Okta Connector - group cleanup of deactivated accounts

jrossicare · May 27, 2024, 4:01am

What problem are you observing?

If a user has a deactivated okta account and you call /v3/access-requests to Revoke the Okta group (entitlement), then ISC does the following

Re-activate Okta account
Revoke Okta group (entitlement)
Re-deactivate Okta account

This causes a whole range of issues, as re-activating the account can cause application and group assignments to kick in, and provisioning tasks from okta to endpoint systems

What is the correct behavior?

Remove Okta groups/entitlements without re-activating the account.

What product feature is this related to?

ISC Okta connector

What are the steps to reproduce the issue?

Create an identity with an Okta account
Ensure Okta account has groups assigned
Deactivate Okta account
Aggregate Okta account, so information in ISC is current
Call /v3/access-requests to Revoke Okta entitlements
Observe logs in Okta for this account.

Do you have any other information about your environment that may help?

N/A

Topic		Replies	Views
Problem with Revoke entitlement operation in Webservice connector ISC Discussion and Questions webservice-connector , apis , rules , aggregation , identity-security-cloud , provisioning , certifications , connectors , entitlements , sources	29	245	November 2, 2024
Identity Refresh in IdentityNow ISC Discussion and Questions identity-security-cloud , entitlements	6	225	November 11, 2024
Entitlements requested throught the request center keeps being provisioned ISC Discussion and Questions identity-security-cloud , provisioning , entitlements	2	157	August 5, 2024
Webservice Connector: role revoke and account disable ISC Discussion and Questions webservice-connector , identity-security-cloud	2	31	January 7, 2025
Webservice - disable account ISC Discussion and Questions webservice-connector , apis , identity-security-cloud , provisioning	9	153	December 6, 2024