Recently I faced one issue regarding the Okta account while the leaver event is triggering. The problem is, if the user has few groups that grant access to other applications (the user might have other applications also in Okta). Now, the lever is triggering (I have enabled the option called Disable account along with Remove Entitlements except Everyone group in the Leaver Rapid Setup configuration) like below, for this account leaver is failing because of the reason that the application cannot be unassigned from the user while their group memberships grant them access
The reason for this, why we are getting this, is there is a group that grants the applications in Okta. So, while leveraging is triggering, SailPoint will try to remove the applications first, so that from Okta’s perspective, it is not allowed to deassign the application that grants by group. So, first remove the group and deassign the application.
So, for that, what I did is I have removed the applications attribute request while the leaver is triggering (by default in Okta, once the user is deactivated, then Okta will take care to deassign the applications). It will only deassign applications and roles, not groups. So I have removed them from the plan in the before provisioning rule of the application, and then later, the leaver went well without any error. Once the account is deactivated in Okta, all those applications are removed from the user, so that our requirement is also fulfilled. You can check the below link for code and process.