Hi All,
As of now in SailPoint IDN, we are able to raise access requests for Inactive Users as well.
Is there a way in which we can prevent Inactive users to be selected while raising the access requests? In short, we are looking to prevent access requests to be raised for Inactive Users in IDN.
I donât believe thereâs an OOTB option for this, but potentially possible via segmentation and or complex approval logic in Workflow.
There are some design decisions around inactive users to consider though:
Many times itâs a more complicated question of âWhat does âinactiveâ mean?â and based on the various scenarios itâs generally not all or nothing.
I have no idea if theyâll provide anything in the near, mid, or long term. Iâm not aware of anything currently, but Iâm also not a SailPoint employee 
@colin_mckibben , once you get a chance, could you please let us know if you have any other insights on this query?
Hello @Sravya2931 , Segments are something you can look into and check if it fits your use case.
I think Ed has the right idea here. Have you looked into using Segments to group inactive users into a segment that canât request anything?
Hi @colin_mckibben , yes I am trying to work on that. During the segment creation, what access should I define here?
Enter below search query (for Define Access) that will bring all roles and access profiles,
name:*
Thanks @gauravsajwan1 for that.
Is this the correct representation to filter the identities with Inactive lifecycle state?
The reason I am asking this question is, when I enabled the segment and perform testing, I noticed even for active users, I am unable to see the role that I have included in my segment.
As per my understanding, the segment will only apply to inactive users and the role which I have included in the segment shouldnât be visible in the request center for any of the inactive users.
Segments are only applied to the requester, not the recipient. An Active user will still be able to request access for Inactive users this way.
Oh okay, thanks for the clarification @KevinHarrington , I am looking for a way in which recipients(in my case inactive users) shouldnât be made available in the request center so that no one can raise a request for these inactive users.
End goal is Inactive Users shouldnât be made available in the request center so that access request canât be submitted for them
Well, I believe apart from Segments (which rightly point out above by @KevinHarrington is only applicable to requestors), there are no other OOTB features currently available to restrict access requests being made for a defined set of identities (or recipients) in Request Center.
Forms is another new feature introduced in IDN but currently itâs not available for Request Center, but I heard it will be in some time. Once itâs available, you can customize the form as per your requirement.
You may explore another options like hosting a custom form in ServiceNow or any such product where you can customize it as per your needs but thatâs not a quick one, will take some good amount of efforts.
As Gaurav pointed out, this is not a current feature of segments and request center. There is an idea for this that you can comment on and vote for.
https://ideas.sailpoint.com/ideas/GOV-I-2021
Thank you all for your inputs on my query here.
Happy to help 
. Can you please mark the reply that most accurately solves your question as the solution? Thank you!
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.
