Hey community,
We currently have a lifecycle transform in SailPoint Identity Security Cloud (ISC) that checks user inactivity (last login). If a user hasn’t logged in for 60 days, they’re moved to an Inactive state. This is working as expected.
We also integrated an On Leave indicator from our HR source (Workday) using a simple 0/1 flag, and that piece is working too.
The problem we’re trying to solve is the return-from-leave scenario: a user can go on leave with a last login date that’s already far beyond the 60‑day threshold (e.g., 1 year ago). When they return and the flag flips back, they immediately fail the 60‑day inactivity check and end up in Inactive, even though they should return to Active.
To address this, we’re exploring an identity attribute that stores a date we can compare against (e.g., a “return from leave” date). We tried creating a transform to store “today’s date,” but with our current logic the date gets overwritten based on the flag changes (0 ↔ 1), which defeats the purpose.
```json
{
  "name": "On Leave Flag",
  "type": "static",
  "attributes": {
    "today": {
      "type": "firstValid",
      "attributes": {
        "values": [
          {
            "attributes": {
              "inputFormat": "yyyy-MM-dd",
              "outputFormat": "MM/dd/yyyy",
              "input": {
                "attributes": {
                  "begin": -1,
                  "end": 10,
                  "input": {
                    "attributes": {
                      "expression": "now-10h",
                      "roundUp": false,
                      "requiresPeriodicRefresh": "true"
                    },
                    "type": "dateMath"
                  }
                },
                "type": "substring"
              }
            },
            "type": "dateFormat"
          },
          "01/01/2036"
        ]
      }
    },
    "onleave": {
      "attributes": {
        "values": [
          {
            "attributes": {
              "sourceName": "Workday",
              "attributeName": "ON_LEAVE"
            },
            "type": "accountAttribute"
          },
          "blank"
        ]
      },
      "type": "firstValid"
    },
    "value": "#if($onleave=='1')$today#elseif($onleave=='0')01/01/2036#{else}01/01/2036#end"
  },
  "internal": false
}
```
Has anyone implemented a reliable pattern to ensure users returning from leave are moved back to Active without being immediately caught by an inactivity-based inactivation rule?
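The following is an added example, not part of the original post and not SailPoint transform syntax: a small Python model of the state logic the question describes, in which the return date is latched only on the 1 to 0 flag transition and the 60-day inactivity check runs from the later of last login and that latched date. The `Identity` class, the `refresh` function, the `onLeave` state name and the sample dates are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_LIMIT = timedelta(days=60)  # threshold stated in the post


@dataclass
class Identity:  # hypothetical model, not an ISC object
    last_login: date
    on_leave: str = "0"  # previous value of the Workday ON_LEAVE flag
    return_from_leave: Optional[date] = None
    state: str = "active"


def refresh(identity: Identity, on_leave_flag: str, today: date) -> str:
    """One refresh cycle: latch the return date, then choose the state."""
    # Latch only on the 1 -> 0 edge. Every other refresh keeps the stored
    # value, so repeated refreshes or later flag changes cannot overwrite it.
    if identity.on_leave == "1" and on_leave_flag == "0":
        identity.return_from_leave = today
    identity.on_leave = on_leave_flag

    if on_leave_flag == "1":
        identity.state = "onLeave"  # assumed state name
        return identity.state
    # The inactivity clock starts at the later of last login and return date.
    anchor = max(d for d in (identity.last_login, identity.return_from_leave) if d)
    identity.state = "inactive" if today - anchor >= INACTIVITY_LIMIT else "active"
    return identity.state


def simulate() -> list:
    """Constructed timeline: last login one year before the return date."""
    user = Identity(last_login=date(2024, 1, 10))
    back = date(2025, 1, 10)
    timeline = [
        ("1", back - timedelta(days=90)),  # goes on leave
        ("0", back),                       # returns, flag flips back
        ("0", back + timedelta(days=30)),  # inside the fresh 60-day window
        ("0", back + timedelta(days=61)),  # never logged in after returning
    ]
    return [refresh(user, flag, when) for flag, when in timeline]
```

In this model a returning user gets a fresh 60-day window, and an account that is never used after the return date is still caught by the inactivity check once that window passes.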