Provisional Hold - extend expiration date in AD

Hi,

Does ISC have the ability to do a Provisional Hold by extending the expiration date for a user via an API? Checking if anyone knows of this “Provisional Hold” that ISC can do?

We want to know if it is possible for SailPoint to extend the expiration date in AD for a few days for contractors before removing their access. I was doing some research online and that term came up as something ISC can possibly do, which is why I wanted to know if this is even possible.

We wanted to give the managers a little time to finalize the renewal process before removing the contractors' access completely, which would help alleviate the case of having them re-added.

@colin_mckibben can you say if this is a thing in ISC?

Yes - This is possible by using a specific Lifecycle State to represent this condition via a transform. You’d need to ensure the associated transform accounts for “Identity Type = Contractor” and “End Date > now AND less than now + 3 days”.

1 Like

ok great, sounds good. Thanks for the response.

Hi @dcoleman

You can create a custom identity attribute and define a transform that checks if the user is a contractor. If so, it sets the value to the Expiration/End Date plus X days. Then, you can enable Attribute Sync for this Expiration attribute to ensure it stays updated from IDN to AD.

1 Like

Yes, ISC (Identity Security Cloud) can support this use case through automation and API-driven workflows. While “Provisional Hold” isn’t a native feature, you can implement similar logic by updating a custom identity attribute (e.g., contractEndDate) via API to extend the expiration date. You can use a workflow triggered by manager approval to push the new date to AD via provisioning. This delay prevents immediate deprovisioning, giving managers time to renew access. It’s a practical approach to avoid unnecessary re-creation of accounts for short-term contract extensions.

1 Like
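The two pieces of logic suggested in the replies above (the lifecycle-state condition and the "End Date plus X days" attribute) are sketched here as an added example that is not part of the original thread and is not SailPoint transform syntax. The state names, function names and the 3-day value of X are assumptions; the conversion targets the AD `accountExpires` format (100-nanosecond intervals since 1601-01-01 UTC, 0 meaning never).

```python
from datetime import datetime, timedelta, timezone

AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
GRACE_DAYS = 3  # assumption: the "X days" / "now + 3 days" window from the thread


def lifecycle_state(identity_type, end_date, now):
    """Hypothetical state names; mirrors the condition quoted in the thread."""
    if end_date is not None and end_date <= now:
        return "inactive"
    in_window = end_date is not None and end_date < now + timedelta(days=GRACE_DAYS)
    # "Identity Type = Contractor" AND "End Date > now AND < now + 3 days"
    if identity_type.lower() == "contractor" and in_window:
        return "provisionalHold"
    return "active"


def extended_expiration(identity_type, end_date):
    """Custom-attribute value: contractors get End Date + GRACE_DAYS."""
    if end_date is None:
        return None
    if identity_type.lower() == "contractor":
        return end_date + timedelta(days=GRACE_DAYS)
    return end_date


def to_account_expires(dt):
    """Convert an aware datetime to the AD accountExpires integer (0 = never)."""
    if dt is None:
        return 0
    if dt.tzinfo is None:
        # A naive value would silently shift the cutoff by the local UTC offset.
        raise ValueError("end date must be timezone-aware")
    delta = dt.astimezone(timezone.utc) - AD_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


if __name__ == "__main__":
    # Constructed sample identities, not real data.
    now = datetime(2024, 12, 27, tzinfo=timezone.utc)
    end = datetime(2024, 12, 29, tzinfo=timezone.utc)
    for kind in ("Contractor", "Employee"):
        exp = extended_expiration(kind, end)
        print(kind, lifecycle_state(kind, end, now), exp, to_account_expires(exp))
```

Whichever mechanism is used, the extended date should be the only value synced to AD, so the grace period is bounded and the account still expires if the renewal never completes.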