Removing entitlements assigned via Role

We have a Web service based connector wherein the entitlements are being provisioned via the SailPoint roles (ABAC).
In cases when the account is disabled in the app itself, since the user is assigned the role, the account is reactivated in the app.

How can these entitlements be removed for users in case of:
Leavers (when user is terminated), i.e. lifecycle state inactive
Movers (when user switches departments)

You need to update the Role Assignment Criteria to exclude identities in these lifecycle states

You can use the Source attribute (it could be something like Status, isActive / Active / Enabled, etc.) in the assignment criteria to remove the role once the account is deactivated. Also, you can add an additional condition where you add the user LCS in the assignment criteria.

Or you can configure a workflow to remove all roles for terminated lifecycle users; that will ensure requestable roles are removed as well.

@shreyas_nitturkar use this new feature to remove all roles from the user once it gets terminated

Thanks
Shantanu
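
The assignment-criteria changes suggested in the replies above, as an added example that is not part of the original thread and is not SailPoint code: a small Python model of criteria evaluation showing who keeps a role before and after the lifecycle-state and account-status conditions are added. The attribute names (`lifecycleState`, `appAccountStatus`), the Finance role and the identities are all constructed assumptions.

```python
# Added illustration: a simplified model of attribute-based role assignment.
# Attribute names, values and identities are constructed, not SailPoint's schema.

def matches(node, identity):
    """Evaluate a criteria tree against one identity's attributes."""
    op = node["op"]
    if op == "AND":
        return all(matches(child, identity) for child in node["children"])
    if op == "OR":
        return any(matches(child, identity) for child in node["children"])
    actual = identity.get(node["attr"])
    if op == "EQUALS":
        return actual == node["value"]
    if op == "NOT_EQUALS":
        # Fail closed: a missing attribute never satisfies an exclusion.
        return actual is not None and actual != node["value"]
    raise ValueError(f"unknown operation: {op}")

def role_members(criteria, identities):
    """Names of the identities the role would be assigned to."""
    return sorted(i["name"] for i in identities if matches(criteria, i))

# Criteria keyed on department only: a leaver still matches, keeps the role,
# and the account granted through it is reactivated in the app.
LOOSE = {"op": "EQUALS", "attr": "department", "value": "Finance"}

# The same role with the two extra conditions suggested in the thread.
STRICT = {"op": "AND", "children": [
    LOOSE,
    {"op": "NOT_EQUALS", "attr": "lifecycleState", "value": "inactive"},
    {"op": "EQUALS", "attr": "appAccountStatus", "value": "Active"},
]}

IDENTITIES = [  # constructed sample data
    {"name": "alice", "department": "Finance", "lifecycleState": "active", "appAccountStatus": "Active"},
    {"name": "bob", "department": "Finance", "lifecycleState": "inactive", "appAccountStatus": "Disabled"},  # leaver
    {"name": "carol", "department": "Sales", "lifecycleState": "active", "appAccountStatus": "Active"},  # mover
    {"name": "dave", "department": "Finance", "lifecycleState": "active", "appAccountStatus": "Disabled"},  # disabled in app
    {"name": "erin", "department": "Finance", "appAccountStatus": "Active"},  # no lifecycle state set
    {"name": "frank", "department": "Finance", "lifecycleState": "active"},  # no app account yet
]

if __name__ == "__main__":
    print("department only:  ", role_members(LOOSE, IDENTITIES))
    print("with LCS + status:", role_members(STRICT, IDENTITIES))
```

In this model an identity with no app account yet (frank) also fails the account-status condition, and one with no lifecycle state (erin) fails the exclusion because the evaluator fails closed.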

Thanks @schattopadhy. This doesn’t seem to work. I updated the lifecycle state and could still see roles and entitlements assigned to the identity.

@shreyas_nitturkar are you getting any event logs?