Restoring the user access

Hi Team,

We have a requirement to restore all application access for a user who was terminated less than 10 days ago. We need to provide the access the user had at the time of disablement, for all applications. Any suggestions, please?

The approach depends on your existing termination process. If the termination process is to disable a user account and revoke all access immediately, which is quite a common practice, and then permanently delete the account after X days, you have two main options for supporting future reactivations:

  1. Capture an audit snapshot at termination. Enhance the termination task so it logs an audit record listing every application and entitlement the user held just before deactivation.
  2. Persist the snapshot in a custom object. Store the same access profile in a custom object linked to the user. When a re‑hire occurs, the reactivation process can read that object and automatically reprovision the recorded access set.

Both methods provide a record of the user’s prior entitlements, making reactivation straightforward and auditable.

You can create a custom table to store an identity snapshot during the leaver process and run a task to delete stored identity snapshots which are 15+ days old, so you can use the identity snapshots to restore the user's access if the user returns on or before 15 days from termination.
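A sketch of the custom-table approach described in the post above, as an added example that is not part of the original thread and not any product's own code. The table name `identity_snapshot`, the function names and the sample data are hypothetical, and an in-memory SQLite database stands in for the custom table; the restore lookup enforces the 15-day window itself, so a snapshot the purge task has not yet deleted is still not reprovisioned.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=15)  # window taken from the post; adjust to policy

def open_store():
    """Create the (hypothetical) custom table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE identity_snapshot ("
               "identity TEXT, application TEXT, entitlement TEXT, "
               "terminated_at REAL)")
    return db

def snapshot_on_leaver(db, identity, access, now):
    """Record every (application, entitlement) pair before access is revoked."""
    # Keep only the latest snapshot per identity.
    db.execute("DELETE FROM identity_snapshot WHERE identity = ?", (identity,))
    db.executemany(
        "INSERT INTO identity_snapshot VALUES (?, ?, ?, ?)",
        [(identity, app, ent, now.timestamp()) for app, ent in access])
    db.commit()

def purge_expired(db, now):
    """Scheduled task: delete snapshots older than the retention window."""
    cutoff = (now - RETENTION).timestamp()
    cur = db.execute(
        "DELETE FROM identity_snapshot WHERE terminated_at < ?", (cutoff,))
    db.commit()
    return cur.rowcount

def restore_plan(db, identity, now):
    """Return the access to reprovision, or [] if the window has passed."""
    cutoff = (now - RETENTION).timestamp()
    return db.execute(
        "SELECT application, entitlement FROM identity_snapshot "
        "WHERE identity = ? AND terminated_at >= ? "
        "ORDER BY application, entitlement",
        (identity, cutoff)).fetchall()

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    db = open_store()
    snapshot_on_leaver(db, "jdoe", [("HR", "viewer"), ("ERP", "approver")], t0)
    print(restore_plan(db, "jdoe", t0 + timedelta(days=10)))
    print(restore_plan(db, "jdoe", t0 + timedelta(days=16)))
```
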

You can use a snapshot too and, like the other approaches, it does require custom implementation. I don't think it's OOTB; however, it has been part of AP in the past, so look there for reference.

If you are not removing the access (entitlements) on termination, and are removing access after 5 days or on any day other than the one when you need to restore the access, then just enable the account and it would work.

If you are removing access as soon as you disable the account, then it would be best to create a snapshot before termination and access removal and, on rehire/reinstatement of the user, look up the latest snapshot and restore the access.
Another way you can achieve this is by using the access history table as well.
Other options you have already seen in other members' responses, like using a custom object, a custom table, etc.
The approach really depends on the current termination process and how many additional changes you are willing to make.

We do have the same requirement.

As part of the termination process, the first step is that we take a snapshot of the identity, and we use this snapshot for the restoration of the access.

Though I really don’t like this complicated process; rather, I would prefer that, as part of the termination process, the accounts are disabled and the high-privilege access is removed, and in case the user needs to be restored, these accounts can be enabled, and if they need any high-privilege access, it can be requested back.

Thanks for the information

We are removing the entitlements, so is there any chance to restore them, because the user had a lot of entitlements in many applications?