Retention of Identity data after deleting the identities

Which IIQ version are you inquiring about?

8.4 p2

Hi Team

We are planning to delete identities along with the accounts in SailPoint after a certain number of days of disablement. What is the best way to take a backup of identities for audit purposes?

Has anyone implemented this in your environment?

Thanks

Divya M

Hi @DivyaSubha ,

If identities are deleted after any lifecycle event, you can refer to the audit generated during those events.

If that is not available (or sufficient), the better approach is to take an identity snapshot before deletion and archive the data for audit.

Hello @DivyaSubha ,

The best approach I can think of is to create a sunset workflow and trigger it from your leaver workflow, assuming the account disablement is handled there.

In the sunset workflow, you can write logic to back up the identity on your server (for example, export it as an identity XML file) and then delete the identity. Create an audit event for reference.

One important point: make sure you delete all associated accounts as well. Otherwise, the identity may get recreated during the next aggregation.

Deleting accounts in the HR source is not a good idea. Instead, set an attribute in your HR system (for example, mark the user as terminated) and use that during aggregation to prevent it from being processed.

Could you please explain your use case in more detail so I can better understand your requirement? How are you disabling the account?

You can create a Rule Runner task that will run and filter all the users who have been disabled for a certain number of days, as per your requirement.

Take the list of those users and trigger a delete workflow. In this workflow, write your logic or create a step that performs the audit or user snapshot and stores it in a DB table.
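As an added illustration of the two suggestions above (the export-as-XML-then-delete step from the sunset workflow reply, and the Rule Runner task that selects users disabled for a given number of days), here is a Java/Beanshell-style rule body. It is example code written for this page, not code from any reply in the thread or from SailPoint. It assumes a custom identity attribute named `disabledDate` (a hypothetical name; use whatever your leaver process sets), an `archiveDir` on the IIQ server, and the standard IIQ API classes (`SailPointContext`, `QueryOptions`, `Filter`, `Terminator`, `Auditor`, `AuditEvent`). The archive path and account list are written into the audit event so the record survives after the cube is gone; the `dryRun` flag lets you review the candidate list before anything is deleted.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;

import sailpoint.api.SailPointContext;
import sailpoint.api.Terminator;
import sailpoint.object.AuditEvent;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.server.Auditor;
import sailpoint.tools.GeneralException;
import sailpoint.tools.Util;

/**
 * Added example (not SailPoint code): snapshot long-disabled identities as XML,
 * write an audit event, then delete them. In a Rule Runner rule the body of
 * archiveAndDelete() is pasted into the rule source, where "context" is injected by IIQ.
 */
public class SunsetArchiveExample {

    // ASSUMPTION: hypothetical custom identity attribute holding the disablement date.
    static final String DISABLED_DATE_ATTR = "disabledDate";

    /** Returns the number of identities archived (and, unless dryRun, deleted). */
    public static int archiveAndDelete(SailPointContext context, int retentionDays,
                                       File archiveDir, boolean dryRun)
            throws GeneralException, IOException {
        Calendar cal = Calendar.getInstance();
        cal.add(Calendar.DAY_OF_MONTH, -retentionDays);
        Date cutoff = cal.getTime();

        // Only identities the leaver process already marked inactive are candidates.
        QueryOptions qo = new QueryOptions();
        qo.addFilter(Filter.eq("inactive", true));
        Iterator<Identity> it = context.search(Identity.class, qo);
        int processed = 0;
        try {
            while (it.hasNext()) {
                Identity identity = it.next();
                Object disabledDate = identity.getAttribute(DISABLED_DATE_ATTR);
                // No recorded date, or not disabled long enough: leave the identity alone.
                if (!(disabledDate instanceof Date) || ((Date) disabledDate).after(cutoff)) {
                    continue;
                }

                // 1. Snapshot: the identity XML carries attributes, links and assigned
                //    roles/entitlements (not request history or other tables, as noted below).
                String xml = identity.toXml();
                File out = new File(archiveDir, identity.getName() + ".xml");
                if (!dryRun) {
                    Files.write(out.toPath(), xml.getBytes(StandardCharsets.UTF_8));
                }

                // 2. Audit event so the deletion stays traceable after the cube is gone.
                AuditEvent event = new AuditEvent("SunsetArchiveExample",
                        "identityArchivedAndDeleted", identity.getName());
                event.setString1(out.getAbsolutePath());
                event.setString2(summarizeLinks(identity));

                if (!dryRun) {
                    Auditor.log(event);
                    // 3. Terminator removes the identity together with its dependent objects.
                    //    As the thread notes, the authoritative source must also stop returning
                    //    the record (e.g. a terminated flag filtered at aggregation), otherwise
                    //    the next aggregation recreates the cube.
                    new Terminator(context).deleteObject(identity);
                    context.commitTransaction();
                }
                processed++;
            }
        } finally {
            Util.flushIterator(it); // release the Hibernate cursor even on exceptions
        }
        return processed;
    }

    /** "app:nativeIdentity; app:nativeIdentity" list of the accounts being removed. */
    static String summarizeLinks(Identity identity) {
        StringBuilder sb = new StringBuilder();
        if (identity.getLinks() != null) {
            for (Link link : identity.getLinks()) {
                if (sb.length() > 0) sb.append("; ");
                sb.append(link.getApplicationName()).append(':').append(link.getNativeIdentity());
            }
        }
        return sb.toString();
    }
}
```

Run it first with `dryRun = true` from the Rule Runner task and check the returned count against your expected leaver population; the archive directory should be outside the IIQ web root and retained under whatever schedule your audit requirement specifies, since the XML is the only copy of the cube once the delete commits.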

Hi @DivyaSubha

Before deleting identities, capture a snapshot (XML/audit data) via workflow or rule and archive it, since IIQ does not retain identity data after deletion.


Hi @DivyaSubha , snapshots will work. It looks like you are on 8.4 so take a look at Access History. That may have the audit data you need as well.

@DivyaSubha Review the Export Object task available in SSD. It has the details of how to extract objects as XML. You can use a similar module to export the identity and save it as XML before deleting the identity.

Hi @kallajayaram What details would be available in the snapshot? Will it hold all the data that we see in the identity cube, like roles, entitlements, lifecycle events, access requests, user rights, accounts and risks?

Also, please let me know what steps are to be followed for restoring the snapshot.

Thanks

Divya M

@DivyaSubha Snapshots hold details about attributes, application accounts and assigned roles/entitlements. IIQ stores the data in different tables, so snapshots or identity XMLs will not be able to provide all details.

Could you please specify what exactly your use case is? When do you want to export and why? In what circumstances do you want data to be restored, and what is the expectation of the restoration process?

  1. How are you deleting the identity?
  2. When you say you want a backup of the identity for audit purposes, can you provide more details: what type of backup, and what exactly is your audit requirement?