We have LCS configured in our environment. If the user’s LCS is moved to inactive, we have a list of sources which need to be disabled. There are cases where some accounts are re-enabled in the target directly. So I can see the LCS to be inactive but the accounts showing as enabled. How can I force IdentityNow to re-evaluate the LCS, so that it will make the accounts back to disabled?
Rajesh, there’s not a way that I’m aware of to do this. What you’d want to do is set up a scheduled search that shows you inactive identities with active accounts in the desired sources. Then you could circle back to the identity and re-disable the account.
While this may not be desirable, depending on what your various Lifecycle States do, you can manually toggle the Lifecycle State on the Identity. In the past, we have toggled someone to Active, let it process, and then back to Inactive and let it do its thing again. Only an admin can do this.
@rajeshs you could try leveraging the workflows to trigger on the change of LCS inactive. There’s a workflow template available called “Remove Access When an Identity Becomes Inactive”.
I would consider this as a flaw in the Business Process. If a source is managed by IDN to enable or disable accounts, then manually changing this attribute should not be allowed.
However, a solution to this that I can think of is creating another LCS type (say forceDisable) and LCS is set to this value when the LCS in IDN is inactive and an account attribute from source is active and set the same accounts to be disabled under this new LCS type.
How about creating an identity attribute status for each and every source you need to disable?
For example, ADStatus which holds UAC value 512/514 and enable the attribute sync.
For every Identity Profile refresh, sync will be triggered if there is a change in value.
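The following is an added example, not part of the original posts and not SailPoint code: it sketches the drift check behind the scheduled-search and ADStatus suggestions above, flagging inactive identities that still have an enabled account in a managed source. The record layout, field names and source names are assumptions and the data is constructed; the AD check tests the ACCOUNTDISABLE bit (0x2) of userAccountControl instead of comparing against 512/514, because values such as 66048 and 66050 carry the same enabled/disabled meaning.

```python
# Drift check: inactive identities that still hold enabled accounts.
# Record layout and source names are assumptions for illustration,
# not the IdentityNow schema. Sample data below is constructed.

ACCOUNTDISABLE = 0x0002  # AD userAccountControl flag: 512 -> 514 sets this bit

MANAGED_SOURCES = {"Active Directory", "HR Portal"}  # hypothetical names

IDENTITIES = [  # constructed sample records
    {"name": "a.khan", "lcs": "inactive", "accounts": [
        {"source": "Active Directory", "uac": 512},      # re-enabled in target
        {"source": "HR Portal", "disabled": True}]},
    {"name": "b.lee", "lcs": "inactive", "accounts": [
        {"source": "Active Directory", "uac": 66050},    # 65536 + 514: disabled
        {"source": "HR Portal", "disabled": False}]},
    {"name": "c.diaz", "lcs": "active", "accounts": [
        {"source": "Active Directory", "uac": 66048}]},  # active identity: ignore
    {"name": "d.roy", "lcs": "inactive", "accounts": [
        {"source": "Active Directory", "uac": 66048},    # 65536 + 512: enabled
        {"source": "Unmanaged App", "disabled": False}]},
]


def is_enabled(account):
    """Return True if the account is enabled on its source."""
    if "uac" in account:
        # Bit test, so extra flags (e.g. password never expires) do not
        # hide an enabled account the way an equality test on 512 would.
        return not (int(account["uac"]) & ACCOUNTDISABLE)
    return not account["disabled"]


def find_drift(identities, managed_sources=MANAGED_SOURCES):
    """List (identity, source) pairs where LCS is inactive but the account is enabled."""
    drift = []
    for ident in identities:
        if ident["lcs"] != "inactive":
            continue
        for acct in ident["accounts"]:
            if acct["source"] in managed_sources and is_enabled(acct):
                drift.append((ident["name"], acct["source"]))
    return sorted(drift)


if __name__ == "__main__":
    for name, source in find_drift(IDENTITIES):
        print(f"re-disable needed: {name} on {source}")
```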