Role or Access Profile not getting removed on termination if it is assigned not as a part of birthright

Role or Access Profile is not getting removed on termination if it is assigned not as a part of birthright, because of which new accounts get created. Basically, in one of the termination lifecycle states we delete the AD account, but as the entitlement under the access profile -> role still exists, it creates the account again. Is anything possible via OOTB that can prevent account creation, or can the role be removed directly?

You need a workflow to revoke all roles and entitlements upon termination. It’s baffling to me that this is how the product works, but it’s what we’re stuck with.

Try this: Workflow to remove ALL leavers’ standing access - Identity Security Cloud (ISC) / ISC Community Knowledge Base - SailPoint Developer Community


You can add logic in the role assignment that a user must have a cloudLifecycleState of “active” or whichever lifecycle state you use for active users.

Ideally, in conjunction with the Role assignment logic for birthright / automatic assigned roles, if identity profile states have a configuration point for: “Add / Remove requestable access item by search filter”, that would be perfect.

Missing some IGA maturity use cases OOTB... and they have to be custom developed.

#Tired of the IDEAS portal

Like, there’s already ability to statically specify what AP to grant…but that’s static. That portion of functionality should have included Grant / Revoke of Role/AP/Entitlement that are statically / dynamically (by filter/query) specified. That would have been the [relatively more] “complete” feature.

You would need the logic in the role assignment. We have roles created, and if the user's lifecycle state is inactive then it removes them from the AD group associated with that role.

The OP’s statement of “assigned not as a part of birth right” throws any role assignment logic out the window.

I guess I’m confused as to how an entitlement would be sticky if it’s not part of a role?

I think if entitlement/access profile/role is gained via access request, it will be “sticky”.

FYI, there is an enhancement planned for later this year to add this to the standard Lifecycle state functionality, which will make this way easier than it is today.

I’d suggest you vote for this idea & add some comments about your expected behavior.
https://ideas.sailpoint.com/ideas/GOV-I-880

1. What is the process you follow to remove roles? Are you looping over each entitlement? If yes, this will not work out because roles are sticky.

You can try generating an access review process for the terminated identity and auto-revoking the access.
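An added example (not from this thread or from SailPoint) of the revoke step the "revoke all roles and entitlements upon termination" workflow suggested above would carry out, written so that the sticky roles and access profiles are revoked as items themselves rather than by looping over their entitlements. It assumes the identity document shape returned by the ISC /v3/search endpoint and the body shape of POST /v3/access-requests as shown; the lifecycle state names, ids and access items are constructed placeholders.

```python
import json
import urllib.request

# Assumption: the lifecycle states your tenant uses for leavers.
LEAVER_STATES = {"terminated", "inactive"}

# Constructed sample, shaped like an ISC /v3/search identity document (assumed shape).
SAMPLE_IDENTITY = {
    "id": "IDENTITY-ID-PLACEHOLDER",
    "name": "jdoe",
    "attributes": {"cloudLifecycleState": "terminated"},
    "access": [
        {"type": "ENTITLEMENT", "id": "ENT-ID-PLACEHOLDER",
         "name": "CN=Finance-RO,OU=Groups,DC=example,DC=com"},
        {"type": "ROLE", "id": "ROLE-ID-PLACEHOLDER", "name": "Finance Analyst"},
        {"type": "ACCESS_PROFILE", "id": "AP-ID-PLACEHOLDER", "name": "AD Finance"},
    ],
}

# Revoke the containers first: a requested role or access profile is sticky, so
# removing only the entitlements underneath it lets ISC re-provision the account.
REVOKE_ORDER = {"ROLE": 0, "ACCESS_PROFILE": 1, "ENTITLEMENT": 2}

def is_leaver(identity, leaver_states=LEAVER_STATES):
    state = identity.get("attributes", {}).get("cloudLifecycleState", "")
    return state.lower() in leaver_states

def build_revoke_request(identity, leaver_states=LEAVER_STATES):
    """Return a REVOKE_ACCESS body for /v3/access-requests, or None if nothing to do."""
    if not is_leaver(identity, leaver_states):
        return None
    items = sorted((a for a in identity.get("access", []) if a.get("type") in REVOKE_ORDER),
                   key=lambda a: REVOKE_ORDER[a["type"]])
    if not items:
        return None
    state = identity["attributes"]["cloudLifecycleState"]
    return {
        "requestedFor": [identity["id"]],
        "requestType": "REVOKE_ACCESS",
        "requestedItems": [{"type": a["type"], "id": a["id"],
                            "comment": f"Leaver cleanup: lifecycle state is {state}"}
                           for a in items],
    }

def submit_revoke(body, tenant_api_url, token):
    """POST the request to the tenant (real call; needs a valid API URL and bearer token)."""
    req = urllib.request.Request(f"{tenant_api_url}/v3/access-requests",
                                 data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    print(json.dumps(build_revoke_request(SAMPLE_IDENTITY), indent=2))
```

Birthright access that the lifecycle state already removed will not appear in the identity's access list, so the same request body works for both requested and leftover items.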