Source option for Disabling the account Deletion - how to detect such disconnected identities via API or Rule/Transform/WF?

There is an option for most IDN sources to keep an identity if the linked account in the authoritative source disappears. It is quite a useful IAM option for some legal or company-policy requirements, when there is a need to keep old employee records for a few years.
In the current IdentityNow version it has been realized as a static account record in the source with a fake link to the original record in the source (which obviously no longer exists).

A really big question: how to detect such disconnected identities in IdentityNow? They have no visible flags or attributes indicating that they are disconnected from the authoritative source, nor do they have any hidden identity attribute or status that I can discover in any API query.
How can such identities be detected in IDN using any of the methods available to developers: WF query, events, Rules, transforms, API calls including beta and v1 CC?


Has anyone figured this out yet?

We passed on the disable-deletion option for that very reason: there is no indication of identity deletion. On the other hand, a widowed account implies that it was correlated but the identity was deleted/removed before the correlated accounts were handled. We were going to look at Workflows to see if we could intercept the deletion before it processes and handle any accounts. We don't have workflows in production so haven't investigated. The other options we are considering are to perform uncorrelated certifications to the source owner or to have Triggers generate SNOW tickets upon a delete event.

Let us know if anyone finds a solution.


Hi Brad,
We are continuing to use that nice IDN source feature.

We had to add two additional custom identity attributes to the identity schema: a boolean 'isAlive' and a dateTime string 'lastTimeInAuthoritativeSource', populated via an additional 'Helper' plain-text connector that is managed directly from an external script with API calls.
Both attributes are pre-calculated in a script that compares the IDN user ID list with the last available authoritative-source user ID list, sets the first attribute to true/false, and writes the dateTime into the second.

The same script is responsible for deleting a 'widow' identity from IDN when more than some period has passed after XXZZ (say, after 180 days), using a private API: https://[tenant]

I hope this helps.


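The diff-and-age logic the reply above describes, written out as an added example (my own code, not the poster's script). It takes a constructed IDN identity list, the latest authoritative-source ID list and the helper records from the previous run, produces the 'isAlive' / 'lastTimeInAuthoritativeSource' records for the helper flat-file source, and lists the widow identities whose 180-day retention has expired. The attribute names and the 180-day period are from the post; the record shape, the CSV layout and the sample data are assumptions. Pushing the CSV to the helper source and calling the deletion API are left out, since the post does not show those calls.

```python
"""
Added example: compute helper-source records for identities that have
disappeared from the authoritative source, and select the ones past the
retention period. Constructed sample data; not the poster's script.
"""
import csv
import io
from datetime import date, timedelta

RETENTION_DAYS = 180  # retention period mentioned in the post ("say after 180 days")


def build_helper_records(idn_identities, authoritative_ids, previous_records, today):
    """Return one helper record per IDN identity.

    idn_identities    : list of dicts with at least an 'id' key (the IDN identity list)
    authoritative_ids : set of IDs present in the latest authoritative-source extract
    previous_records  : helper records written on the previous run (assumed shape)
    today             : date of this run

    An identity still present in the source is alive and its last-seen date is
    moved to today. A disconnected identity keeps the last-seen date recorded
    on an earlier run; if it has never been recorded (first run), the retention
    clock starts today rather than deleting it immediately.
    """
    previous = {r["id"]: r for r in previous_records}
    records = []
    for ident in idn_identities:
        uid = ident["id"]
        alive = uid in authoritative_ids
        if alive:
            last_seen = today.isoformat()
        else:
            prev = previous.get(uid)
            last_seen = prev["lastTimeInAuthoritativeSource"] if prev else today.isoformat()
        records.append({
            "id": uid,
            "isAlive": alive,
            "lastTimeInAuthoritativeSource": last_seen,  # ISO date string, as the helper source is plain text
        })
    return records


def deletion_candidates(records, today, retention_days=RETENTION_DAYS):
    """IDs of disconnected identities not seen in the source for retention_days or more."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(
        r["id"]
        for r in records
        if not r["isAlive"]
        and date.fromisoformat(r["lastTimeInAuthoritativeSource"]) <= cutoff
    )


def to_helper_csv(records):
    """Serialise records as the CSV a plain-text (flat-file) helper source would ingest."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["id", "isAlive", "lastTimeInAuthoritativeSource"])
    writer.writeheader()
    for r in records:
        writer.writerow({**r, "isAlive": "true" if r["isAlive"] else "false"})
    return buf.getvalue()


def sample_run():
    """Run the whole flow on constructed data; returns (records, candidates, csv_text)."""
    today = date(2023, 10, 1)
    idn_identities = [{"id": "E1001"}, {"id": "E1002"}, {"id": "E1003"}, {"id": "E1004"}]
    authoritative_ids = {"E1001", "E1002"}             # E1003 and E1004 have disappeared
    previous_records = [
        {"id": "E1003", "isAlive": False, "lastTimeInAuthoritativeSource": "2023-01-01"},  # gone > 180 days
        {"id": "E1004", "isAlive": False, "lastTimeInAuthoritativeSource": "2023-09-15"},  # gone recently
    ]
    records = build_helper_records(idn_identities, authoritative_ids, previous_records, today)
    candidates = deletion_candidates(records, today)
    return records, candidates, to_helper_csv(records)


if __name__ == "__main__":
    recs, cands, text = sample_run()
    print(text)
    print("widow identities past retention:", cands)
```

Run the script on each authoritative-source refresh, after the previous run's helper CSV has been read back in; without the previous records every disconnected identity would look freshly disconnected and the retention clock would never advance.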