Hello everyone - This is not exactly related to Active Directory, but I having this issue for Active Directory so mentioned specifically for AD.
When lifecycle state changed to Inactive - ISC is diabling the AD account and moving user to specific OU and removing all groups. all well till here.
Now AD account is disabled directly on source, and now next day user lifecycle state is changed to inactive - in this case ISC is not touching the User’s AD account as in ISC User’s AD account is already disabled. Is there any way we execute the beforeprovisioning rule to move the user to specific OU and remove groups?
configure sync for the LCS value with an Active Directory attribute. In the event of a termination, this value will be updated in Active Directory, triggering a modification operation and executing the beforeprovisioning rule.
Hi @singlde,
Do you have any birthright roles that are revoked when a user moves to an inactive LCS, or any workflow in place to remove roles under that condition? If so, that action will automatically trigger the Before Provisioning rule, where you can handle it based on specific conditions.
Let me know if you’d like further clarification.
Thanks,
Ujjwal
I’m a bit unclear about one part — as you mentioned, when the lifecycle state (LCS) changes to ‘Inactive’, the account is already being disabled, moved to the specific OU, and group memberships are removed. Could you clarify why you’re asking specifically about moving the account and removing access again? If you could share more details about your use case or the scenario you’re trying to handle, I’d be happy to help further.
How you are making changes to user ( example disable , move and remove all groups ) using standard before provisiong rule ?
Do you mean to say Before Provisioning rule will be triggered even if access gets removed because of assignment criteria of role not matching?
Yes, since the criteria are no longer satisfied, those entitlements will be revoked, and that will, in turn, trigger provisioning.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.