When we have a requirement like the one below for user deprovisioning:
On last day - Disable the AD account
On Day 7 - Remove all groups from the AD account
On Day 21 - Delete the AD account
Design:
1) TermDisable LCS - set to “Disable Accounts” and choose AD source
2) TermEntitlRemove LCS - set to “Enable Accounts” and choose AD source. Use a BeforeProvisioning rule to disable the account and remove all AD groups
3) Terminated LCS - set to “Enable Accounts” and choose AD source. Use a BeforeProvisioning rule to delete the AD account
This works well if the identity is moving from “Active” → “TermDisable” → “TermEntitlRemove” → “Terminated”.
However, it doesn’t handle the scenarios below:
“Active” → “TermEntitlRemove”
“Active” → “Terminated”
“TermEntitlRemove” → “Active” (when the employee comes back within a week)
Since the account configuration option is set to “Enable Accounts” in the “Active”, “TermEntitlRemove”, and “Terminated” LCS, it will not trigger any provisioning events/plan for the above scenarios.
Source configurations are set to “Enable Accounts” in both of these LC states. Do you still see the provisioning process being triggered during this LCS change?
1) TermDisable LCS - Disable the AD account using the identity profile provisioning config
2) TermEntitlRemove LCS - Update the AD description attribute after 6 days, enable sync for the description attribute, and write logic in the BP rule for AD group removal based on the description.
3) Terminated LCS - Update the AD description attribute after 20 days, enable sync for the description attribute, and write logic in the BP rule based on the description to delete the AD account.
If you have workflows in your tenant (as it is licensed), you can build the same logic there as well.
@iamnithesh, Sorry, I meant → Terminated LCS - set to “Disable Accounts”. Either way, the overall issue remains the same (now it won’t trigger provisioning if we move from the “TermDisable” LCS to the “Terminated” LCS).
@MVKR7T, Are you suggesting using an “Attribute sync” to trigger a provisioning plan/event? Since IDN started supporting real-time event-driven attribute sync and it’s no longer twice a day, are you recommending this solution?
Yes, we have workflows enabled in our tenant, but since this is deleting an account in the AD source, I don’t think it’s supported through a workflow.
When your HR source aggregation completes, the identity profile gets refreshed, which will trigger the attribute sync. Isn’t that enough for your requirement?
@iam_nithesh, So these are edge cases and don’t happen frequently. We want to be prepared and ready to support them if we run into the 3 scenarios below:
“Active” → “TermEntitlRemove” (This is when we get a request to disable the AD account and remove all AD groups.)
“TermDisable” → “Terminated” (The employee’s AD account is already disabled due to termination. We got a request to directly delete the account and skip the remove-entitlement step.)
“TermEntitlRemove” → “Active” (when an employee returns within a week of termination)
@MVKR7T, Yes. I’m also thinking of getting rid of the “TermEntitlRemove” LCS and the “TermDisable” LCS and just using the “Terminated” LCS to disable the account on the last day of termination.
And create a new identity attribute called “PostTermStatus” and use a transform to:
Update the “PostTermStatus” value to “TermEntitlementRemove” → if “Employee status is Term” and “Last date of work is greater than 7 days”
Update the “PostTermStatus” value to “TermAcctsDelete” → if “Employee status is Term” and “Last date of work is greater than 21 days”
And use “PostTermStatus” for attribute sync with an AD source extension attribute. Then use the BP rule to update the plan and take the necessary action.
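The attribute-driven design proposed in the last two posts (a status computed from HR data, synced to an AD attribute, and acted on by the BeforeProvisioning rule) can be checked against the three edge cases before it is built in the tenant. The Python below is an added example written for this thread; it is not SailPoint code, not an IdentityNow transform or rule, and does not call any IdentityNow API. It models the “PostTermStatus” transform as a function of employee status and last day of work, and the BeforeProvisioning rule as a function that maps that status to plan operations. The 7- and 21-day thresholds and the status names come from the thread; the AD account stand-in, the event list, the group names, and the rule that only emits operations that actually change the account are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Day thresholds from the requirement in the thread, counted from the last day of work.
ENTITLEMENT_REMOVE_DAYS = 7
ACCOUNT_DELETE_DAYS = 21

# Constructed anchor date used by the scenarios below (not from the thread).
LAST_DAY = date(2024, 3, 1)


def on_day(offset):
    """Calendar date `offset` days after the constructed LAST_DAY."""
    return LAST_DAY + timedelta(days=offset)


def post_term_status(employee_status, last_day_of_work, today):
    """Model of the proposed PostTermStatus transform.

    The value depends only on the HR attributes, not on the lifecycle
    state the identity was in before, so any skipped transition still
    lands on the right stage.
    """
    if employee_status != "Term" or last_day_of_work is None:
        return "Active"
    days_since = (today - last_day_of_work).days
    if days_since > ACCOUNT_DELETE_DAYS:
        return "TermAcctsDelete"
    if days_since > ENTITLEMENT_REMOVE_DAYS:
        return "TermEntitlementRemove"
    if days_since >= 0:
        return "TermDisable"        # last day reached, still inside the 7-day window
    return "Active"                 # termination dated in the future: nothing to do yet


@dataclass
class AdAccount:
    """Minimal stand-in for the AD account the rule acts on (constructed)."""
    enabled: bool = True
    groups: set = field(default_factory=set)
    deleted: bool = False


def build_plan(status, account):
    """Model of the BeforeProvisioning rule: map the synced status to the
    account operations to add to the plan. Only operations that change the
    account are emitted, so re-running with the same status yields an empty plan.
    """
    ops = []
    if account.deleted:
        return ops                                      # nothing left to act on
    if status == "Active":
        if not account.enabled:
            ops.append(("Enable",))                     # rehire: re-enable only
        return ops
    if status == "TermAcctsDelete":
        ops.append(("Delete",))                         # deletion subsumes the rest
        return ops
    if account.enabled:
        ops.append(("Disable",))                        # TermDisable and later stages
    if status == "TermEntitlementRemove":
        ops.extend(("Remove", g) for g in sorted(account.groups))
    return ops


def apply_plan(account, ops):
    """Apply the modelled operations to the account stand-in."""
    for op in ops:
        if op[0] == "Enable":
            account.enabled = True
        elif op[0] == "Disable":
            account.enabled = False
        elif op[0] == "Remove":
            account.groups.discard(op[1])
        elif op[0] == "Delete":
            account.deleted, account.enabled = True, False
            account.groups.clear()
    return account


def simulate(events, groups):
    """Run (today, employee_status, last_day_of_work) HR snapshots through the
    transform and the rule. Returns the (status, ops) trail and the final account."""
    account = AdAccount(groups=set(groups))
    trail = []
    for today, emp_status, last_day in events:
        status = post_term_status(emp_status, last_day, today)
        ops = build_plan(status, account)
        apply_plan(account, ops)
        trail.append((status, ops))
    return trail, account


if __name__ == "__main__":
    # Identity was Active, HR only reflects the termination 25 days after the last day.
    trail, acct = simulate([(on_day(0), "Active", None), (on_day(25), "Term", LAST_DAY)],
                           {"CN=VPN-Users", "CN=Finance"})
    for status, ops in trail:
        print(status, ops)
    print("deleted:", acct.deleted)
```

The point the simulation makes is that none of the three problem transitions needs special handling: “Active” straight to the delete stage yields a Delete, an already-disabled account reaching the 21-day mark is deleted without a separate entitlement-removal step, and a return within the first week only re-enables the account because its groups were never removed. Because the rule emits nothing when the account already matches the status, a second attribute sync with the same value is harmless, which is what you want when HR aggregations run more often than the states change.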