A potential customer would like to use an identity source that is actually a database view containing only active identities. It is not possible to add historical records or an identity status to this view.

Onboarding goes well, new identities result in new role members and fulfillment.
Offboarding is quite hard in this case. The offboarded identities do not show up in the view.
After a new collection and publish, the identity is not in IG anymore.
The accounts that belong to this identity are orphaned and need to be removed manually or via a review.

Is it possible, for this use case, to act on missing identities after collecting/publishing?
This can be an automatic report showing all missing identities, or a fulfillment action for the accounts and permissions.
Not sure if this should be automatic, resulting in a lot of removed users when a collection fails and collects zero identities...
Maybe just keep the offboarded identities visible with their corresponding accounts and tag them as deleted.
Then you can start reports or fulfillment on those 'ghost' identities, instead of on all the orphaned accounts.

If the collection went wrong, fix it and the 'ghost' identities become 'normal' again.

This approach makes it easier to connect to identity sources that are more basic, like database views.
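The 'ghost identity' idea above can be shown with a small snapshot-diff collector. This is an added example, not code from the original post or from the governance product being discussed. It assumes a constructed HR table behind an `active_identities` view (the only thing the source exposes), a governance-side `ig_identities` table that keeps every identity ever collected together with a `status` column the view lacks, an `ig_accounts` table of linked accounts, and a 50% plausibility threshold (`MIN_EXPECTED_FRACTION`) below which a run is treated as a failed collection rather than a mass offboarding:

```python
import sqlite3

# Assumption for this example: a run that returns fewer than half the
# previously active identities (including zero) is a broken collection and
# must not ghost anyone.
MIN_EXPECTED_FRACTION = 0.5


def build_db():
    """Constructed sample data: HR table, the active-only view, and IG-side tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE hr_people (emp_id TEXT PRIMARY KEY, name TEXT, active INTEGER);
        -- the identity source: no history, no status, only currently active people
        CREATE VIEW active_identities AS
            SELECT emp_id, name FROM hr_people WHERE active = 1;
        -- governance-side snapshot with the status the view cannot provide
        CREATE TABLE ig_identities (
            emp_id TEXT PRIMARY KEY, name TEXT,
            status TEXT NOT NULL CHECK (status IN ('active', 'ghost')),
            ghost_since INTEGER);
        CREATE TABLE ig_accounts (account TEXT PRIMARY KEY, app TEXT, emp_id TEXT);
        INSERT INTO hr_people VALUES ('e1','Alice',1), ('e2','Bob',1), ('e3','Carol',1);
        INSERT INTO ig_accounts VALUES ('alice@crm','crm','e1'), ('bob@crm','crm','e2'),
                                       ('bob@erp','erp','e2'), ('carol@erp','erp','e3');
    """)
    return con


def collect(con, run_no):
    """One collection run: diff the view against the snapshot.

    Returns (new_ids, ghosted_ids, restored_ids). Raises RuntimeError, leaving
    the snapshot untouched, when the run looks like a failed collection.
    """
    seen = {emp_id: name for emp_id, name in con.execute(
        "SELECT emp_id, name FROM active_identities")}
    known = {emp_id: status for emp_id, status in con.execute(
        "SELECT emp_id, status FROM ig_identities")}
    active_known = [i for i, s in known.items() if s == "active"]

    # Safety check against the 'zero identities collected' failure mode.
    if active_known and len(seen) < MIN_EXPECTED_FRACTION * len(active_known):
        raise RuntimeError(
            f"run {run_no}: view returned {len(seen)} identities, "
            f"expected about {len(active_known)}; aborting without changes")

    new = sorted(set(seen) - set(known))
    ghosted = sorted(i for i in active_known if i not in seen)       # vanished from the view
    restored = sorted(i for i, s in known.items() if s == "ghost" and i in seen)

    with con:  # one transaction per run
        con.executemany("INSERT INTO ig_identities VALUES (?, ?, 'active', NULL)",
                        [(i, seen[i]) for i in new])
        con.executemany("UPDATE ig_identities SET status='ghost', ghost_since=? WHERE emp_id=?",
                        [(run_no, i) for i in ghosted])
        con.executemany("UPDATE ig_identities SET status='active', ghost_since=NULL WHERE emp_id=?",
                        [(i,) for i in restored])
    return new, ghosted, restored


def ghost_report(con):
    """Accounts still attached to ghost identities: the review / fulfillment worklist."""
    return con.execute("""
        SELECT i.emp_id, i.name, a.account, a.app
        FROM ig_identities i JOIN ig_accounts a USING (emp_id)
        WHERE i.status = 'ghost'
        ORDER BY i.emp_id, a.account
    """).fetchall()


if __name__ == "__main__":
    db = build_db()
    collect(db, 1)                                                   # initial load
    db.execute("UPDATE hr_people SET active=0 WHERE emp_id='e2'")    # Bob is offboarded
    print("run 2:", collect(db, 2))
    for row in ghost_report(db):
        print("review/fulfill:", row)
```

Because the ghost identity keeps its account links, the report is per identity rather than per orphaned account, and a ghost that reappears in the view on a later run (for example after a fixed collection) simply flips back to active.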

Comments

  • The University of Michigan has a similar need. In our case, we would want to deprovision permissions for identities that disappear so that permissions are removed from applications.