Identity management (IDM), also known as identity and access management (IAM), ensures that authorized people and only authorized people have access to the technology resources they need to perform their job functions.
And access is managed by the user lifecycle state in IdentityNow. Identity Lifecycle State aims to automate and manage the entire digital identity lifecycle process and access throughout the organization.
Identity lifecycle is a set of stages of the identity from the creation to its deactivation or deletion. It contains a creation of an account, assignment of correct groups and permissions, setting and resetting passwords and in the end deactivation or deletion of the account.
Handling the unwanted identities in SailPoint increases the processing time and reduces the usability of the SailPoint tenant. To reduce the process and speed up the work, in tenant only limited and require identities we can handle, handling is easy and processing the limited identities is a less time-consuming process, so we can delete unwanted and terminated users’ identities from SailPoint.
Now, let us have a look at the SailPoint REST API’s used in the Identity deletion process. Below is the list of APIs used for Identity deletion in SailPoint IdentityNow:
- Authentication: This is used to create an access Token (Bearer token).
- Search – Perform Search (v3 API): This is used to fetch the all “30daysPostTermination” or “terminated” lifecycle state identities.
- Identities- Deletes an identity (beta API):this is used to delete the identities from SailPoint tenant.
And here, we will be using A personal access token (PAT) is a method of authenticating to an API as a user without providing a username and password.
Prerequisites for Identity deletion:
- SailPoint REST API’s.
- Client ID and Client Secret.
- IQservice Server.
Now, let us discuss the use case of Identity deletion.
Use Case:
All the identities in the “30daysPostTermination” lifecycle state will be deleted from IdentityNow.
The deleted identities would be re-aggregated in the next aggregation cycle as “Uncorrelated accounts” in target application, and hence would not affect the new hire creation logic and the SAMAccount name would remain unique as per the requirement and the logic defined.
A PowerShell script will be developed to call the APIs to identify all the Identities in the required lifecycle state i.e. “30daysPostTermination” and will delete the accounts from the HRMS Source for all the Identities.
Steps Overview as per the script:
Step1: As part of the PowerShell script first it will read the require details from property file. In property file we can maintain the ClientID, client Secret, base URL, search query, deletion limit, log file path and debug values.
Step2: Authentication API will execute to generate the access token.
Step3: Next Search API will execute and the fetch “30daysPostTermination” lifecycle state identities from SailPoint Tenant.
Step4: One by one Identities will pass to Delete API to delete from SailPoint Tenant.
Let us understand Identity Deletion by using SailPoint REST APIs, use cases and automation of the script via windows task scheduler in the following below presentation:
Advantages of Identities Deletion in SailPoint IdentityNow.
- It will increase the usability of the tenant.
- It decreases the aggregation and identity refresh process time.
- It will fasten the backend processes and reduce the unwanted identity handling.
- Reduce the burden on the tenant.
When a user got terminated or left the organization, all access will be removed, and accounts will be disabled.
Now, let us go through a demo on how we can achieve identity deletion in SailPoint IdentityNow.