Deprovisioning refers to the procedure of revoking an employee's access to your company's systems, applications, and internal data resources. Irancell IAM performs deprovisioning in two scenarios:
- When the user is deleted from Irancell IAM using the DELETE operation via API or UI.
- When the user no longer has active entitlements. An active entitlement is one whose end date is still valid, i.e. has not yet passed. When the end date of an entitlement is earlier than the current date, or the role is deleted from the user, the entitlement is considered inactive, and Irancell IAM sends a DELETE operation to the target system.
If your target system does not allow deleting an object, there are two possible solutions:
- There might be a default provisioning role that can never be deleted from a user. This auxiliary role helps to keep a user's status as active. It is often named a Default Provision User Role. Users can have groups added and deleted, but this role persists, ensuring the user remains active and cannot be deleted.
- There is a Managed System attribute, ON_DELETE, whose value can be either DISABLE or UPDATE. If it is set, the DELETE operation is replaced by the defined operation when data is sent to the connector. If the attribute is not defined, the default behavior is to keep the DELETE operation.
Managed System ON_DELETE
Deprovisioning puts an identity into an inactive status. This means that subsequent changes will not be reflected in the target system for the identity that has been deprovisioned. Irancell IAM does not send any updates to the connector or the target system for inactive identities.
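The following is an added example that is not Irancell IAM's own code: it models the deprovisioning decision described above (entitlement expiry, the ON_DELETE mapping to DISABLE or UPDATE, and the rule that inactive identities receive no further operations) so the three rules can be exercised together on constructed data. The class and function names, the `status` field and the `pending_op` parameter are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Assumed names for this illustration; not Irancell IAM's own data model.
VALID_ON_DELETE = ("DISABLE", "UPDATE")


@dataclass
class Entitlement:
    role: str
    end_date: Optional[date]      # None models a role with no expiry (assumed)
    deleted_from_user: bool = False


@dataclass
class Identity:
    user_id: str
    entitlements: List[Entitlement] = field(default_factory=list)
    status: str = "ACTIVE"        # "ACTIVE" or "INACTIVE"


def is_active(ent: Entitlement, today: date) -> bool:
    """An entitlement is active when its role was not removed and its end date has not passed."""
    if ent.deleted_from_user:
        return False
    if ent.end_date is None:
        return True
    return ent.end_date >= today


def has_active_entitlements(identity: Identity, today: date) -> bool:
    return any(is_active(e, today) for e in identity.entitlements)


def resolve_on_delete(operation: str, on_delete: Optional[str]) -> str:
    """Apply the Managed System ON_DELETE attribute: replace DELETE by DISABLE/UPDATE when set."""
    if operation != "DELETE":
        return operation
    if on_delete is None:
        return "DELETE"               # attribute not defined: keep DELETE
    if on_delete not in VALID_ON_DELETE:
        raise ValueError(f"unsupported ON_DELETE value: {on_delete!r}")
    return on_delete


def plan_operation(identity: Identity, pending_op: str, today: date,
                   on_delete: Optional[str] = None) -> Optional[str]:
    """Decide which operation (if any) goes to the connector for this identity.

    Returns None when nothing should be sent, which is the case for an identity
    that is already inactive. Marks the identity inactive when it is deprovisioned.
    """
    if identity.status == "INACTIVE":
        return None                   # no updates for deprovisioned identities
    explicit_delete = pending_op == "DELETE"          # DELETE via API or UI
    if explicit_delete or not has_active_entitlements(identity, today):
        identity.status = "INACTIVE"
        return resolve_on_delete("DELETE", on_delete)
    return pending_op


def demo() -> dict:
    """Constructed sample scenarios; returns the operation chosen for each."""
    today = date(2024, 6, 1)
    expired = Entitlement("Finance-Reader", date(2024, 5, 31))
    default_role = Entitlement("Default Provision User Role", None)
    results = {}

    # 1. Default provisioning role keeps the user active; ordinary update passes through.
    u1 = Identity("u1", [expired, default_role])
    results["default_role_keeps_active"] = plan_operation(u1, "UPDATE", today)

    # 2. Only an expired entitlement and no ON_DELETE: DELETE is sent.
    u2 = Identity("u2", [expired])
    results["expired_no_on_delete"] = plan_operation(u2, "UPDATE", today)

    # 3. Same, but the Managed System sets ON_DELETE=DISABLE.
    u3 = Identity("u3", [expired])
    results["expired_on_delete_disable"] = plan_operation(u3, "UPDATE", today, "DISABLE")

    # 4. Follow-up change for an identity that is now inactive: nothing is sent.
    results["inactive_gets_nothing"] = plan_operation(u3, "UPDATE", today, "DISABLE")

    # 5. Explicit DELETE via API/UI with ON_DELETE=UPDATE.
    u5 = Identity("u5", [default_role])
    results["explicit_delete_mapped_to_update"] = plan_operation(u5, "DELETE", today, "UPDATE")
    return results


if __name__ == "__main__":
    for name, op in demo().items():
        print(f"{name}: {op}")
```

Note that `plan_operation` changes the identity's status as a side effect; an identity that was deprovisioned once answers `None` to every later call, which is the behaviour the text describes for inactive identities.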