We need to configure a use case where if a user is disabled in IAM a specific endpoint account will be deleted.
I found in the documentation that by removing the corresponding provisioning role from the global user, IAM automatically deletes the associated account. I tested it, but it's not working. Am I missing something?
Release: 14.x
Component: IdentityMinder (Identity Manager)
Cause: inadequate configuration
In order for an account to be deleted from the endpoint itself, the proper settings must be in place.
In this example, the ADS (Active Directory) endpoint settings are configured with the specific delete options needed for the account to be removed both on the Provisioning side and from the endpoint itself.
Once this is confirmed, there can be other causes for the account not being removed.
For example, if the account was originally created under a certain OU, as specified by the Account Template, but was later moved, an attempt to remove it will fail: by default, the Provisioning Server looks for the account only under the specific OU set by the Account Template. When the account may no longer be in its original OU, the following endpoint settings should be in place:
Synchronization/Force single account across multiple containers set to ActiveDirectory
as well as Synchronization/Use Existing Accounts set to Yes
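The failure mode above is easy to spot in advance: any endpoint account whose current container differs from the Account Template OU is one the Provisioning Server will not find with its default scoping. The following added example (not code from the article or from CA/Broadcom) audits an LDIF-style export of account DNs against a template OU and lists the accounts that have drifted. It assumes the caller already has such an export (for instance from an ldapsearch against the domain); the template OU and the LDIF text are constructed, and the check treats only the direct parent container as the expected location, so accounts in child OUs are reported as moved.

```python
"""Audit endpoint accounts that left the Account Template OU.

Added example, not part of the original article or of CA Identity Manager.
Assumptions: an LDIF-style export with one "dn:" line per account is
available, and the Account Template places accounts directly in
TEMPLATE_OU (accounts in child OUs count as moved).
"""
import re
from typing import Dict, List

# Constructed template OU (assumption; not taken from the article).
TEMPLATE_OU = "OU=Contractors,DC=example,DC=com"

# Constructed LDIF export: two accounts still in place (one with an
# escaped comma in its CN), one moved to a Leavers OU, one moved into a
# child OU of the template container.
SAMPLE_LDIF = """\
dn: CN=jdoe,OU=Contractors,DC=example,DC=com
sAMAccountName: jdoe

dn: CN=Doe\\, Jane,OU=Contractors,DC=example,DC=com
sAMAccountName: jane.doe

dn: CN=asmith,OU=Leavers,DC=example,DC=com
sAMAccountName: asmith

dn: CN=bwong,OU=Temp,OU=Contractors,DC=example,DC=com
sAMAccountName: bwong
"""


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalized RDNs, honoring backslash-escaped commas."""
    rdns = re.split(r"(?<!\\),", dn)
    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        # DN comparisons are case-insensitive for attribute types and, in
        # Active Directory, for the values used here; whitespace is ignored.
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalized


def parent_container(dn: str) -> str:
    """Return the normalized DN of the container that directly holds dn."""
    return ",".join(split_dn(dn)[1:])


def parse_ldif_dns(ldif_text: str) -> List[str]:
    """Collect the DN of every entry in an LDIF-style export."""
    return [
        line[len("dn:"):].strip()
        for line in ldif_text.splitlines()
        if line.lower().startswith("dn:")
    ]


def audit(template_ou: str, ldif_text: str) -> Dict[str, List[str]]:
    """Classify accounts as still in the template OU or moved elsewhere.

    Moved accounts are the ones the Provisioning Server will not locate
    with default scoping, so their deletions fail unless the
    'Force single account across multiple containers' and
    'Use Existing Accounts' settings are enabled on the endpoint.
    """
    expected = ",".join(split_dn(template_ou))
    result: Dict[str, List[str]] = {"in_place": [], "moved": []}
    for dn in parse_ldif_dns(ldif_text):
        bucket = "in_place" if parent_container(dn) == expected else "moved"
        result[bucket].append(dn)
    return result


if __name__ == "__main__":
    report = audit(TEMPLATE_OU, SAMPLE_LDIF)
    for dn in report["moved"]:
        print(f"WILL NOT BE FOUND under template OU: {dn}")
    print(f"{len(report['in_place'])} in place, {len(report['moved'])} moved")
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; any DN listed as moved is a deletion that will silently fail under the default OU-scoped lookup, which is the symptom described in the question.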