Understanding Rescinded Users

BHUSHAN CHAVAN
9 min read

A rescinded user occurs when an employee is expected to join an organization but fails to show up on their designated start date. This situation differs from standard termination scenarios because the employee never actually began work, yet their identity may have already been provisioned with accounts and access in preparation for their arrival. Organizations must properly handle these scenarios to prevent security vulnerabilities and maintain clean identity data.

The rescinded status typically originates from HR systems like Workday when hiring managers or HR personnel mark an offer as canceled or rescinded. Unlike normal terminations, rescinded users present unique challenges because they may have pre-provisioned access that needs immediate revocation despite never actually working for the organization.

Rescinded User Attributes

SailPoint's Workday connector supports several key attributes for handling rescinded users effectively:

  • IS_RESCINDED: Boolean flag indicating whether a hire was rescinded

  • RESCINDED_DATE: Timestamp when the rescission occurred

  • RESCINDED_DESCRIPTION: Text description providing the reason for rescission

  • HIREDATE: Original hire date for correlation purposes

  • FUTURE_ACTION: Planned action (hire/termination)

  • FUTURE_DATE: Scheduled date for the action

Workday Source Configuration

To properly handle rescinded users, organizations must configure their Workday source with specific aggregation settings.

```json
{
  "name": "Workday Source Configuration",
  "connector": "workday",
  "connectorAttributes": {
    "aggregateRescindedFutureHires": true,
    "aggregateRescindedPastHires": true,
    "pastRescindedOffset": 60,
    "effectiveDateOffset": 14
  }
}
```

Aggregate Rescinded Future Hires: This setting enables aggregation of future-dated rescinded hire records, maintaining the account link for users whose hire dates have not yet passed but whose offers have been rescinded.

Aggregate Rescinded Past Hires: This configuration retains information for rescinded past hires to support leaver workflows, ensuring that users who were rescinded after their expected start date are properly processed.

Past Rescinded Offset: Specifies the number of days in the past to aggregate rescinded hires, with a default value of 60 days. To fetch rescinded past hire data, the worker's hire date must fall within this offset range.

Effective Date Offset: Determines how many days in advance to aggregate future hires and terminations, typically set to 14 days.
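The two offsets together define a window around the aggregation date; a rescinded record whose hire date falls outside that window is simply not fetched, so its IS_RESCINDED flag never reaches the identity. The following added Python example (not SailPoint connector code) models that window under the assumed rule that past rescinded hires are kept when the hire date is no older than pastRescindedOffset days and future ones when it is no more than effectiveDateOffset days ahead, and lists the records a run would silently miss:

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed copy of the connectorAttributes from the source configuration above.
CONFIG = {
    "aggregateRescindedFutureHires": True,
    "aggregateRescindedPastHires": True,
    "pastRescindedOffset": 60,
    "effectiveDateOffset": 14,
}


@dataclass(frozen=True)
class WorkerRecord:
    worker_id: str
    hire_date: date
    is_rescinded: bool


def classify(rec: WorkerRecord, today: date, cfg: dict = CONFIG) -> str:
    """How the offset settings treat one Workday record on a given aggregation day.
    Assumed rule (derived from the setting descriptions, not from connector source)."""
    if not rec.is_rescinded:
        return "not-rescinded"
    if rec.hire_date > today:
        horizon = today + timedelta(days=cfg["effectiveDateOffset"])
        if cfg["aggregateRescindedFutureHires"] and rec.hire_date <= horizon:
            return "future-rescinded"
        return "future-outside-window"
    cutoff = today - timedelta(days=cfg["pastRescindedOffset"])
    if cfg["aggregateRescindedPastHires"] and rec.hire_date >= cutoff:
        return "past-rescinded"
    return "past-outside-window"


def dropped_rescinded(records, today: date, cfg: dict = CONFIG) -> list:
    """Worker IDs whose rescinded status would never reach the identity; these need a
    widened offset or a manual review rather than being assumed handled."""
    return [r.worker_id for r in records
            if classify(r, today, cfg).endswith("outside-window")]


# Constructed sample feed, evaluated as of 2024-06-01
TODAY = date(2024, 6, 1)
SAMPLE = [
    WorkerRecord("W1001", date(2024, 6, 10), True),   # future hire, 9 days out
    WorkerRecord("W1002", date(2024, 7, 1), True),    # future hire, 30 days out
    WorkerRecord("W1003", date(2024, 4, 15), True),   # past hire, 47 days ago
    WorkerRecord("W1004", date(2024, 3, 1), True),    # past hire, 92 days ago
    WorkerRecord("W1005", date(2024, 6, 10), False),  # ordinary future hire
]
```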

Schema Configuration

The Workday connector requires specific schema attributes to be added for rescinded user functionality.

```xml
<AccountAttribute name="IS_RESCINDED" type="string" schemaObjectType="account"/>
<AccountAttribute name="RESCINDED_DATE" type="string" schemaObjectType="account"/>
<AccountAttribute name="RESCINDED_DESCRIPTION" type="string" schemaObjectType="account"/>
```

These attributes must be properly mapped using XPath expressions in the Workday connector configuration to ensure accurate data aggregation.

Identity Lifecycle State Management

Lifecycle State Configuration

Organizations should create a dedicated "Rescinded" lifecycle state to properly handle these users. This lifecycle state should be configured with specific provisioning policies:

```json
{
  "name": "Rescinded",
  "enabled": true,
  "emailNotificationOption": {
    "notifyManagers": true,
    "notifyAllAdmins": false,
    "emailTemplateId": "rescinded-notification-template"
  },
  "accessProfileIds": [],
  "accountActions": [
    { "action": "DISABLE", "sourceIds": ["all"] }
  ]
}
```

Lifecycle State Transforms

Identity transforms play a crucial role in automatically detecting and processing rescinded users. The following transform example demonstrates how to evaluate rescinded status:

```json
{
  "name": "Rescinded User Lifecycle State",
  "type": "static",
  "attributes": {
    "isRescinded": {
      "type": "firstValid",
      "attributes": {
        "values": [
          {
            "type": "accountAttribute",
            "attributes": { "attributeName": "IS_RESCINDED", "sourceName": "Workday" }
          },
          "false"
        ]
      }
    },
    "terminationDate": {
      "type": "accountAttribute",
      "attributes": { "attributeName": "TERMINATION_DATE", "sourceName": "Workday" }
    },
    "value": "#if($isRescinded.equals('true'))rescinded#elseif($terminationDate)terminated#{else}active#end"
  }
}
```

This transform uses Apache Velocity template syntax to evaluate the IS_RESCINDED attribute and set the appropriate lifecycle state. The firstValid wrapper supplies "false" when the Workday account has no IS_RESCINDED value, so the string comparison never runs against a null.
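Because the template compares the raw string against 'true', a value delivered as "True" or "1" would leave a rescinded user in the active state without any error. The following added Python example (not SailPoint code) renders the transform's logic so it can be unit-tested against the values your feed actually sends, and shows an assumed normalization step beside the strict comparison; treating an empty TERMINATION_DATE as absent is also an assumption to confirm against your Velocity version:

```python
from typing import Optional


def first_valid(*candidates):
    """Emulates the firstValid transform: the first non-null candidate is returned."""
    for c in candidates:
        if c is not None:
            return c
    return None


def account_attribute(account: dict, name: str) -> Optional[str]:
    """Emulates the accountAttribute transform: the raw string, or None if missing."""
    return account.get(name)


def normalize_flag(value: Optional[str]) -> str:
    """Assumed normalization: fold true/True/1 to 'true', anything else to 'false'."""
    if value is not None and value.strip().lower() in ("true", "1"):
        return "true"
    return "false"


def lifecycle_state(workday_account: dict, strict: bool = True) -> str:
    """Python rendering of the static transform above.

    strict=True reproduces the template's exact $isRescinded.equals('true') check;
    strict=False applies normalize_flag first. An empty TERMINATION_DATE counts as
    absent here (assumption).
    """
    is_rescinded = first_valid(account_attribute(workday_account, "IS_RESCINDED"), "false")
    if not strict:
        is_rescinded = normalize_flag(is_rescinded)
    termination_date = account_attribute(workday_account, "TERMINATION_DATE")
    if is_rescinded == "true":
        return "rescinded"
    if termination_date:
        return "terminated"
    return "active"


# Constructed Workday account records
RESCINDED = {"IS_RESCINDED": "true", "HIREDATE": "2024-06-10"}
TERMINATED = {"IS_RESCINDED": "false", "TERMINATION_DATE": "2024-05-01"}
NO_FLAG = {"HIREDATE": "2024-06-10"}
CAPITALIZED = {"IS_RESCINDED": "True", "HIREDATE": "2024-06-10"}
```

Run the strict variant over a sample of real aggregated accounts before relying on the transform; the CAPITALIZED record is the case that passes a demo and fails in production.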

Automated Processing Workflows

Workflow Configuration

SailPoint workflows can automate the entire rescinded user processing pipeline. The following workflow structure handles rescinded users comprehensively.

```json
{
  "name": "Handle Rescinded User Workflow",
  "type": "WORKFLOW",
  "trigger": {
    "type": "EVENT",
    "attributes": { "id": "idn:identity-attributes-changed" }
  },
  "steps": [
    {
      "name": "Check if User is Rescinded",
      "type": "CONDITION",
      "condition": "$.trigger.changes[?(@.attribute == 'cloudLifecycleState' && @.newValue == 'rescinded')]"
    }
  ]
}
```

Access Revocation Process

When a user is identified as rescinded, SailPoint must systematically revoke all provisioned access. This includes:

Role Revocation: All assigned roles, except birthright roles, should be removed from the rescinded identity. Organizations can configure automatic role removal through lifecycle state provisioning policies or custom workflows.

Entitlement Revocation: Direct entitlements granted to the user must be revoked to prevent unauthorized access. This process should bypass normal approval workflows for emergency security purposes.

Access Profile Removal: Any access profiles assigned to the user should be systematically removed. The revocation process should target only requestable access profiles while preserving any system-generated birthright access that may be required for audit purposes.

Account Disablement Strategy

Rescinded users require immediate account disablement across all connected sources. The disablement process should follow these principles:

Immediate Action: Account disablement should occur as soon as the rescinded status is detected, without waiting for standard approval processes.

Comprehensive Coverage: All accounts linked to the rescinded identity should be disabled, including Active Directory, cloud applications, and privileged access systems.

Audit Trail: Each disablement action should be logged with appropriate justification referencing the rescinded status.

Technical Implementation Examples

Transform Implementation

The following transform demonstrates comprehensive rescinded user detection:

```json
{
  "name": "Check Rescinded User Status",
  "type": "static",
  "attributes": {
    "isRescinded": {
      "type": "accountAttribute",
      "attributes": { "attributeName": "IS_RESCINDED", "sourceName": "Workday" }
    },
    "hireDate": {
      "type": "accountAttribute",
      "attributes": { "attributeName": "HIREDATE", "sourceName": "Workday" }
    },
    "activeFlag": {
      "type": "accountAttribute",
      "attributes": { "attributeName": "ACTIVE", "sourceName": "Workday" }
    },
    "value": "#if($isRescinded == 'true')rescinded#elseif($activeFlag == '1')active#{else}inactive#end"
  }
}
```

BeanShell Script Processing

For organizations using SailPoint IdentityIQ, BeanShell scripts can provide advanced rescinded user processing capabilities:

```java
// SailPoint BeanShell script for rescinded user processing (IdentityIQ)
import sailpoint.object.*;
import sailpoint.api.*;
import java.util.*;

public String processRescindedUser(Identity identity, SailPointContext context) {
    // Resolve the Workday application and the identity's link to it
    Application workday = context.getObjectByName(Application.class, "Workday");
    Link workdayLink = identity.getLink(workday);
    if (workdayLink == null) {
        return "No Workday link found";
    }

    String isRescinded = (String) workdayLink.getAttribute("IS_RESCINDED");
    String rescindedDate = (String) workdayLink.getAttribute("RESCINDED_DATE");
    String hireDate = (String) workdayLink.getAttribute("HIREDATE");

    if ("true".equals(isRescinded)) {
        // Set lifecycle state to rescinded
        identity.setAttribute("cloudLifecycleState", "rescinded");
        log.info("Identity " + identity.getName() + " marked as rescinded. Hire date: "
                 + hireDate + ", Rescinded date: " + rescindedDate);

        // Flag every non-IIQ link as disabled. BeanShell has no generics, so raw lists are used.
        // This only updates the IIQ link record; disabling the account on the target system
        // still requires a provisioning plan.
        List links = identity.getLinks();
        for (Link link : links) {
            if (!link.getApplication().getName().equals("IIQ")) {
                link.setAttribute("IIQDisabled", true);
                context.saveObject(link);
                log.info("Disabled account: " + link.getNativeIdentity()
                         + " on " + link.getApplication().getName());
            }
        }

        // Remove all assigned roles except birthright roles. Iterate over a copy so that
        // removing a role does not modify the list being traversed.
        // Assumes a role type named "birthright" exists in the role type definitions.
        List assignedRoles = identity.getAssignedRoles();
        if (assignedRoles != null) {
            for (Bundle role : new ArrayList(assignedRoles)) {
                if (!"birthright".equals(role.getType())) {
                    identity.removeAssignedRole(role);
                    log.info("Removed role: " + role.getName() + " from identity " + identity.getName());
                }
            }
        }

        context.saveObject(identity);
        context.commitTransaction();
        return "Rescinded user processed successfully";
    }
    return "User is not rescinded";
}
```

REST API Integration

Organizations can leverage SailPoint's REST APIs for programmatic rescinded user management:

```http
// Search for rescinded identities (the search endpoint takes a POST with a JSON body)
POST https://{{tenant}}.api.identitynow.com/v3/search
{
  "indices": ["identities"],
  "query": { "query": "attributes.cloudLifecycleState:rescinded" }
}

// Update identity lifecycle state (JSON Patch body is an array of operations)
PATCH https://{{tenant}}.api.identitynow.com/v3/identities/{{identityId}}
[
  { "op": "replace", "path": "/attributes/cloudLifecycleState", "value": "rescinded" }
]

// Revoke all access for rescinded user
POST https://{{tenant}}.api.identitynow.com/v3/access-requests
{
  "requestType": "REVOKE_ACCESS",
  "requestedFor": ["{{identityId}}"],
  "requestedItems": [
    { "type": "ROLE", "id": "{{roleId}}", "comment": "Access revoked due to rescinded status" }
  ]
}
```

Identity Processing Thresholds

Organizations should implement identity processing thresholds to prevent mass rescinded user processing from overwhelming the system. These thresholds can be configured as:

Fixed Number Threshold: Limit the number of rescinded users processed in a single batch to prevent system overload.

Percentage Threshold: Set a percentage-based limit relative to the total identity population to detect potential data feed errors.

Time-Based Processing: Implement delays between rescinded user processing batches to ensure system stability.
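A threshold is a safety interlock: if a broken HR feed suddenly flags a large share of the workforce as rescinded, the automation above would disable accounts at scale before anyone noticed. The following added Python example (not SailPoint's threshold feature) implements the three controls described here as a pre-check that halts the run for review and otherwise splits it into batches; the policy values are constructed:

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ThresholdPolicy:
    max_count: int       # fixed number threshold: absolute cap per run
    max_fraction: float  # percentage threshold as a fraction of all identities
    batch_size: int      # time-based processing: identities per batch


def check_thresholds(rescinded_ids: Iterable[str], total_identities: int,
                     policy: ThresholdPolicy) -> Tuple[bool, str]:
    """Return (proceed, reason). Any breach stops automated processing so a human can
    confirm the feed is sane before mass disablement happens."""
    n = len(list(rescinded_ids))
    if n > policy.max_count:
        return False, f"fixed threshold exceeded: {n} > {policy.max_count}"
    if total_identities > 0 and n / total_identities > policy.max_fraction:
        return False, (f"percentage threshold exceeded: "
                       f"{n / total_identities:.1%} > {policy.max_fraction:.1%}")
    return True, f"within thresholds ({n} identities)"


def batches(rescinded_ids: Iterable[str], policy: ThresholdPolicy) -> List[List[str]]:
    """Split an approved run into batches to be processed with a pause between them."""
    ids = list(rescinded_ids)
    return [ids[i:i + policy.batch_size] for i in range(0, len(ids), policy.batch_size)]


# Constructed policy: at most 50 per run, at most 2% of the population, 20 per batch
POLICY = ThresholdPolicy(max_count=50, max_fraction=0.02, batch_size=20)
```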

Notification and Communication

Stakeholder Notifications

Rescinded user processing should trigger appropriate notifications to relevant stakeholders:

HR Teams: Notify human resources teams when rescinded users are processed to ensure proper documentation and compliance.

IT Security: Alert security teams about rescinded user account disablements for monitoring and verification purposes.

Manager Notifications: Inform the designated manager about the rescinded status and subsequent access revocations.

Email Template Configuration

Organizations should create specific email templates for rescinded user notifications:

```json
{
  "name": "Rescinded User Notification",
  "subject": "Employee Rescinded - Access Revoked",
  "body": "Employee {{identity.name}} ({{identity.email}}) was marked as rescinded on {{rescindedDate}}. All access has been automatically revoked and accounts disabled.",
  "recipients": ["hr@company.com", "security@company.com"]
}
```

Best Practices and Considerations

Security Implications

Rescinded users present significant security risks if not handled properly. Organizations should consider:

Immediate Processing: Rescinded users should be processed as quickly as possible to minimize security exposure.

Comprehensive Cleanup: All traces of provisioned access should be removed, including cached credentials and session tokens.

Audit Requirements: Maintain detailed logs of all rescinded user processing activities for compliance and security auditing.

Data Retention Policies

Organizations must balance security requirements with data retention needs:

Identity Deletion: Consider whether rescinded identities should be deleted entirely or marked as inactive.

Historical Data: Maintain sufficient historical data for audit and compliance purposes while removing active access.

Correlation Prevention: Prevent future account correlation for truly rescinded users to avoid accidental access restoration.

Integration Challenges

Common challenges in rescinded user handling include:

Timing Issues: Ensure that rescinded status detection occurs before significant access provisioning.

Data Synchronization: Maintain consistency between HR systems and SailPoint regarding rescinded status.

Exception Handling: Implement proper error handling for cases where rescinded user processing fails.

Monitoring and Reporting

Key Metrics

Organizations should track several key metrics related to rescinded user processing:

Processing Time: Monitor how quickly rescinded users are detected and processed after status changes.

Access Revocation Completeness: Verify that all access is successfully revoked for rescinded users.

System Impact: Track the performance impact of rescinded user processing on overall system operations.

Reporting Requirements

Regular reporting on rescinded user activities supports compliance and security governance:

Monthly Summaries: Provide monthly reports on rescinded user volumes and processing effectiveness.

Audit Reports: Generate detailed audit reports showing all actions taken for each rescinded user.

Exception Reports: Identify and report on any rescinded users that could not be fully processed.

Troubleshooting Common Issues

Aggregation Problems

Common issues with rescinded user aggregation include:

Missing Attributes: Ensure that IS_RESCINDED and related attributes are properly configured in the account schema.

Offset Configuration: Verify that Past Rescinded Offset values are appropriate for organizational needs.

XPath Mapping: Confirm that XPath expressions correctly map rescinded attributes from Workday.

Processing Failures

When rescinded user processing fails, consider:

Workflow Errors: Review workflow logs for errors in rescinded user processing steps.

Transform Issues: Validate that lifecycle state transforms correctly evaluate rescinded conditions.

API Limitations: Ensure that API calls for access revocation are properly formatted and authorized.

Performance Considerations

Large volumes of rescinded users can impact system performance:

Batch Processing: Implement batch processing for multiple rescinded users to improve efficiency.

Resource Allocation: Ensure adequate system resources for rescinded user processing during peak periods.

Queue Management: Monitor processing queues to prevent backlog buildup during high-volume rescinded user events.

This guide provides organizations with the knowledge and tools necessary to handle rescinded users effectively in SailPoint environments. Proper implementation of these practices ensures security, compliance, and operational efficiency when dealing with employees who fail to show up for their expected start dates.
