Idea ID: 2871765

Extend LDAP / AD Fulfillment options

Status: New Idea

The LDAP / AD Fulfillment connector supports the following fulfillment commands:

  • REMOVE_PERMISSION_ASSIGNMENT
  • ADD_PERMISSION_TO_USER
  • REMOVE_ACCOUNT_PERMISSION
  • ADD_APPLICATION_TO_USER
  • REMOVE_ACCOUNT

When removing an account from AD because it is revoked in a review, the command REMOVE_ACCOUNT is used and this works as expected.

When an Identity loses a business role and therefore the AD account should be removed, the command REMOVE_APPLICATION_FROM_USER is used, and this specific command is not supported by the LDAP / AD Fulfillment connectors.

Although the intended result in AD is the same, the first case works and the second does not. Therefore it is only possible to use business roles to on-board new identities and automatically create an AD account; it is not possible to off-board identities and automatically remove the AD account again.

The request in this idea is simply to also support the REMOVE_APPLICATION_FROM_USER command for these connectors.

Additionally, supporting a command to modify or update an account in AD would make it even better, because instead of removing an account, some might prefer to disable it.

  • Not supporting these use-cases is one of the reasons IG looks to be half-baked as an IGA solution...

    It becomes quite complex to explain, design, and set up a full IGA solution where 46% of features are in IG and 54% in IDM, with sometimes more on one side and sometimes more on the other side, depending on which application we are talking to...

    Jacques Forster (IGA architect)