The LDAP / AD Fulfillment connector supports the following fulfillment commands:
- REMOVE_PERMISSION_ASSIGNMENT
- ADD_PERMISSION_TO_USER
- REMOVE_ACCOUNT_PERMISSION
- ADD_APPLICATION_TO_USER
- REMOVE_ACCOUNT
When an account is removed from AD because it was revoked in a review, the REMOVE_ACCOUNT command is used, and this works as expected.
When an identity loses a business role and its AD account should therefore be removed, the REMOVE_APPLICATION_FROM_USER command is used, and that command is not supported by the LDAP / AD Fulfillment connectors.
Although the result in AD should be the same, the first case works and the second does not. It is therefore possible to use business roles to on-board new identities and automatically create an AD account, but not to off-board identities and automatically remove the AD account again: the account stays in AD until someone removes it by hand.
This idea requests only that REMOVE_APPLICATION_FROM_USER also be supported by these connectors.
Additionally, supporting a command to modify or update an account in AD would make this even better, because some might prefer to disable the account instead of removing it.
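To make the gap concrete, here is an added example of a fulfillment-command dispatcher for an LDAP/AD target. It is not the connector's own code: the command names are the ones listed above, but `handle_command`, `Directory`, the `supported` set, the `disable_instead_of_delete` option and the sample user are all invented for illustration, and the directory is an in-memory stand-in for AD. It shows why the two off-boarding paths diverge today (one command has a handler, the other does not), how the proposed command would map onto the same delete operation, and what the "disable instead" variant would do (set the ACCOUNTDISABLE bit of userAccountControl).

```python
"""Hypothetical fulfillment dispatcher for an LDAP/AD target (added example)."""
from dataclasses import dataclass, field

# AD userAccountControl bits (documented by Microsoft): normal account, disabled.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002

# Commands the connector implements today, as listed on this page.
SUPPORTED_TODAY = frozenset({
    "REMOVE_PERMISSION_ASSIGNMENT",
    "ADD_PERMISSION_TO_USER",
    "REMOVE_ACCOUNT_PERMISSION",
    "ADD_APPLICATION_TO_USER",
    "REMOVE_ACCOUNT",
})

# What this idea asks for (assumed set, not a product feature).
PROPOSED = SUPPORTED_TODAY | {"REMOVE_APPLICATION_FROM_USER"}

SAMPLE_DN = "CN=jdoe,OU=Users,DC=example,DC=com"  # constructed sample user


class UnsupportedCommand(Exception):
    """The connector has no handler for this fulfillment command."""


@dataclass
class Directory:
    """Constructed in-memory stand-in for AD: DN -> attribute dict."""
    entries: dict = field(default_factory=dict)

    def delete(self, dn):
        del self.entries[dn]

    def modify_replace(self, dn, attr, value):
        self.entries[dn][attr] = value


def make_directory():
    """Fresh directory containing one enabled sample user."""
    return Directory({SAMPLE_DN: {"sAMAccountName": "jdoe",
                                  "userAccountControl": NORMAL_ACCOUNT}})


def _disable(directory, dn):
    """Disable instead of delete: OR the ACCOUNTDISABLE bit into userAccountControl."""
    uac = directory.entries[dn].get("userAccountControl", NORMAL_ACCOUNT)
    directory.modify_replace(dn, "userAccountControl", uac | ACCOUNTDISABLE)


def handle_command(directory, command, dn, supported=SUPPORTED_TODAY,
                   disable_instead_of_delete=False):
    """Apply one fulfillment command; raise if the connector lacks a handler."""
    if command not in supported:
        raise UnsupportedCommand(command)
    # Both off-boarding commands should end in the same AD operation.
    if command in ("REMOVE_ACCOUNT", "REMOVE_APPLICATION_FROM_USER"):
        if disable_instead_of_delete:
            _disable(directory, dn)
            return "disabled"
        directory.delete(dn)
        return "deleted"
    return "noop"  # other commands are not the subject of this example


def try_command(directory, command, dn, supported=SUPPORTED_TODAY,
                disable_instead_of_delete=False):
    """Like handle_command but reports 'unsupported' instead of raising."""
    try:
        return handle_command(directory, command, dn, supported,
                              disable_instead_of_delete)
    except UnsupportedCommand:
        return "unsupported"


def offboard_via_review(directory, dn, supported=SUPPORTED_TODAY):
    """Revocation in a review issues REMOVE_ACCOUNT (works today)."""
    return try_command(directory, "REMOVE_ACCOUNT", dn, supported)


def offboard_via_business_role(directory, dn, supported=SUPPORTED_TODAY,
                               disable=False):
    """Losing the business role issues REMOVE_APPLICATION_FROM_USER."""
    return try_command(directory, "REMOVE_APPLICATION_FROM_USER", dn,
                       supported, disable)


if __name__ == "__main__":
    d = make_directory()
    print("review:", offboard_via_review(d, SAMPLE_DN))            # deleted
    d = make_directory()
    print("role, today:", offboard_via_business_role(d, SAMPLE_DN))  # unsupported
    print("account still present:", SAMPLE_DN in d.entries)         # True
    d = make_directory()
    print("role, proposed:", offboard_via_business_role(d, SAMPLE_DN, PROPOSED))
    d = make_directory()
    print("role, disable:", offboard_via_business_role(d, SAMPLE_DN, PROPOSED, True))
    print(hex(d.entries[SAMPLE_DN]["userAccountControl"]))           # 0x202
```

The "today" scenario is the security-relevant one: the command is rejected, nothing is written to the directory, and the off-boarded identity keeps a live AD account. The disable variant keeps the object (and its SID and group memberships) in place for audit while blocking logon, which is why some teams prefer it over deletion.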