3.9 SecureLogin Deprovisioning

There are many scenarios that can utilize a policy in which a user account for a connected application is deleted and the Identity Vault account remains. In the Finance scenario, there is a requirement to delete the SAP User account and deprovision the SecureLogin credentials when the User's Identity Vault employeeStatus attribute value is set to "I". To handle this situation, the SAP User driver's Subscriber Event Transformation contains a policy to transform the modify attribute value into an object delete. Because the Active Directory account name is still needed after the <delete> command is completed, the <operation-data> element needs to be set on the <delete> command so it is available to the SecureLogin deprovisioning policy in the Input Transformation policy.

<operation-data>
  <nsl-sync-data>
    <nsl-target-user-dn>cn=GLCANYON,ou=finance,dc=prod,dc=testco,dc=com</nsl-target-user-dn>
  </nsl-sync-data>
</operation-data>

The policy for transforming the <modify> event into a <delete> and creating this element is available in the sample Credential Provisioning policies in the SampleSubEventTransform.xml file. The file is located in the cred_prov folder on the Identity Manager media.
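
The following is an added example, not the contents of SampleSubEventTransform.xml or any product code: a Python model of the transformation described above, run on a constructed XDS modify event, plus a check that the resulting <delete> still carries the DN the SecureLogin policy needs. The function names, the sample event and association value, and passing the Active Directory DN in as a parameter are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample XDS modify event (not taken from the product media).
SAMPLE_MODIFY = r"""<nds><input>
  <modify class-name="User" event-id="evt-1" src-dn="\TESTCO\finance\GLCANYON">
    <association>USdGLCANYON</association>
    <modify-attr attr-name="employeeStatus">
      <remove-all-values/>
      <add-value><value type="string">I</value></add-value>
    </modify-attr>
  </modify>
</input></nds>"""

def _sets_value(modify, attr, value):
    """True if this <modify> adds `value` to the attribute named `attr`."""
    for ma in modify.findall("modify-attr"):
        if ma.get("attr-name") == attr:
            return any((v.text or "").strip() == value
                       for v in ma.findall("add-value/value"))
    return False

def modify_to_delete(xds_text, ad_dn, attr="employeeStatus", value="I"):
    """Replace each qualifying <modify> with a <delete> carrying <operation-data>.

    ad_dn is the Active Directory DN; how a real policy obtains it is not
    modelled here (assumption: the caller already knows it).
    """
    root = ET.fromstring(xds_text)
    for parent in list(root.iter()):
        for i, child in enumerate(list(parent)):
            if child.tag != "modify" or not _sets_value(child, attr, value):
                continue
            delete = ET.Element("delete", dict(child.attrib))
            assoc = child.find("association")
            if assoc is not None:
                delete.append(assoc)  # keep the link to the connected account
            op = ET.SubElement(delete, "operation-data")
            sync = ET.SubElement(op, "nsl-sync-data")
            ET.SubElement(sync, "nsl-target-user-dn").text = ad_dn
            parent[i] = delete
    return root

def target_dn(delete):
    """Return the DN available to the deprovisioning policy, or None if missing."""
    node = delete.find("operation-data/nsl-sync-data/nsl-target-user-dn")
    return node.text.strip() if node is not None and node.text else None

if __name__ == "__main__":
    out = modify_to_delete(SAMPLE_MODIFY, "cn=GLCANYON,ou=finance,dc=prod,dc=testco,dc=com")
    print(ET.tostring(out, encoding="unicode"))
```

A <delete> for which target_dn() returns None would remove the SAP account but leave the Input Transformation policy with no Active Directory account to deprovision credentials for.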