How do you avoid orphaning users in IDCS when deprovisioning roles in EPM (via Restapi)?
We are building a scim-like automation to provision and deprovision users and roles in EPM.
EPM by default has a number of instances all pointing to a single IDCS instance. Per documentation, removing a user is something that would happen once they have been deprovisioned from all roles in all EPM environments. It appears that you should not remove a user while removing their last role, because that user could have a role in a different environment. But in the case of employee terminations, we do want a way to make sure the user is removed eventually.
I will cover some creative integrations we thought about below, and why they are not ideal. Here are the questions I am looking for an answer to: