Deactivate users

Is there a way to programmatically remove a user from all Multipass groups?

What’s the recommended ‘offboarding’ flow for Foundry instances that are managed through Azure SSO?

– More info –

Our deployment is integrated so that users can only log into Foundry through Azure SSO. A user’s Azure AD/Entra groups are automatically detected during login, and these Azure groups are used to automatically place the user into the correct Multipass groups in Foundry.

We are struggling with a user offboarding flow. Since there’s no way to deactivate a user anymore in Foundry (only delete is supported), when an employee leaves the company their user will persist in Palantir as ACTIVE and they will still be a member of various Multipass groups. This will make any reporting based on these groups out-of-date, unless someone manually goes through the process of removing them.

My assumptions are:

  1. There’s no way to “deactivate” a user. You can only “delete” users from Palantir

  2. There’s no way to actively ping our Azure Active Directory on a regular basis to pull a user’s AD groups and permissions.

Of course, if we internally offboard someone from CRB and remove them from any AD groups, they won’t be able to log into Palantir anymore. They would be blocked on login. But until they try to log in again, their user in Palantir would still exist and appear as though they were still part of any permission groups.

You cannot manually remove a user from external groups (i.e. those imported from the identity provider or any other group that isn’t manually created in the palantir-internal-realm).

There never was a way to deactivate a user in Foundry (as far as I know).

We are currently working on supporting the SCIM protocol within Foundry and specifically testing with Azure. This protocol allows the identity provider to communicate changes in attributes, group membership and offboarding (deleting users that have been offboarded) so that Foundry stays in sync with Entra. We don’t have an exact timeline to release the feature, but we are in the early rounds of testing and fixing some bugs that have arisen.

Also, a side note: once they are offboarded in the identity provider, they will no longer be able to log in to Palantir, so the fact that they are offboarded cannot currently be communicated to Palantir.

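To make concrete what the SCIM-based sync described in the reply above would do for the offboarding problem, here is an added example (not Foundry's implementation and not Palantir code): a minimal service-provider side that applies the SCIM 2.0 PATCH messages an identity provider such as Entra sends when a user is deactivated or removed from a group, and treats `active: false` as a cue to drop the user from every group so membership reports stop listing them. The user and group store, identifiers and sample payloads are constructed for illustration; the PATCH shapes follow RFC 7644 and the member-filter form Entra uses.

```python
import re

# Constructed in-memory directory standing in for the service provider's user and
# group store (an illustrative assumption, not Foundry's data model).
USERS = {"u-1001": {"userName": "jdoe@example.com", "active": True},
         "u-1002": {"userName": "asmith@example.com", "active": True}}
GROUPS = {"g-2001": {"displayName": "finance-analysts", "members": {"u-1001", "u-1002"}},
          "g-2002": {"displayName": "foundry-users", "members": {"u-1001"}}}
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')

def _as_bool(value):
    # Some IdPs send "active" as the strings "False"/"True" rather than JSON booleans.
    return value.lower() == "true" if isinstance(value, str) else bool(value)

def patch_user(user_id, patch):
    """PATCH /Users/{id} (RFC 7644 section 3.5.2). Offboarding arrives as
    {"op": "Replace", "path": "active", "value": false}; a deactivated user is
    also removed from every group so membership reports stop listing them."""
    user = USERS[user_id]
    for op in patch["Operations"]:
        if op["op"].lower() == "replace" and op.get("path") == "active":
            user["active"] = _as_bool(op["value"])
            if not user["active"]:
                for group in GROUPS.values():
                    group["members"].discard(user_id)
    return user

def patch_group(group_id, patch):
    """PATCH /Groups/{id}. A member removal arrives as
    {"op": "Remove", "path": "members[value eq \"u-1001\"]"} and an addition as
    {"op": "Add", "path": "members", "value": [{"value": "u-1001"}]}."""
    members = GROUPS[group_id]["members"]
    for op in patch["Operations"]:
        kind = op["op"].lower()
        if kind == "add" and op.get("path") == "members":
            members.update(v["value"] for v in op["value"])
        elif kind == "remove":
            match = MEMBER_FILTER.match(op.get("path", ""))
            if match:
                members.discard(match.group(1))
    return sorted(members)

def groups_of(user_id):
    """What a membership report would show for this user right now."""
    return sorted(g["displayName"] for g in GROUPS.values() if user_id in g["members"])
```

Until such a sync exists on the service-provider side, the reporting gap described in the thread is exactly the state this model starts in: the user still shows in every group after the IdP has already cut their access.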

Replying just to say that this is valuable. I understand that the user would not belong in the AD group, and therefore would not have access to Foundry. But as far as reporting goes, it would be nice if they were removed from other user groups they were added to.

I will be watching for announcements surrounding this! Thanks.