You would think this would be easy enough, but there are several ways to do it in SailPoint IdentityIQ. You can do it via the Leaver lifecycle event or via a target mapping on the identity attribute. I will describe both.
The Leaver event causes the accounts linked to the identity in SailPoint to be disabled. This triggers the IIQDisabled processing that disables the account in AD.
1/ Edit the out-of-the-box (OOB) Leaver lifecycle event
2/ Select Attribute change as the trigger
3/ Select your HR EmployeeStatus attribute, which you should already have defined as a searchable attribute in your identity cube
4/ Enter the HR exit value (Terminated or Inactive, whatever your HR feed uses) as the after value
5/ Change the value in HR from Active to, say, Terminated; once the change has been aggregated and the identity refreshed, the AD account will be disabled
Some things to note
A/ This is a one-time event, not an enforcement. If the account is manually re-enabled in AD, SailPoint will not disable it again.
B/ This disables ALL accounts linked to the identity. If you have several applications connected to SailPoint, their accounts will all be disabled. If you want only the AD account disabled, some extra steps need to be done.
The target mapping method on the identity attribute pushes the value 514 to the userAccountControl attribute in AD, which disables the account (514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2; 512 on its own is an enabled normal account).
1/ Edit the EmployeeStatus attribute in the identity cube
2/ Select Target Mappings
3/ Select the AD application
4/ Select the userAccountControl attribute
5/ Select a transformation rule and enter this code:
    // Get the HR status from the identity; "Inactive" represents an exit
    String myemployeestatus = (String) identity.getAttribute("EmployeeStatus");
    // 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2); 512 leaves the account enabled
    return "Inactive".equals(myemployeestatus) ? "514" : "512";
6/ Save and run an identity refresh
Some things to note about the target mapping
A/ If someone re-enables the account directly in AD, then after the next AD aggregation and identity refresh the rule runs again and the account is disabled again in AD. This is an enforcement, not a one-time event.
B/ It does not mark the linked AD account as disabled in SailPoint; only the attribute in AD changes.
C/ userAccountControl is a bit field, and the rule writes the whole value. Pushing a constant 514 (or 512 for active users) overwrites any other flag bits the account carried, for example 65536 (password never expires), and pushing 512 re-enables an account that was disabled in AD for some other reason. If your accounts carry such flags, derive the value from the account's current userAccountControl and only set or clear bit 2 instead of returning a constant.
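The following is an added example, not SailPoint code, that models what the two mechanisms above do to userAccountControl. It reproduces the 512/514 values the transformation rule returns, shows how to disable an account while preserving its other flag bits (the caveat in note C), and finishes with a drift check that lists accounts whose HR status says exit but whose AD account is still enabled, which is exactly the gap the one-time Leaver event leaves open after a manual re-enable. The HR status values, account names and userAccountControl values are constructed sample data, not real accounts.

```python
"""userAccountControl helpers and an HR-vs-AD drift check (added example, not SailPoint code)."""

# Well-known userAccountControl flag bits as documented by Microsoft
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# HR status values treated as an exit; assumed for this example, use your HR feed's values
EXIT_STATUSES = {"Terminated", "Inactive"}


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (514, 66050, ...)."""
    return bool(uac & ACCOUNTDISABLE)


def disable(uac: int) -> int:
    """Set only the ACCOUNTDISABLE bit; every other flag on the account survives,
    unlike pushing the constant 514."""
    return uac | ACCOUNTDISABLE


def enable(uac: int) -> int:
    """Clear only the ACCOUNTDISABLE bit."""
    return uac & ~ACCOUNTDISABLE


def decode(uac: int) -> list:
    """Names of the known flag bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def target_value(employee_status: str) -> int:
    """What the page's transformation rule pushes: 514 for a leaver, 512 otherwise."""
    if employee_status in EXIT_STATUSES:
        return NORMAL_ACCOUNT | ACCOUNTDISABLE
    return NORMAL_ACCOUNT


def find_drift(hr_status: dict, ad_uac: dict) -> list:
    """sAMAccountNames whose HR status is an exit but whose AD account is still enabled.
    After a Leaver event these are the accounts someone re-enabled by hand."""
    return sorted(
        sam
        for sam, status in hr_status.items()
        if status in EXIT_STATUSES and sam in ad_uac and not is_disabled(ad_uac[sam])
    )


# Constructed sample data (not real accounts): HR status keyed by sAMAccountName,
# and the userAccountControl value aggregated from AD for the same accounts.
HR_STATUS = {"jdoe": "Active", "asmith": "Terminated", "bwong": "Inactive", "clee": "Active"}
AD_UAC = {"jdoe": 512, "asmith": 512, "bwong": 66050, "clee": 514}


if __name__ == "__main__":
    print("rule value for Terminated:", target_value("Terminated"))
    print("disable 66048 keeping flags:", disable(66048), decode(disable(66048)))
    print("HR says exit but AD still enabled:", find_drift(HR_STATUS, AD_UAC))
```

Run the drift check against an HR export and an AD aggregation (or `Get-ADUser -Properties userAccountControl` output) after the Leaver event has fired; anything it lists is an account the event disabled once and someone has re-enabled since, which the target mapping would have caught on the next refresh.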