Post-Termination Access Configuration

Problem

When a user is terminated, the Remove from all groups rule clears all their group memberships.
In some cases, however, the user must retain access to specific groups after termination (for example, to keep a license for document retrieval).

If the main environment is used to assign post-termination licenses, these groups will be removed again on the next sync.

Solution

Create a secondary environment dedicated to post-termination license assignments and use an anchor attribute to identify users who have already been processed by the main environment. Once the anchor is populated, the user is excluded from further group removal in future syncs.

Configuration Steps:

Step 1: Identify the active-user group

Choose a group that includes all active employees.
Example: ActiveUsers

We will use this group later to detect a user termination.

Step 2: Create the anchor attribute

Navigate to: Field Mappings → Add (+) → Select an unused AD extension attribute → Switch to Conditional Expressions.

Example using ExtensionAttribute1:

WHEN
Employment.EmployeeStatusCode == "T" && RemovedFromGroup("ActiveUsers")
THEN
"Terminated on " + Employment.DateOfTermination

WHEN
Employment.EmployeeStatusCode == "A"
THEN
null

WHEN
Default
THEN
Ignore

Purpose
When the user is terminated and removed from ActiveUsers, the anchor is populated.
This marks the user as processed for termination and prevents repeated removal actions. If the user is rehired (status returns to "A"), the attribute is cleared, so a later termination is processed again from the start.

Step 3: Configure group removal in the main environment

Navigate to: Group Mappings → Add → Remove from all groups

Use this condition:

Employment.EmployeeStatusCode == "T" && String.IsNullOrWhiteSpace(User.ExtensionAttribute1)

Meaning
Remove all groups only if the user is terminated and the anchor attribute is empty.
This ensures that the group removal action is applied only once.

Step 4: Create the post-termination environment

Navigate to the environment list and click + to create a new environment. Give it a name (e.g., Post-Termination) and select:

Copy from → then select your main environment

This environment will only be used to assign the groups that the user should keep after termination.

Step 5: Add post-termination group mappings

In the new environment, navigate to: Group Mappings → Add groups

Use this condition:

!String.IsNullOrWhiteSpace(User.ExtensionAttribute1) && Employment.EmployeeStatusCode == "T"

Meaning
If the anchor has a value and the user is terminated, assign the selected groups.
This ensures the post-termination groups are only applied after the initial termination phase is complete.

Step 6: (Recommended) Clean up the secondary environment

Remove everything not needed:

  • Delete all field mappings (except Employee Number, First and Last Name)
  • Delete all unrelated group mappings
  • Remove notifications

This prevents duplicated or conflicting actions.
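As an added illustration (not part of this article or the product), the following Python model replays the anchor logic from Steps 2, 3 and 5 over several sync cycles and contrasts it with assigning the retained license directly in the main environment. It assumes that within one cycle the group rules run before the field mappings and that RemovedFromGroup() reflects that cycle's removals; the group names, date and sync order are constructed.

```python
# Constructed model of the anchor-attribute flow; ASSUMPTION: group rules run
# before field mappings in a cycle and RemovedFromGroup() sees that cycle's removals.
from dataclasses import dataclass, field
from typing import Optional

ACTIVE_GROUP = "ActiveUsers"
POST_TERM_GROUPS = {"DocRetrievalLicense"}   # groups a terminated user keeps

@dataclass
class User:
    status: str                              # Employment.EmployeeStatusCode: "A" or "T"
    termination_date: Optional[str] = None   # Employment.DateOfTermination
    anchor: Optional[str] = None             # User.ExtensionAttribute1
    groups: set = field(default_factory=set)
    removals: int = 0                        # times "Remove from all groups" fired

def is_blank(s: Optional[str]) -> bool:      # String.IsNullOrWhiteSpace
    return s is None or s.strip() == ""

def main_env_sync(u: User, use_anchor: bool = True) -> None:
    # Step 3: remove all groups, gated on the anchor being empty
    removed = set()
    if u.status == "T" and (not use_anchor or is_blank(u.anchor)):
        removed, u.groups = set(u.groups), set()
        u.removals += 1
    if not use_anchor:
        return
    # Step 2: conditional field mapping for ExtensionAttribute1
    if u.status == "T" and ACTIVE_GROUP in removed:
        u.anchor = "Terminated on " + str(u.termination_date)
    elif u.status == "A":
        u.anchor = None                      # rehire clears the anchor
    # Default -> Ignore: leave the attribute untouched

def post_term_env_sync(u: User) -> None:
    # Step 5: assign retained groups only once the anchor is populated
    if not is_blank(u.anchor) and u.status == "T":
        u.groups |= POST_TERM_GROUPS

def run(cycles: int, use_anchor: bool = True) -> User:
    u = User(status="A", groups={ACTIVE_GROUP, "Finance", "VPN"})
    u.status, u.termination_date = "T", "2024-05-31"   # HR marks termination
    for _ in range(cycles):
        main_env_sync(u, use_anchor)
        if use_anchor:
            post_term_env_sync(u)
        else:
            u.groups |= POST_TERM_GROUPS     # license assigned in the main env
    return u
```

With the anchor, the removal rule fires once and the retained group survives every later cycle; without it, the main environment strips and re-adds the license on every sync.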

Summary

Using a secondary environment with an anchor attribute ensures that terminated users retain only the necessary level of access, fully complying with post-termination policies.

For assistance with configuration, contact support@connecttoad.com.
