Playbook for Attempted Access to Deactivated Accounts
This playbook triggers when an employee whose account is terminated, disabled, or separated attempts to log in with their credentials. The user's identity state in SailPoint is generally updated to disabled on their termination date.
Ideally, the identity is updated to a separated state 30 days after the termination date. You can use business logic in SailPoint to delete the RSA accounts and remove the Active Directory (AD) group memberships after 30 days.
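The trigger condition described above, as an added example that is not part of the original playbook and not SailPoint code: it derives each identity's state from the termination date, flags login attempts by non-active identities, and notes AD groups or RSA tokens still present after the 30-day mark. The record fields, event format, sample data, and severity rule are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta

SEPARATION_DELAY = timedelta(days=30)  # disabled -> separated, per the playbook

# Constructed identity export; field names are hypothetical, not SailPoint's schema.
IDENTITIES = {
    "jdoe":   {"terminated": date(2024, 1, 10), "ad_groups": ["VPN-Users"], "rsa_token": True},
    "asmith": {"terminated": date(2024, 3, 1),  "ad_groups": ["Finance"],   "rsa_token": True},
    "bwong":  {"terminated": None,              "ad_groups": ["Eng"],       "rsa_token": True},
}

# Constructed authentication events: (ISO timestamp, user, source, result).
AUTH_EVENTS = [
    ("2024-03-05T08:14:00", "jdoe", "vpn", "failure"),
    ("2024-03-05T09:02:00", "asmith", "ad", "failure"),
    ("2024-03-05T09:30:00", "bwong", "ad", "success"),
    ("2024-02-28T17:45:00", "asmith", "ad", "success"),  # before termination
]

def lifecycle_state(identity, on_day):
    """Return active, disabled, or separated for the identity on a given day."""
    term = identity["terminated"]
    if term is None or on_day < term:
        return "active"
    if on_day < term + SEPARATION_DELAY:
        return "disabled"
    return "separated"

def triage(events, identities):
    """Return one alert per login attempt made by a non-active identity."""
    alerts = []
    for ts, user, source, result in events:
        identity = identities.get(user)
        day = datetime.fromisoformat(ts).date()
        state = lifecycle_state(identity, day) if identity else "active"
        if state == "active":
            continue
        # Separated identities should no longer hold AD groups or an RSA token.
        leftovers = []
        if state == "separated":
            leftovers = [k for k in ("ad_groups", "rsa_token") if identity[k]]
        # Assumed severity rule: a successful login or missed cleanup escalates.
        severity = "high" if result == "success" or leftovers else "medium"
        alerts.append({"time": ts, "user": user, "source": source, "state": state,
                       "result": result, "leftovers": leftovers, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in triage(AUTH_EVENTS, IDENTITIES):
        print(alert)
```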