EmpowerID provides organizations the ability to automate the disabling and eventual deletion of EmpowerID Persons, and of all user accounts linked to those Persons, based on attribute values that cause the people to match pre-defined Query-Based Collections used for this purpose. The most common attribute used is ValidUntil, which typically comes from the HR system. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event, differs from unplanned Leaver events, which are typically performed by an administrative user via the EmpowerID web user interface.

The Leaver process is when a person’s relationship with an organization comes to an end. The Leaver is the most security-sensitive event as the IAM system must ensure that all access is removed in a timely manner. An unplanned Leaver event can be initiated manually using one of the Terminate Person workflows. These workflows mark the Person object as deleted and trigger a reevaluation of the RET policies leading to account deletions or disables.

More commonly, Leaver events are triggered based upon changes to a person’s ValidUntil date flowing to their person object from the authoritative HR system through the HR connector.

EmpowerID provides a configurable “Advanced Leaver” process that relies on a permanent workflow named “SubmitPersonTerminations” which then calls a child flow chart workflow named “TerminatePersonAdvanced”.

...

  1. The SubmitPersonTerminations permanent workflow runs continuously and calls the Person.GetPendingTerminationNotProcessed stored procedure to grab all person objects where ValidUntil IS NOT NULL AND ValidUntil < GETUTCDATE() AND TerminationBusinessProcessTaskID IS NULL AND Deleted = 0 AND IsNull(PersonOrganizationStatusID, -1) <> 8; in the Query-Based Collection model this is the set of person objects in the “LeaverTerminationPreTerminationSetGroup” Query-Based Collection. Notifications are sent out based on the matching person records and the configured email notifications and templates.

  2. The SubmitPersonTerminations permanent workflow runs continuously and grabs all person objects in the “LeaverTerminationPeopletoTerminateSet” Query-Based Collection. Notifications are sent out based on the matching person records and configured email notifications and templates.

  3. For any person objects matching these criteria, it disables the Person and all of their user accounts. It also sets the Person Organization Status to 8, “Termination Pending”.

  4. Next, for any Person objects whose ValidUntil expired a greater number of days ago than the configurable "PersonTerminationGracePeriod" EmpowerID System setting, they are submitted into the “TerminatePersonAdvanced” workflow using the configured initiator identity, “TerminatePersonAdvancedInitiator”, set as an EmpowerID System setting.

...

  1. As a last step in the permanent workflow logic, it calls the Custom_Person_GetPendingTerminationNotProcessed stored procedure (in the Query-Based Collection model, it retrieves all people in the “LeaverTerminationPeopletoReactivateSet” Query-Based Collection) to get any person objects matching the reactivation criteria. These criteria are typically as follows (the clauses prefixed with -- are commented out):

     ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE()
     --AND TerminationBusinessProcessTaskID IS NULL
     AND Deleted = 0
     AND IsNull(PersonOrganizationStatusID, -1) = 8
     --AND TerminationDate IS NULL

  2. For any person matching these criteria, it enables the person and all their accounts, then sets the Person Organization Status to 1, “Active”.

  3. If the ValidUntil date is corrected in the HR system or on the Person object before the grace period expires, the permanent workflow will enable the person, their accounts, and set the Person Organization Status back to 1, “Active”.
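The two passes described above (pre-termination and reactivation) and the grace-period hand-off can be exercised against the page's own SQL predicates. The following is an added example, not EmpowerID code: the Person table, the Disabled column (a stand-in for "Person and all linked accounts disabled"), the sample rows and the 1000 + PersonID task id are constructed; the WHERE clauses are the ones quoted on the page, with T-SQL IsNull() written as SQLite's IFNULL() and GETUTCDATE() registered as a user function so the clock can be fixed for the demo. The TerminatePersonAdvanced hand-off is modelled only as marking the Person deleted.

```python
"""Model of the Advanced Leaver pass (SubmitPersonTerminations) described on this page.

Added example, not EmpowerID code. Schema, sample rows and the hand-off model are
constructed; the predicates are the page's, with IsNull() spelled IFNULL() for SQLite.
"""
import sqlite3
from datetime import datetime, timedelta

ISO = "%Y-%m-%dT%H:%M:%S"   # ValidUntil kept as ISO-8601 text so '<' and '>' compare correctly
ACTIVE = 1                  # PersonOrganizationStatusID values named on the page
TERMINATION_PENDING = 8

# Pre-termination set (page, step 1): who gets disabled and moved to status 8.
PRE_TERMINATION_WHERE = """
    ValidUntil IS NOT NULL AND ValidUntil < GETUTCDATE()
    AND TerminationBusinessProcessTaskID IS NULL
    AND Deleted = 0
    AND IFNULL(PersonOrganizationStatusID, -1) <> 8
"""

# Reactivation set (page, reactivation step 1); the '--' lines stay commented out as on the page.
REACTIVATE_WHERE = """
    ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE()
    --AND TerminationBusinessProcessTaskID IS NULL
    AND Deleted = 0
    AND IFNULL(PersonOrganizationStatusID, -1) = 8
    --AND TerminationDate IS NULL
"""

# Constructed sample people: (PersonID, Name, ValidUntil, Deleted, PersonOrganizationStatusID, Disabled)
SAMPLE_PEOPLE = [
    (1, "still employed",        "2024-12-31T00:00:00", 0, ACTIVE, 0),
    (2, "left 2 days ago",       "2024-06-13T00:00:00", 0, ACTIVE, 0),
    (3, "pending for 14 days",   "2024-06-01T00:00:00", 0, TERMINATION_PENDING, 1),
    (4, "HR corrected the date", "2024-12-31T00:00:00", 0, TERMINATION_PENDING, 1),
    (5, "no end date",           None,                  0, ACTIVE, 0),
    (6, "already deleted",       "2024-05-01T00:00:00", 1, None, 1),
    (7, "late HR feed",          "2024-06-01T00:00:00", 0, ACTIVE, 0),
]


def open_demo_db(now: datetime) -> sqlite3.Connection:
    """In-memory Person table plus a fixed-clock GETUTCDATE() (both constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("GETUTCDATE", 0, lambda: now.strftime(ISO))
    conn.execute("""
        CREATE TABLE Person (
            PersonID INTEGER PRIMARY KEY,
            Name TEXT,
            ValidUntil TEXT,
            TerminationBusinessProcessTaskID INTEGER,
            TerminationDate TEXT,
            Deleted INTEGER NOT NULL DEFAULT 0,
            PersonOrganizationStatusID INTEGER,
            Disabled INTEGER NOT NULL DEFAULT 0
        )""")
    return conn


def load_sample_people(conn: sqlite3.Connection) -> None:
    conn.executemany(
        "INSERT INTO Person (PersonID, Name, ValidUntil, Deleted, PersonOrganizationStatusID, Disabled) "
        "VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_PEOPLE)


def run_pass(conn: sqlite3.Connection, now: datetime, grace_days: int) -> dict:
    """One loop iteration of the permanent workflow, in the order the page gives."""
    # Steps 1-3: ValidUntil has passed -> disable Person (and accounts), set status 8.
    pending = [r[0] for r in conn.execute(
        f"SELECT PersonID FROM Person WHERE {PRE_TERMINATION_WHERE} ORDER BY PersonID")]
    conn.executemany(
        "UPDATE Person SET Disabled = 1, PersonOrganizationStatusID = ? WHERE PersonID = ?",
        [(TERMINATION_PENDING, pid) for pid in pending])

    # Step 4: expired longer ago than PersonTerminationGracePeriod -> TerminatePersonAdvanced.
    # Modelled as marking the Person deleted and recording a constructed task id.
    cutoff = (now - timedelta(days=grace_days)).strftime(ISO)
    terminated = [r[0] for r in conn.execute(
        "SELECT PersonID FROM Person WHERE PersonOrganizationStatusID = ? AND ValidUntil < ? "
        "AND Deleted = 0 AND TerminationBusinessProcessTaskID IS NULL ORDER BY PersonID",
        (TERMINATION_PENDING, cutoff))]
    conn.executemany(
        "UPDATE Person SET Deleted = 1, TerminationDate = ?, "
        "TerminationBusinessProcessTaskID = 1000 + PersonID WHERE PersonID = ?",
        [(now.strftime(ISO), pid) for pid in terminated])

    # Last step: a corrected ValidUntil while still in status 8 re-enables the Person.
    reactivated = [r[0] for r in conn.execute(
        f"SELECT PersonID FROM Person WHERE {REACTIVATE_WHERE} ORDER BY PersonID")]
    conn.executemany(
        "UPDATE Person SET Disabled = 0, PersonOrganizationStatusID = ? WHERE PersonID = ?",
        [(ACTIVE, pid) for pid in reactivated])
    conn.commit()
    return {"pending": pending, "terminated": terminated, "reactivated": reactivated}


def snapshot(conn: sqlite3.Connection) -> dict:
    """PersonID -> (PersonOrganizationStatusID, Disabled, Deleted) after a pass."""
    return {pid: (status, disabled, deleted) for pid, status, disabled, deleted in conn.execute(
        "SELECT PersonID, PersonOrganizationStatusID, Disabled, Deleted FROM Person ORDER BY PersonID")}


def demo(now: datetime = datetime(2024, 6, 15), grace_days: int = 7):
    conn = open_demo_db(now)
    load_sample_people(conn)
    return run_pass(conn, now, grace_days), snapshot(conn)


if __name__ == "__main__":
    result, state = demo()
    print(result)          # {'pending': [2, 7], 'terminated': [3, 7], 'reactivated': [4]}
    for pid, row in state.items():
        print(pid, row)
```

Person 7 shows the grace-period edge case: an HR record that arrives already expired beyond the grace period is disabled and handed off in the same pass, and person 5 shows that a NULL ValidUntil never matches either predicate, so people without an end date are never touched by this automation.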

...

  1. Trigger – leaver is detected

  2. Person status is set to ‘pending termination’

  3. Once the grace period has elapsed, person status is set to ‘Terminated’

In the initial implementation, EmpowerID will only terminate the identity (Person) within EmpowerID. Any action on the accounts in the external systems, such as disablement/deletion, access removal, or password reset, will be designed and configured once write-back to the target systems is authorized.

SubmitPersonTerminations Permanent Workflow

TerminatePersonAdvanced Workflow


Page to view Pending Leavers and Terminated People
