Note

EmpowerID provides the Planned Leaver Events (Advanced Termination) feature for backward compatibility. However, we recommend using No Code Flows for managing new leaver events more efficiently. Leaver tasks are often a series of complicated tasks that require scheduling within specific timeframes. No-code flows offer a secure solution to this challenge by enabling administrators to design, manage, and enhance intricate workflows without traditional coding. To learn more about this advanced approach, see Overview of No Code Flows.

EmpowerID allows organizations to automate the disabling and eventual deletion of EmpowerID Persons and all user accounts linked to those Persons based on the value of the ValidUntil attribute set on those Persons. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event, differs from unplanned Leaver events, which an administrative user typically performs via the EmpowerID web user interface.

Configuring EmpowerID to implement planned Leaver events involves the following tasks:

  • Creating an EmpowerID Person as the TerminatePersonAdvanced workflow initiator – The EmpowerID system uses this workflow to terminate all people submitted. As a best practice, the Person account you use should not belong to an actual EmpowerID user.

  • Configuring Planned Leaver System Settings – These settings allow you to select the Person Object responsible for initiating the TerminatePersonAdvanced workflow and customize other settings involved in the advanced termination process.

  • Enabling the SubmitPersonTerminations permanent workflow – When enabled, this workflow runs in a continuous loop, executing once every five minutes to terminate all people with a ValidUntil expiration that has passed the number of days specified by the PersonTerminationGracePeriod system setting.
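
A check an identity team can run alongside this automation, given here as an added example rather than EmpowerID code: it takes an export of Person records and flags anyone whose ValidUntil plus grace period has passed but who still has live access. The record layout, field names and sample data are constructed for illustration, and it assumes the disable settings described below are turned on.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export; field names are assumptions, not EmpowerID's schema.
SAMPLE_PEOPLE = [
    {"login": "asmith", "valid_until": "2024-03-01T00:00:00+00:00", "disabled": True,
     "accounts": [{"system": "AD", "enabled": False}]},
    {"login": "bjones", "valid_until": "2024-03-01T00:00:00+00:00", "disabled": True,
     "accounts": [{"system": "AD", "enabled": False}, {"system": "SaaS", "enabled": True}]},
    {"login": "cwu", "valid_until": "2024-03-09T00:00:00+00:00", "disabled": False,
     "accounts": [{"system": "AD", "enabled": True}]},   # still inside the grace period
    {"login": "dlee", "valid_until": None, "disabled": False,
     "accounts": [{"system": "AD", "enabled": True}]},   # no expiry set
    {"login": "efox", "valid_until": "2024-02-01T00:00:00+00:00", "disabled": False,
     "accounts": []},                                     # Person itself never disabled
]

def overdue_leavers(people, now, grace_days, loop_slack=timedelta(minutes=5)):
    """Return people past ValidUntil + grace period who still have live access.

    loop_slack allows one pass of the five-minute permanent workflow before flagging.
    """
    findings = []
    for p in people:
        if not p["valid_until"]:
            continue  # no ValidUntil set: out of scope for this check
        deadline = datetime.fromisoformat(p["valid_until"]) + timedelta(days=grace_days)
        if now < deadline + loop_slack:
            continue  # not yet due for termination
        live = [a["system"] for a in p["accounts"] if a["enabled"]]
        if live or not p["disabled"]:
            findings.append({
                "login": p["login"],
                "days_overdue": (now - deadline).days,
                "person_enabled": not p["disabled"],
                "live_accounts": live,
            })
    # Longest-overdue first, so the oldest lingering access is reviewed first.
    return sorted(findings, key=lambda f: f["days_overdue"], reverse=True)

if __name__ == "__main__":
    now = datetime(2024, 3, 15, tzinfo=timezone.utc)
    for finding in overdue_leavers(SAMPLE_PEOPLE, now, grace_days=7):
        print(finding)
```

Pass the same number of days as the Planned Leaver Grace Period setting so the check and the workflow agree on when a person is due.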

Create the TerminatePersonAdvanced workflow initiator

  1. On the navbar, expand Identity Administration and click People.

  2. Click the Create Person Simple Mode action. 
    This opens the Create Person Request form.


  3. Fill in the fields of the form with the following information:

    • First Name and Last Name – Enter the first and last name of the Person you are creating. It is recommended that you choose a name that identifies the purpose for this person, such as "Planned Leaver" or something similar.

    • Email – Optional

    • Personal Email – Optional

    • Primary Role and Location – Below Primary Business Role and Location, click the Select a Role and Location link, and in the Role and Location Selector that opens, do the following:

      • Search for and select the appropriate Business Role for the person.

      • Click the Location tab.

      • Search for and select the EmpowerID Location for the person.

      • Click Select to close the Role and Location Selector.

    • Manager – Optional

    • Comments or Justification – Optional

  4. Back in the main form, click Save.

  5. On the View Person page that appears after EmpowerID creates the person, click the Access Assignments accordion to expand it and then select Direct from the Assign direct to resource or other method? drop-down.

  6. Click the Add New button on the grid header, and in the Select the resource(s) to grant access to dialog that appears, do the following:

    1. Select workflow from the Resource Type drop-down.

    2. Enter TerminatePersonAdvanced in the Enter a Workflow Name to Search field and then click the tile for that workflow to select it.

    3. Select Initiator from the Access Level drop-down.

    4. Click Save.

    5. Close the Select the resource(s) to grant access to dialog.

  7. Click the My Cart icon at the top of the page, enter a reason for the access assignment, and click Submit.

Configure Planned Leaver Settings

  1. On the navbar, expand Identity Lifecycle and click Settings.

    This directs you to the Edit page for the Account Inbox Settings.

  2. Select the Leaver tab, scroll to the Planned Leaver Settings pane, and adjust the settings as needed.

  • Planned Leaver Grace Period (Days) – Specifies the number of days past the ValidUntil date on a Person object before sending that person for final termination in the TerminatePersonAdvanced workflow.

  • Initiator for Terminate Person Advanced Workflow (To Require or Avoid Approval) – Search for the person you just created and then click the tile for that person to select it.

  • Disable Accounts with Mailboxes – Specifies whether the process should disable all user accounts with mailboxes linked to the primary Person accounts being claimed for termination.

  • Disable Accounts with Same Primary Person – Specifies whether the process should disable all user accounts linked to the primary Person accounts claimed for termination.

  • Disable Accounts with Same CoreIdentity – Specifies whether the process should disable all user accounts linked to the same Core Identity as each primary Person account claimed for termination.

  • Disable Primary Person Object – Specifies whether the process should disable the primary Person accounts for each Person object claimed for termination.

  • Disable People with Same CoreIdentity – Specifies whether the process should disable all people linked to the same core identity of the primary Person object claimed for termination.

  • Reset Password for Accounts with Same Primary Person – Specifies whether the process should reset the passwords of all user accounts linked to each primary Person object being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.

  • Reset Password for Accounts with Same CoreIdentity – Specifies whether the process should reset the passwords of all user accounts linked to the same Core Identities as that of each primary Person object being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.

  • Reset Password for Person Objects with Same CoreIdentity – Specifies whether the process should reset the passwords of all Person objects linked to the same Core Identities as that of each primary Person object being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.

  • Reset Primary Person Password – Specifies whether to reset the passwords of all primary Person objects being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.

  • Enable Responsibility Transfer – Specifies whether the process should transfer the responsibility of any objects belonging to the people being terminated to other parties. If set to false, the system bypasses all responsibility transfer activities.

  • Terminate Person Objects with Same Core Identity – Specifies whether the process should claim all Person objects linked to the same Core Identity of a primary Person object being claimed for termination.

  • Terminate Accounts Owned By Primary Person Before RET – Specifies whether the process should terminate all user accounts linked to the primary Person object being claimed for termination.

  • Terminate Accounts with Same Core Identity – Specifies whether the process should terminate all user accounts linked to the primary Person object claimed for termination.

  • Password Manager Policy Name – Specifies the Password Manager Policy to be used by the process for resetting the passwords for each Person object being claimed for termination.

  • Leaver Threshold On Person – Specifies the number of Person objects that can be claimed for termination at any given time.

  • Adjust the settings in the Planned Leaver - Who to Terminate (Query-Based Collections) pane as needed.

  • Leaver Termination Pre-Termination SetGroup – Specifies the SetGroup or Query-Based Collection used to claim people to process.

  • Leaver Termination People to Terminate SetGroup – Specifies the SetGroup or Query-Based Collection used to claim the people to be processed for termination.

  • Leaver Termination People to Reactivate SetGroup – Specifies the SetGroup or Query-Based Collection used to claim people to be processed for reactivation.

  • Adjust the settings in the Planned Leaver - Email Notifications pane as needed.

    Pre-Leaver Settings

    • Pre-Termination Query-Based Collection – Specifies the SetGroup or Query-Based Collection used to claim people to process for pre-termination.

    • Pre-Leaver Threshold on Person – Specifies the number of Person objects that need to be claimed by the pre-leaver process before being sent for approval to the members of the Management Roles designated in the Email Template Person Pre-Termination Notification setting.

    • Email Template Person Pre-Termination Notification – Specifies the template used to send emails to each person pending termination.

    • Email Template Manager Pre-Termination Notification – Specifies the template used to send emails to the managers of each person pending termination.

    • Email Template Admin Pre-Termination Notification – Specifies the template used to send emails to administrators about the people pending termination.

    • Use Flow Events for Pre-Leaver Process – Specifies whether the system should use the Flow Events for pre-leavers versus processing those accounts through the default permanent workflows. EmpowerID follows the Flow policies specified by the Pre-Termination Flow Event setting when this setting is enabled.

    • Pre-Termination Flow Event – Specifies the Flow Event used to trigger the appropriate Flow policy when people are marked for pre-termination.

    Planned Leaver Settings

    • People to Terminate Query-Based Collection – Specifies the SetGroup or Query-Based Collection used to claim the people to be processed for termination.

    • Leaver Threshold on Person – Specifies the number of Person objects that can be claimed for termination at any given time.

    • Admin Management Role GUIDs (For Notifications) – Specifies the Admin Management Roles to receive admin notification emails.

    • Email Template Person Termination Notification – Specifies the template used to send emails to each person terminated.

    • Email Template Manager Termination Notification – Specifies the template used to send emails to the managers of each person terminated.

    • Email Template Admin Termination Notification – Specifies the template used to send administrators emails about each person terminated.

    • Use Flow Events for Leaver Processes – Specifies whether the system should use the Flow Events for Person leavers versus processing those accounts through the default permanent workflows. EmpowerID follows the Flow policies specified by the Termination Flow Event setting when this setting is enabled.

    • Termination Flow Event – Specifies the Flow Event used to trigger the appropriate Flow policy when people are terminated.

    Reactivation (Rollback Leaver) Settings

    • People to Reactivate Query-Based Collection – Specifies the SetGroup or Query-Based Collection used to claim people to process for reactivation.

    • Email Template Person Reactivated Notification – Specifies the template used to send emails to each previously terminated person that the system has reactivated.

    • Email Template Manager Reactivated Notification – Specifies the template used to send emails to the managers of each previously terminated person that the system has reactivated.

    • Email Template Admin Reactivated Notification – Specifies the template used to send administrators emails about each previously terminated person that the system has reactivated.

    • Use Flow Events for Reactivate Processes – Specifies whether the system should use the Flow Events for Person reactivations versus processing those accounts through the default permanent workflows. EmpowerID follows the Flow policies specified by the Reactivate Flow Event setting when this setting is enabled.

    • Reactivate Flow Event – Specifies the Flow Event used to trigger the appropriate Flow policy when previously terminated people are reactivated.

  3. Click Save to save your changes.

Enable the TerminatePersonAdvanced workflow

  1. On the navbar, expand Infrastructure Admin, then EmpowerID Servers and Settings, and click Permanent Workflows.

  2. On the Permanent Workflows page, click the Submit Person Terminations link to open the Details page for the workflow.

  3. From the Permanent Workflow Details page, click the Edit link. Edit links have the Pencil icon.

  4. Select Enabled and then click Save.

Note

To automatically transfer any resources for which the person is the /wiki/spaces/EIDADV23/pages/2984881586 to the person's manager, you must enable the Transfer Resources to Manager option on the Terminate Person Advanced workflow. To do so, complete the following steps.

  1. On the navbar, expand Resources and then select Workflows.

  2. Search for the Terminate Person Advanced workflow.

  3. Expand the Request Workflow Parameters accordion and click the Edit icon on the TransferOwnershipToManager parameter.

  4. Change the Value field to true and click Save.

