...

In some cases, this default mechanism is not adequate to handle the logic for determining a Mover event. As an example, in some organizations an external location change within a business unit does not constitute a Mover event.

Leaver Process

The Leaver process occurs when a person’s relationship with an organization comes to an end. The Leaver process is the most security sensitive event as the IAM system must ensure that all access is removed in a timely manner. An unplanned Leaver event can be initiated manually using one of the Terminate Person workflows. These workflows mark the Person object as deleted and trigger a reevaluation of the RET policies associated with that Person object, leading to account deletions or disables.

More commonly, Leaver events are triggered by changes to the ValidUntil field on an EmpowerID Person flowing from changes occurring in an authoritative HR system. EmpowerID provides a configurable “Advanced Leaver” process that relies on a permanent workflow named “SubmitPersonTerminations,” which then calls a child flow chart workflow named “TerminatePersonAdvanced”. The logic for the default process is as follows:

...

EmpowerID provides organizations the ability to automate the disabling and eventual deletion of EmpowerID Persons and all user accounts linked to those Persons based on the value of the ValidUntil attribute set on those Persons. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event differs from unplanned Leaver events, which are typically performed by an administrative user via the EmpowerID web user interface.

The process involves a number of account store and resource system settings, EmpowerID system settings, workflows, Sets and SetGroups. Each of these settings can be enabled and configured to run based on your own particular security needs. Sets and SetGroups are configured out of the box but can be customized as needed.

Account Store Directory Cleanup Settings
  • Directory Clean Up Enabled — This setting specifies whether the Submit Account Terminations permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications are moved into a special OU within the external directory and disabled.

  • Report Only Mode (No Changes) — When enabled, EmpowerID generates a report of what the Directory Clean Up process would do if it was fully implemented. The process itself is ignored and all accounts are set to Termination Pending.

  • OU to Move Stale Accounts — This setting specifies the external directory in which to move accounts marked for termination. This setting only appears on account stores with OUs, such as Active Directory.

The below image shows the Directory Cleanup Settings on an example account store.


Pre-Termination Process:

  1. The GUID of the LeaverTerminationPreTerminationSetGroupGUID account inbox setting is used to claim people marked for termination.

  2. The PreLeaverThresholdOnPerson account store setting is used as a threshold to compare with the number of people claimed above.

  3. If the number of people claimed for termination reaches the threshold, an approval task is created and sent to all people belonging to the Management Roles configured in the PersonTerminationsAdminManagementRoleGUIDS setting.

  4. The SubmitPersonTerminations permanent workflow runs continuously, calling the Person.GetPendingTerminationNotProcessed stored procedure to collect all EmpowerID Person objects meeting the following criteria:

    • ValidUntil IS NOT NULL

    • AND ValidUntil < GETUTCDATE()

    • AND TerminationBusinessProcessTaskID IS NULL

    • AND Deleted = 0

    • AND IsNull(PersonOrganizationStatusID, -1) <> 8

  5. Any Person objects meeting the above criteria, and all user accounts linked to those EmpowerID Persons, are disabled, and the PersonOrganizationStatusID field for each qualifying Person is updated to 8, meaning Termination Pending.

  6. Next, any Person object whose ValidUntil date lies more than the number of days configured for the PersonTerminationGracePeriod EmpowerID System setting in the past is submitted to the “TerminatePersonAdvanced” workflow using the identity set for the TerminsatePersonAdvancedInitiator EmpowerID System setting.

  7. As a last step in the permanent workflow logic, the workflow calls the Custom_Person_GetPendingTerminationNotProcessedPendingTermination stored procedure to collect any Person objects matching reactivation criteria. These criteria are as follows:

    • ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE()

    • AND TerminationBusinessProcessTaskID IS NULL AND Deleted = 0

    • AND IsNull(PersonOrganizationStatusID, -1) = 8

    • AND TerminationDate IS NULL
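As an added example (not EmpowerID's own code), the selection criteria from steps 4, 6 and 7 above expressed as Python filters over constructed Person records, so the three stages can be checked side by side on the same data; the field names mirror the page's columns, while the Person records, the fixed clock and the 30-day grace period are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TERMINATION_PENDING = 8  # PersonOrganizationStatusID value meaning "Termination Pending"

@dataclass
class Person:
    person_id: int
    valid_until: Optional[datetime]       # ValidUntil
    termination_task_id: Optional[int]    # TerminationBusinessProcessTaskID
    deleted: bool                         # Deleted
    org_status_id: Optional[int]          # PersonOrganizationStatusID
    termination_date: Optional[datetime]  # TerminationDate

def _status(p):
    return -1 if p.org_status_id is None else p.org_status_id  # IsNull(PersonOrganizationStatusID, -1)

def pending_termination(p, now):
    """Step 4: the Person.GetPendingTerminationNotProcessed criteria."""
    return (p.valid_until is not None and p.valid_until < now
            and p.termination_task_id is None and not p.deleted
            and _status(p) != TERMINATION_PENDING)

def reactivation_candidate(p, now):
    """Step 7: parked in Termination Pending, but ValidUntil has been moved back into the future."""
    return (p.valid_until is not None and p.valid_until > now
            and p.termination_task_id is None and not p.deleted
            and _status(p) == TERMINATION_PENDING and p.termination_date is None)

def past_grace_period(p, now, grace_days):
    """Step 6: ValidUntil lies more than PersonTerminationGracePeriod days in the past."""
    return p.valid_until is not None and now - p.valid_until > timedelta(days=grace_days)

def classify(people, now, grace_days):
    """Return the Person IDs each stage of the permanent workflow would pick up."""
    return {
        "pending": [p.person_id for p in people if pending_termination(p, now)],
        "terminate": [p.person_id for p in people if past_grace_period(p, now, grace_days)],
        "reactivate": [p.person_id for p in people if reactivation_candidate(p, now)],
    }

# Constructed sample data (not from the page); the clock is fixed so the result is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Person(1, NOW - timedelta(days=1), None, False, None, None),   # expired yesterday: pending
    Person(2, NOW - timedelta(days=40), None, False, 8, None),     # pending and past 30-day grace
    Person(3, NOW + timedelta(days=10), None, False, 8, None),     # ValidUntil extended: reactivate
    Person(4, NOW - timedelta(days=5), 77, False, None, None),     # termination task exists: skipped
    Person(5, None, None, False, None, None),                      # no ValidUntil: never selected
]
```

Running classify(SAMPLE, NOW, 30) yields person 1 as pending, person 2 as due for TerminatePersonAdvanced and person 3 as a reactivation candidate.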

...