You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Planned Leaver Events (Advanced Termination)
- Phillip Hanegan
- Patrick Parker
- Anonymous
EmpowerID lets organizations automate the disabling and eventual deletion of EmpowerID Persons, and of all user accounts linked to those Persons, based on the value of the ValidUntil attribute set on those Persons. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event, differs from unplanned Leaver events, which are typically performed by an administrative user via the EmpowerID web user interface.
Configuring EmpowerID to implement planned Leaver events involves the following tasks:
Creating an EmpowerID Person as the TerminatePersonAdvanced workflow initiator — This workflow is used by the EmpowerID system to terminate all people submitted to it. As a best practice, the Person account you use should not belong to an actual EmpowerID user.
Configuring Planned Leaver System Settings — These settings allow you to select the Person Object responsible for initiating the TerminatePersonAdvanced workflow, as well as to customize other settings involved in the advanced termination process.
Enabling the SubmitPersonTerminations permanent workflow — When enabled, this workflow runs in a continuous loop, executing once every five minutes to terminate all people whose ValidUntil date has passed by the number of days specified by the PersonTerminationGracePeriod system setting.
Create the TerminatePersonAdvanced workflow initiator
On the navbar, expand Identity Administration and click People.
Click the Create Person Simple Mode action.
This opens the Create Person Request form.
Fill in the fields of the form with the following information:
First Name and Last Name — Enter the first and last name of the Person you are creating. It is recommended that you choose a name that identifies the purpose for this person, such as "Planned Leaver" or something similar.
eMail — Optional
Personal Email — Optional
Primary Role and Location — Below Primary Business Role and Location, click the Select a Role and Location link and in the Role and Location Selector that opens do the following:
Search for and select the appropriate Business Role for the person.
Click the Location tab.
Search for and select the EmpowerID Location for the person.
Click Select to close the Role and Location Selector.
Manager — Optional
Comments or Justification — Optional
Back in the main form, click Save.
On the View Person page that appears after EmpowerID creates the person, click the Access Assignments accordion to expand it and then select Direct from the Assign direct to resource or other method? drop-down.
Click the Add New button on the grid header and in the Select the resource(s) to grant access to dialog that appears do the following:
Select workflow from the Resource Type drop-down.
Enter TerminatePersonAdvanced in the Enter a Workflow Name to Search field and then click the tile for that workflow to select it.
Select Initiator from the Access Level drop-down.
Click Save.
Close the Select the resource(s) to grant access to dialog.
Click the My Cart icon at the top of the page, enter a reason for the access assignment and then click Submit.
Configure Planned Leaver Settings
On the navbar, expand Identity Lifecycle, and click Settings.
Scroll to the Planned Leaver Settings pane and adjust the settings as needed.
Planned Leaver Grace Period (Days) — Specifies the number of days past the ValidUntil date on a Person object before sending that person for final termination in the TerminatePersonAdvanced workflow.
Initiator for Terminate Person Advanced Workflow (To Require or Avoid Approval) — Search for the person you just created and then click the tile for that person to select it.
Disable Accounts with Mailboxes — Specifies whether the process should disable all user accounts with mailboxes that are linked to the primary Person accounts being claimed for termination.
Disable Accounts with Same Primary Person — Specifies whether the process should disable all user accounts linked to the primary Person accounts being claimed for termination.
Disable Accounts with Same CoreIdentity — Specifies whether the process should disable all user accounts linked to the same Core Identity as each primary Person account being claimed for termination.
Disable Primary Person Object — Specifies whether the process should disable the primary Person accounts for each Person object that is claimed for termination.
Disable People with Same CoreIdentity — Specifies whether the process should disable all people linked to the same core identity of the primary Person object that is claimed for termination.
Reset Password for Accounts with Same Primary Person — Specifies whether the process should reset the passwords of all user accounts linked to each primary Person object being claimed for termination, in accordance with the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Reset Password for Accounts with Same CoreIdentity — Specifies whether the process should reset the passwords of all user accounts linked to the same Core Identities as that of each primary Person object being claimed for termination, in accordance with the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Reset Password for Person Objects with Same CoreIdentity — Specifies whether the process should reset the passwords of all Person objects linked to the same Core Identities as that of each primary Person object being claimed for termination, in accordance with the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Reset Primary Person Password — Specifies whether to reset the passwords of all primary Person objects being claimed for termination, in accordance with the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Enable Responsibility Transfer — Specifies whether the process should transfer responsibility of any objects belonging to the people being terminated to other parties. If set to false, the system bypasses all responsibility transfer activities.
Terminate Person Objects with Same Core Identity — Specifies whether the process should claim all Person objects linked to the same Core Identity of a primary Person object being claimed for termination.
Terminate Accounts Owned By Primary Person Before RET — Specifies whether the process should terminate all user accounts linked to the primary Person object being claimed for termination.
Terminate Accounts with Same Core Identity — Specifies whether the process should terminate all user accounts linked to the primary Person object being claimed for termination.
Password Manager Policy Name — Specifies the Password Manager Policy to be used by the process for resetting the passwords for each Person object being claimed for termination.
Pre-Leaver Threshold On Person — Specifies the number of Person objects that need to be claimed by the pre-leaver process before being sent for approval to the members of the Management Roles designated in the Email Template Person Pre-Termination Notification setting.
Leaver Threshold On Person — Specifies the number of Person objects that can be claimed for termination at any given time.
Adjust the settings in the Planned Leaver - Who to Terminate (Query-Based Collections) pane as needed.
Leaver Termination Pre-Termination SetGroup — Specifies the SetGroup or Query-Based Collection that is used to claim people to process.
Leaver Termination People to Terminate SetGroup — Specifies the SetGroup or Query-Based Collection that is used to claim the people to be processed for termination.
Leaver Termination People to Reactivate SetGroup — Specifies the SetGroup or Query-Based Collection that is used to claim people to be processed for reactivation.
Adjust the settings in the Planned Leaver - Email Notifications pane as needed.
Email Template Person Pre-Termination Notification — Specifies the template that is used to send emails to each person pending termination.
Email Template Manager Pre-Termination Notification — Specifies the template that is used to send emails to the managers of each person pending termination.
Email Template Admin Pre-Termination Notification — Specifies the template that is used to send emails to administrators about the people pending termination.
Admin Management Role GUIDs (For Notifications) — Specifies the Admin Management Roles that are to receive admin notification emails.
Email Template Person Termination Notification — Specifies the template that is used to send emails to each person terminated.
Email Template Manager Termination Notification — Specifies the template that is used to send emails to the managers of each person terminated.
Email Template Admin Termination Notification — Specifies the template that is used to send emails to administrators about each person terminated.
Email Template Person Reactivated Notification — Specifies the template that is used to send emails to each previously terminated person that has been reactivated by the system.
Email Template Manager Reactivated Notification — Specifies the template that is used to send emails to the managers of each previously terminated person that has been reactivated by the system.
Email Template Admin Reactivated Notification — Specifies the template that is used to send emails to administrators about each previously terminated person that has been reactivated by the system.
Click Save to save your changes.
Enable the SubmitPersonTerminations workflow
On the navbar, expand Infrastructure Admin, then EmpowerID Servers and Settings, and click Permanent Workflows.
On the Permanent Workflows page, click the Submit Person Terminations link to open the Details page for the workflow.
From the Permanent Workflow Details page, click the Edit link. Edit links have the Pencil icon.
Select Enabled and then click Save.
To automatically transfer any resources for which the person is the Responsible Party to the person's manager, you must enable the Transfer Resources to Manager option on the Terminate Person Advanced workflow that is called by this workflow. To do so, complete the following steps.
On the navbar, expand Resources, then Workflows, and find the Terminate Person Advanced workflow.
Expand the Request Workflow Parameters accordion and click the Edit icon on the TransferOwnershipToManager parameter.
Change the Value field to true and click Save.
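Before enabling SubmitPersonTerminations, the claim rule described above (ValidUntil plus the Planned Leaver Grace Period) can be dry-run against an export of Person records to see who the first run would pick up. The following is an added example, not EmpowerID code: the record layout, the field names other than ValidUntil, the function names, and the treatment of the Leaver Threshold as a "hold for review" trigger are all assumptions.

```python
from datetime import datetime, timedelta, timezone

def due_for_termination(people, grace_days, now):
    """Persons whose ValidUntil plus the grace period has passed, oldest first."""
    due = []
    for person in people:
        valid_until = person["ValidUntil"]
        if valid_until is None:
            continue  # assumption: no ValidUntil means the Person is never claimed
        if now >= valid_until + timedelta(days=grace_days):
            due.append(person)
    return sorted(due, key=lambda p: p["ValidUntil"])

def dry_run(people, grace_days, leaver_threshold, now):
    """Summarise what a single run would claim and whether it needs review."""
    due = due_for_termination(people, grace_days, now)
    # Accounts that are still enabled for overdue people are the exposure
    # the leaver process is expected to close.
    enabled = [(p["Login"], acct) for p in due for acct in p["EnabledAccounts"]]
    return {
        "due": [p["Login"] for p in due],
        "enabled_accounts": enabled,
        # Assumption: a batch larger than the threshold is held for review,
        # e.g. to catch a bad bulk import of ValidUntil values.
        "exceeds_threshold": len(due) > leaver_threshold,
    }

# Constructed sample export (hypothetical layout, not real data).
UTC = timezone.utc
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=UTC)
PEOPLE = [
    {"Login": "jdoe", "ValidUntil": datetime(2024, 6, 1, tzinfo=UTC),
     "EnabledAccounts": ["AD:jdoe"]},
    {"Login": "asmith", "ValidUntil": datetime(2024, 6, 10, tzinfo=UTC),
     "EnabledAccounts": ["AD:asmith", "AAD:asmith"]},
    {"Login": "contractor1", "ValidUntil": datetime(2024, 5, 1, tzinfo=UTC),
     "EnabledAccounts": []},
    {"Login": "planned.leaver", "ValidUntil": None,
     "EnabledAccounts": []},
    {"Login": "newhire", "ValidUntil": datetime(2024, 12, 31, tzinfo=UTC),
     "EnabledAccounts": ["AD:newhire"]},
]

if __name__ == "__main__":
    report = dry_run(PEOPLE, grace_days=7, leaver_threshold=1, now=NOW)
    for key, value in report.items():
        print(f"{key}: {value}")
```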