Planned Leaver Events (Advanced Termination)
EmpowerID allows organizations to automate the disabling and eventual deletion of EmpowerID Persons and all user accounts linked to those Persons based on the value of the ValidUntil attribute set on those Persons. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event, differs from unplanned Leaver events, which an administrative user typically performs via the EmpowerID web user interface.
Configuring EmpowerID to implement planned Leaver events involves the following tasks:
Creating an EmpowerID Person as the TerminatePersonAdvanced workflow initiator – The EmpowerID system uses this workflow to terminate all people submitted. As a best practice, the Person account you use should not belong to an actual EmpowerID user.
Configuring Planned Leaver System Settings – These settings allow you to select the Person Object responsible for initiating the TerminatePersonAdvanced workflow and customize other settings involved in the advanced termination process.
Enabling the SubmitPersonTerminations permanent workflow – When enabled, this workflow runs in a continuous loop, executing once every five minutes to terminate all people whose ValidUntil expiration has passed by the number of days specified by the PersonTerminationGracePeriod system setting.
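As an added illustration (not EmpowerID code), the rule in the last task can be checked from outside the product: the sketch below takes an exported list of Person records and reports who is past ValidUntil plus the grace period and who is still enabled more than one five-minute run after that deadline. The field names `Login` and `Enabled`, the assumption that a terminated Person shows as disabled, and the sample records are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

RUN_INTERVAL = timedelta(minutes=5)  # loop interval stated on this page

def parse_utc(value):
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    if not value:
        return None
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_leavers(people, grace_days, leaver_threshold, now):
    """Classify exported Person records against the planned-leaver rule."""
    due, missed = [], []
    for p in people:
        valid_until = parse_utc(p.get("ValidUntil"))
        if valid_until is None or not p["Enabled"]:
            continue  # no ValidUntil set, or already disabled (assumed terminated)
        deadline = valid_until + timedelta(days=grace_days)
        if now < deadline:
            continue  # still inside ValidUntil + grace period
        due.append(p["Login"])
        # Enabled more than one run interval after the deadline: the permanent
        # workflow is disabled, failing, or not claiming this record.
        if now - deadline > RUN_INTERVAL:
            missed.append(p["Login"])
    return {
        "due": due,
        "missed": missed,
        # More pending leavers than can be claimed at one time.
        "over_threshold": len(due) > leaver_threshold,
    }

# Constructed sample export; only ValidUntil is a name taken from the page.
SAMPLE = [
    {"Login": "a.ng", "ValidUntil": "2024-05-01T00:00:00", "Enabled": True},
    {"Login": "b.ortiz", "ValidUntil": "2024-05-01T00:00:00", "Enabled": False},
    {"Login": "c.roy", "ValidUntil": "2024-05-29T00:00:00", "Enabled": True},
    {"Login": "d.kim", "ValidUntil": "", "Enabled": True},
    {"Login": "e.wu", "ValidUntil": "2024-05-24T23:58:00+00:00", "Enabled": True},
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 0, 0, tzinfo=timezone.utc)
    print(audit_leavers(SAMPLE, grace_days=7, leaver_threshold=2, now=now))
```

A non-empty `missed` list is the signal to check that the permanent workflow is enabled and that its initiator Person still holds the Initiator assignment.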
Create the TerminatePersonAdvanced workflow initiator
On the navbar, expand Identity Administration and click People.
Click the Create Person Simple Mode action.
This opens the Create Person Request form. Fill in the fields of the form with the following information:
First Name and Last Name – Enter the first and last name of the Person you are creating. It is recommended that you choose a name that identifies the purpose for this person, such as "Planned Leaver" or something similar.
Email – Optional
Personal Email – Optional
Primary Role and Location – Below Primary Business Role and Location, click the Select a Role and Location link, and in the Role and Location Selector that opens, do the following:
Search for and select the appropriate Business Role for the person.
Click the Location tab.
Search for and select the EmpowerID Location for the person.
Click Select to close the Role and Location Selector.
Manager – Optional
Comments or Justification – Optional
Back in the main form, click Save.
On the View Person page that appears after EmpowerID creates the person, click the Access Assignments accordion to expand it and then select Direct from the Assign direct to resource or other method? drop-down.
Click the Add New button on the grid header and in the Select the resource(s) to grant access to dialog that appears do the following:
Select workflow from the Resource Type drop-down.
Enter TerminatePersonAdvanced in the Enter a Workflow Name to Search field and then click the tile for that workflow to select it.
Select Initiator from the Access Level drop-down.
Click Save.
Close the Select the resource(s) to grant access to dialog.
Click the My Cart icon at the top of the page, enter a reason for the access assignment, and click Submit.
Configure Planned Leaver Settings
On the navbar, expand Identity Lifecycle and click Settings.
This directs you to the Edit page for the Account Inbox Settings. Select the Leaver tab and adjust the settings as needed.
Setting | Description |
---|---|
Pre-Termination Query-Based Collection | Specifies the SetGroup or Query-Based Collection used to claim people to process for pre-termination. |
Pre-Leaver Threshold on Person | Specifies the number of Person objects that need to be claimed by the pre-leaver process before being sent for approval to the members of the Management Roles designated in the Email Template Person Pre-Termination Notification setting. |
Email Template Person Pre-Termination Notification | Specifies the template used to send emails to each person pending termination. |
Email Template Manager Pre-Termination Notification | Specifies the template used to send emails to administrators about the people pending termination. |
Email Template Admin Pre-Termination Notification | Specifies the template used to send emails to administrators about the people pending termination. |
Use Flow Events for Pre-Leaver Process | Specifies whether the system should use the Flow Events for pre-leavers versus processing those accounts through the default permanent workflows. EmpowerID follows the Flow policies specified by the Pre-Termination Flow Event setting when this setting is enabled. |
Pre-Termination Flow Event | Specifies the Flow Event used to trigger the appropriate Flow policy when people are marked for pre-termination. |
Setting | Description |
---|---|
People to Terminate Query-Based Collection | Specifies the SetGroup or Query-Based Collection used to claim the people to be processed for termination. |
Leaver Threshold on Person | Specifies the number of Person objects that can be claimed for termination at any given time. |
Admin Management Role GUIDS (For Notifications) | Specifies the Admin Management Roles to receive admin notification emails. |
Email Template Person Termination Notification | Specifies the template used to send emails to each person terminated. |
Email Template Manager Termination Notification | Specifies the template used to send emails to the managers of each person terminated. |
Email Template Admin Termination Notification | Specifies the template used to send administrators emails about each person terminated. |
Use Flow Events for Leaver Processes | Specifies whether the system should use the Flow Events for Person leavers versus processing those accounts through the default permanent workflows. EmpowerID follows the Flow policies specified by the Termination Flow Event setting when this setting is enabled. |
Termination Flow Event | Specifies the Flow Event used to trigger the appropriate Flow policy when people are terminated. |
Setting | Description |
---|---|
People to Reactivate Query-Based Collection | Specifies the SetGroup or Query-Based Collection used to claim people to process for reactivation. |
Email Template Person Reactivated Notification | Specifies the template used to send emails to each previously terminated person that the system has reactivated. |
Email Template Manager Reactivated Notification | Specifies the template used to send emails to the managers of each previously terminated person that the system has reactivated. |
Email Template Admin Reactivated Notification | Specifies the template used to send administrators emails about each previously terminated person that the system has reactivated. |
Use Flow Events for Reactivate Processes | Specifies whether the system should use the Flow Events for Person reactivations versus processing those accounts through the default permanent workflows. EmpowerID follows the Flow policies specified by the Reactivate Flow Event setting when this setting is enabled. |
Reactivate Flow Event | Specifies the Flow Event used to trigger the appropriate Flow policy when previously terminated people are reactivated. |
Enable the TerminatePersonAdvanced workflow
On the navbar, expand Infrastructure Admin, then EmpowerID Servers and Settings, and click Permanent Workflows.
On the Permanent Workflows page, click the Submit Person Terminations link to open the Details page for the workflow.
From the Permanent Workflow Details page, click the Edit link. Edit links have the Pencil icon.
Select Enabled and then click Save.
To automatically transfer any resources for which the person is the responsible party to the person's manager, you must enable the Transfer Resources to Manager option on the Terminate Person Advanced workflow. To do so, complete the following steps.
On the navbar, expand Resources and then select Workflows.
Search for the Terminate Person Advanced workflow.
Expand the Request Workflow Parameters accordion and click the Edit icon on the TransferOwnershipToManager parameter.
Change the Value field to true and click Save.