Planned Leaver
EmpowerID provides organizations the ability to automate the disabling and eventual deletion of EmpowerID Persons and all user accounts linked to those Persons based on attribute values causing the people to match pre-defined Query-Based Collections used for this purpose. The most common attribute used is ValidUntil, which typically comes from the HR system. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event differs from unplanned Leaver events, which are typically performed by an administrative user via the EmpowerID web user interface.
The Leaver process is when a person’s relationship with an organization comes to an end. The Leaver is the most security-sensitive event as the IAM system must ensure that all access is removed in a timely manner. An unplanned Leaver event can be initiated manually using one of the Terminate Person workflows. These workflows mark the Person object as deleted and trigger a reevaluation of the RET policies leading to account deletions or disables.
Planned Leaver Workflows
EmpowerID provides a configurable “Advanced Leaver” process that relies on a permanent workflow named “SubmitPersonTerminations” which then calls a child flow chart workflow named “TerminatePersonAdvanced”.
The logic for the default process is as follows:
The SubmitPersonTerminations permanent workflow runs continuously and grabs all person objects in the “LeaverTerminationPreTerminationSetGroup” Query-Based Collection. Notifications are sent out based on the matching person records and configured email notifications and templates.
The SubmitPersonTerminations permanent workflow runs continuously and grabs all person objects in the “LeaverTerminationPeopletoTerminateSet” Query-Based Collection. Notifications are sent out based on the matching person records and configured email notifications and templates.
For any person objects matching these criteria, it disables the Person and all of their user accounts. It also sets the Person Organization Status to 8, “Termination Pending”.
Next, for any Person objects where their ValidUntil has expired a greater number of days ago than the configurable "PersonTerminationGracePeriod" EmpowerID System setting, they are submitted into the “TerminatePersonAdvanced” workflow using the configured initiator identity – “TerminatePersonAdvancedInitiator” set as an EmpowerID System setting.
The permanent workflow also detects and handles the reactivation or extension process.
As a last step in the permanent workflow logic, it retrieves all people in the “LeaverTerminationPeopletoReactivateSet” Query-Based Collection to get any person objects matching the reactivation criteria. These criteria are typically as follows: ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE() --AND TerminationBusinessProcessTaskID IS NULL AND Deleted =0 AND IsNull(PersonOrganizationStatusID, -1) = 8 --AND TerminationDate IS NULL
For any person matching these criteria, it enables the person and all their accounts then sets the Person Organization Status to 1 “Active”.
If the ValidUntil date is corrected in the HR system or on the Person object before the grace period expires, the permanent workflow will enable the person, their accounts, and set the Person Organization Status back to 1, “Active”.
Initial Process flow:
Trigger – leaver is detected
Person status is set to ‘pending termination’
Once the grace period has elapsed, person status is set to ‘Terminated’
In the initial implementation, EmpowerID will only terminate the identity (person) within EmpowerID. Any action on the accounts in the external systems such as disablement/deletion, access removal, password reset will be designed and configured as write-back to target systems is authorized.
Planned Leaver Settings
You access Planned Leaver Settings page in the EmpowerID UI by expanding Identity Lifecycle in the navbar and selecting Settings. The page contains the following configurable settings:
Planned Leaver Grace Period (Days) — Specifies the number of days past the ValidUntil date on a Person object before sending that person for final termination in the TerminatePersonAdvanced workflow.
Initiator for Terminate Person Advanced Workflow (To Require or Avoid Approval) – Search for the person you just created and then click the tile for that person to select it.
Disable Accounts with Mailboxes – Specifies whether the process should disable all user accounts with mailboxes linked to the primary Person accounts being claimed for termination.
Disable Accounts with Same Primary Person – Specifies whether the process should disable all user accounts linked to the primary Person accounts claimed for termination.
Disable Accounts with Same CoreIdentity – Specifies whether the process should disable all user accounts linked to the same Core Identity as each primary Person account claimed for termination.
Disable Primary Person Object – Specifies whether the process should disable the primary Person accounts for each Person object claimed for termination.
Disable People with Same CoreIdentity – Specifies whether the process should disable all people linked to the same core identity of the primary Person object claimed for termination.
Reset Password for Accounts with Same Primary Person – Specifies whether the process should reset the passwords of all user accounts linked to each primary Person object being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Reset Password for Accounts with Same CoreIdentity – Specifies whether the process should reset the passwords of all user accounts linked to the same Core Identities as that of each primary Person object being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Reset Password for Person Objects with Same CoreIdentity – Specifies whether the process should reset the passwords of all Person objects linked to the same Core Identities as that of each primary Person object being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Reset Primary Person Password – Specifies whether to reset the passwords of all primary Person objects being claimed for termination, per the related setting on the Password Manager Policy specified in the Password Manager Policy Name setting.
Enable Responsibility Transfer – Specifies whether the process should transfer the responsibility of any objects belonging to the people being terminated to other parties. If set to false, the system bypasses all responsibility transfer activities.
Terminate Person Objects with Same Core Identity – Specifies whether the process should claim all Person objects linked to the same Core Identity of a primary Person object being claimed for termination.
Terminate Accounts Owned By Primary Person Before RET – Specifies whether the process should terminate all user accounts linked to the primary Person object being claimed for termination.
Terminate Accounts with Same Core Identity – Specifies whether the process should terminate all user accounts linked to the primary Person object claimed for termination.
Password Manager Policy Name – Specifies the Password Manager Policy to be used by the process for resetting the passwords for each Person object being claimed for termination.
Pre-Leaver Threshold On Person – Specifies the number of Person objects that need to be claimed by the pre-leaver process before being sent for approval to the members of the Management Roles designated in the Email Template Person Pre-Termination Notification setting.
Leaver Threshold On Person – Specifies the number of Person objects that can be claimed for termination at any given time.
Planned Leaver Email Notifications
Email Template Person Pre-Termination Notification – Specifies the template used to send emails to each person pending termination.
Email Template Manager Pre-Termination Notification – Specifies the template used to send emails to the managers of each person pending termination.
Email Template Admin Pre-Termination Notification – Specifies the template used to send emails to administrators about the people pending termination.
Admin Management Role GUIDs (For Notifications) – Specifies the Admin Management Roles to receive admin notification emails.
Email Template Person Termination Notification – Specifies the template used to send emails to each person terminated.
Email Template Manager Termination Notification – Specifies the template used to send emails to the managers of each person terminated.
Email Template Admin Termination Notification – Specifies the template used to send administrators emails about each person terminated.
Email Template Person Reactivated Notification – Specifies the template used to send emails to each previously terminated person that the system has reactivated.
Email Template Manager Reactivated Notification – Specifies the template used to send emails to the managers of each previously terminated person that the system has reactivated.
Email Template Admin Reactivated Notification – Specifies the template used to send administrators emails about each previously terminated person that the system has reactivated.
Pending Leavers View
The Pending Leavers view allows you to view all people within the organization whose status is set to Termination Pending.
Related Docs Topics: