
Leaver Process


The Leaver process covers the end of a person's relationship with the organization. It is the most security-sensitive lifecycle event, because the IAM system must ensure that all of the person's access is removed in a timely manner. An unplanned Leaver event can be initiated manually with one of the Terminate Person workflows; these mark the Person object as deleted and trigger a re-evaluation of the RET policies, which results in the person's accounts being deleted or disabled.

More commonly, Leaver events are triggered by a change to a person's ValidUntil date, which flows to the Person object from the authoritative HR system through the HR connector.

EmpowerID provides a configurable "Advanced Leaver" process that relies on a permanent workflow named "SubmitPersonTerminations", which in turn calls a child flow chart workflow named "TerminatePersonAdvanced".

The logic for the default process is as follows:

  1. The SubmitPersonTerminations permanent workflow runs continuously and calls the Person.GetPendingTerminationNotProcessed stored procedure to fetch all Person objects matching: ValidUntil IS NOT NULL AND ValidUntil < GETUTCDATE() AND TerminationBusinessProcessTaskID IS NULL AND Deleted = 0 AND IsNull(PersonOrganizationStatusID, -1) <> 8. In words: the end date has passed (compared in UTC), no termination task has been created yet, the Person is not already deleted, and the Person is not already in the Termination Pending status (a NULL status is treated as -1, so it still matches).

  2. For each matching Person, it disables the Person and all of their user accounts and sets the Person Organization Status to 8, "Termination Pending".

  3. Next, any Person whose ValidUntil expired more days ago than the value of the "PersonTerminationGracePeriod" EmpowerID System setting is submitted to the "TerminatePersonAdvanced" workflow, using the initiator identity configured in the "TerminatePersonAdvancedInitiator" EmpowerID System setting.

The permanent workflow also detects and handles reactivations and extensions.

  4. As the last step of its logic, the permanent workflow calls the Custom_Person_GetPendingTerminationNotProcessedPendingTermination stored procedure to fetch Person objects matching the reactivation criteria: ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE() AND Deleted = 0 AND IsNull(PersonOrganizationStatusID, -1) = 8. Two further conditions, TerminationBusinessProcessTaskID IS NULL and TerminationDate IS NULL, appear in the criteria but are commented out (--), so a Person in Termination Pending status is reactivated on the strength of a future ValidUntil date alone.

  5. For each matching Person, it enables the Person and all of their accounts and sets the Person Organization Status to 1, "Active".

  6. In effect, if the ValidUntil date is corrected in the HR system or on the Person object before the grace period expires, the permanent workflow re-enables the Person and their accounts, sets the Person Organization Status back to 1, "Active", and the TerminatePersonAdvanced workflow is never launched for them.
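The six steps above, modelled in Python as an added example (this is not EmpowerID code and does not talk to its database). The Person fields, status codes (8 = Termination Pending, 1 = Active) and selection predicates follow the page; the in-memory Person and Account classes, the submit_terminate callback that stands in for launching TerminatePersonAdvanced, the rule that only a Person already in status 8 with no task is handed off after the grace period, and the sample people dated around 2024-01-10 UTC are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

ACTIVE = 1                 # PersonOrganizationStatusID "Active"
TERMINATION_PENDING = 8    # PersonOrganizationStatusID "Termination Pending"


@dataclass
class Account:
    system: str
    disabled: bool = False


@dataclass
class Person:
    person_id: int
    valid_until: Optional[datetime]                 # None models a NULL ValidUntil
    org_status_id: Optional[int] = ACTIVE
    deleted: bool = False
    disabled: bool = False
    termination_task_id: Optional[int] = None       # TerminationBusinessProcessTaskID
    accounts: List[Account] = field(default_factory=list)


def _status(p: Person) -> int:
    # IsNull(PersonOrganizationStatusID, -1)
    return -1 if p.org_status_id is None else p.org_status_id


def pending_terminations(people: List[Person], now: datetime) -> List[Person]:
    """Same predicate as Person.GetPendingTerminationNotProcessed."""
    return [p for p in people
            if p.valid_until is not None and p.valid_until < now
            and p.termination_task_id is None and not p.deleted
            and _status(p) != TERMINATION_PENDING]


def pending_reactivations(people: List[Person], now: datetime) -> List[Person]:
    """Reactivation predicate using only the conditions the page leaves
    uncommented: ValidUntil in the future, not deleted, status 8."""
    return [p for p in people
            if p.valid_until is not None and p.valid_until > now
            and not p.deleted and _status(p) == TERMINATION_PENDING]


def run_submit_person_terminations(people: List[Person], now: datetime,
                                   grace_period_days: int,
                                   submit_terminate: Callable[[Person], int]):
    """One iteration of the permanent workflow. Returns (event, person_id)
    tuples so the caller can audit what changed."""
    events = []
    # Steps 1-2: disable newly expired people and their accounts, mark pending.
    for p in pending_terminations(people, now):
        p.disabled = True
        for acct in p.accounts:
            acct.disabled = True
        p.org_status_id = TERMINATION_PENDING
        events.append(("termination_pending", p.person_id))
    # Step 3: after the grace period, hand off to TerminatePersonAdvanced.
    # Assumption: only people already in status 8 with no task are submitted.
    grace = timedelta(days=grace_period_days)
    for p in people:
        if (p.valid_until is not None and not p.deleted
                and p.termination_task_id is None
                and _status(p) == TERMINATION_PENDING
                and now - p.valid_until > grace):
            p.termination_task_id = submit_terminate(p)
            events.append(("submitted", p.person_id))
    # Steps 4-6: reactivate anyone whose ValidUntil moved back into the future.
    for p in pending_reactivations(people, now):
        p.disabled = False
        for acct in p.accounts:
            acct.disabled = False
        p.org_status_id = ACTIVE
        events.append(("reactivated", p.person_id))
    return events


def sample_people() -> List[Person]:
    """Constructed sample data relative to a 'now' of 2024-01-10 UTC."""
    def jan(day: int) -> datetime:
        return datetime(2024, 1, day, tzinfo=timezone.utc)
    return [
        Person(1, jan(9), accounts=[Account("AD"), Account("SAP")]),     # expired yesterday
        Person(2, jan(1), org_status_id=TERMINATION_PENDING, disabled=True,
               accounts=[Account("AD", disabled=True)]),                  # pending for 9 days
        Person(3, datetime(2024, 2, 1, tzinfo=timezone.utc),
               org_status_id=TERMINATION_PENDING, disabled=True),         # HR extended the date
        Person(4, None),                                                  # no end date known
        Person(5, jan(1), deleted=True),                                  # already deleted
    ]


def demo(grace_period_days: int = 3):
    """Two passes: 2024-01-10, then just after the 3-day grace period for person 1."""
    people = sample_people()
    task_ids = iter(range(1000, 2000))
    first = run_submit_person_terminations(
        people, datetime(2024, 1, 10, tzinfo=timezone.utc), grace_period_days,
        lambda p: next(task_ids))
    second = run_submit_person_terminations(
        people, datetime(2024, 1, 13, 0, 0, 1, tzinfo=timezone.utc), grace_period_days,
        lambda p: next(task_ids))
    return people, first, second


if __name__ == "__main__":
    _, first, second = demo()
    print("pass 1:", first)
    print("pass 2:", second)
```

The first pass moves person 1 to Termination Pending, submits person 2 (pending for longer than the grace period) to the child workflow, and reactivates person 3, whose HR record now carries a future ValidUntil; the second pass, run after person 1's grace period has elapsed, submits person 1. Person 4 (no ValidUntil) and person 5 (already deleted) are never touched, which is the behaviour the IS NOT NULL and Deleted = 0 conditions exist to guarantee.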

Initial process flow:

  1. Trigger: a leaver is detected (the ValidUntil date passes, or a Terminate Person workflow is run manually).

  2. The Person status is set to "Termination Pending".

  3. Once the grace period has elapsed, the Person status is set to "Terminated".

In the initial implementation, EmpowerID only terminates the identity (the Person) within EmpowerID. Actions on the accounts in external systems, such as disablement or deletion, access removal and password reset, will be designed and configured as write-back to each target system is authorized. Until that write-back is in place, a terminated Person's accounts remain active in the target systems and must be handled outside EmpowerID.
