Planned Leaver
EmpowerID provides organizations the ability to automate the disabling and eventual deletion of EmpowerID Persons and all user accounts linked to those Persons. A Person is selected for this processing when its attribute values cause it to match one of the pre-defined Query-Based Collections used for this purpose. The most common attribute used is ValidUntil, which typically comes from the HR system. This type of termination automation, known as the "Advanced Leaver" or "Planned Leaver" event, differs from unplanned Leaver events, which are typically performed by an administrative user via the EmpowerID web user interface.
The Leaver process is when a person’s relationship with an organization comes to an end. The Leaver is the most security-sensitive event as the IAM system must ensure that all access is removed in a timely manner. An unplanned Leaver event can be initiated manually using one of the Terminate Person workflows. These workflows mark the Person object as deleted and trigger a reevaluation of the RET policies leading to account deletions or disables.
EmpowerID provides a configurable “Advanced Leaver” process that relies on a permanent workflow named “SubmitPersonTerminations” which then calls a child flow chart workflow named “TerminatePersonAdvanced”.
The logic for the default process is as follows:
The SubmitPersonTerminations permanent workflow runs continuously and grabs all person objects in the “LeaverTerminationPreTerminationSetGroup” Query-Based Collection. Notifications are sent out based on the matching person records and configured email notifications and templates.
The SubmitPersonTerminations permanent workflow runs continuously and grabs all person objects in the “LeaverTerminationPeopletoTerminateSet” Query-Based Collection. Notifications are sent out based on the matching person records and configured email notifications and templates.
For any Person objects in that collection, it disables the Person and all of their user accounts and sets the Person Organization Status to 8, “Termination Pending”.
Next, for any Person objects whose ValidUntil expired more days ago than the configurable "PersonTerminationGracePeriod" EmpowerID System setting allows, the workflow submits them into the “TerminatePersonAdvanced” workflow, running it as the initiator identity configured in the “TerminatePersonAdvancedInitiator” EmpowerID System setting.
The permanent workflow also detects and handles the reactivation or extension process.
As a last step in the permanent workflow logic, it retrieves all people in the “LeaverTerminationPeopletoReactivateSet” Query-Based Collection to get any Person objects matching the reactivation criteria. These criteria are typically as follows (clauses beginning with -- are commented out and not evaluated):
    ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE()
    --AND TerminationBusinessProcessTaskID IS NULL
    AND Deleted =0
    AND IsNull(PersonOrganizationStatusID, -1) = 8
    --AND TerminationDate IS NULL
For any person matching these criteria, it enables the person and all their accounts then sets the Person Organization Status to 1 “Active”.
If the ValidUntil date is corrected in the HR system or on the Person object before the grace period expires, the permanent workflow re-enables the Person and their accounts and sets the Person Organization Status back to 1, “Active”.
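The following is an added example, not EmpowerID product code, that models one pass of the SubmitPersonTerminations logic described above over a handful of constructed Person records. The reactivation predicate follows the criteria quoted on the page; the criteria for the pre-termination and people-to-terminate collections are not given on the page, so the predicates for those two are assumptions, as are the grace period value, the seven-day notice window, and the choice to model submission to TerminatePersonAdvanced as marking the Person deleted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Person Organization Status values named on the page.
STATUS_ACTIVE = 1
STATUS_TERMINATION_PENDING = 8

# Stand-in for the "PersonTerminationGracePeriod" System setting (constructed value).
PERSON_TERMINATION_GRACE_PERIOD_DAYS = 14
# Hypothetical notice window for the pre-termination collection (not stated on the page).
PRE_TERMINATION_NOTICE_DAYS = 7


@dataclass
class Person:
    person_id: str
    valid_until: Optional[datetime]              # typically fed from the HR system
    org_status_id: Optional[int] = STATUS_ACTIVE  # PersonOrganizationStatusID
    deleted: bool = False
    accounts_enabled: bool = True
    actions: list = field(default_factory=list)  # audit trail of what the pass did


def _status(p: Person) -> int:
    # Mirrors IsNull(PersonOrganizationStatusID, -1) in the quoted criteria.
    return p.org_status_id if p.org_status_id is not None else -1


def in_pre_termination_set(p: Person, now: datetime) -> bool:
    """Assumed criteria for LeaverTerminationPreTerminationSetGroup:
    ValidUntil falls inside the notice window and the Person is not yet pending."""
    return (p.valid_until is not None and not p.deleted
            and now <= p.valid_until <= now + timedelta(days=PRE_TERMINATION_NOTICE_DAYS)
            and _status(p) != STATUS_TERMINATION_PENDING)


def in_people_to_terminate_set(p: Person, now: datetime) -> bool:
    """Assumed criteria for LeaverTerminationPeopletoTerminateSet:
    ValidUntil has passed and the Person is neither pending nor deleted."""
    return (p.valid_until is not None and p.valid_until <= now
            and not p.deleted and _status(p) != STATUS_TERMINATION_PENDING)


def in_people_to_reactivate_set(p: Person, now: datetime) -> bool:
    """Criteria quoted on the page (commented-out clauses omitted):
    ValidUntil IS NOT NULL AND ValidUntil > GETUTCDATE() AND Deleted = 0
    AND IsNull(PersonOrganizationStatusID, -1) = 8"""
    return (p.valid_until is not None and p.valid_until > now
            and not p.deleted and _status(p) == STATUS_TERMINATION_PENDING)


def grace_period_expired(p: Person, now: datetime) -> bool:
    """ValidUntil expired more days ago than the configured grace period."""
    return (p.valid_until is not None
            and (now - p.valid_until).days > PERSON_TERMINATION_GRACE_PERIOD_DAYS)


def run_submit_person_terminations(people: list, now: datetime) -> list:
    """One pass of the permanent workflow, in the order the page describes."""
    for p in people:
        if in_pre_termination_set(p, now):
            p.actions.append("notify-pre-termination")
        if in_people_to_terminate_set(p, now):
            p.accounts_enabled = False
            p.org_status_id = STATUS_TERMINATION_PENDING
            p.actions.append("disable+pending")
        if not p.deleted and grace_period_expired(p, now):
            # Submitted to TerminatePersonAdvanced; modelled here as marking the Person deleted.
            p.deleted = True
            p.actions.append("terminate")
        if in_people_to_reactivate_set(p, now):
            p.accounts_enabled = True
            p.org_status_id = STATUS_ACTIVE
            p.actions.append("reactivate")
    return people


def demo() -> dict:
    """Runs one pass over constructed records and returns person_id -> actions taken."""
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)          # stands in for GETUTCDATE()
    d = lambda m, day: datetime(2024, m, day, tzinfo=timezone.utc)
    people = [
        Person("alice", d(6, 20)),                                         # leaves in 5 days
        Person("bob", d(6, 10)),                                           # expired 5 days ago
        Person("carol", d(5, 1), STATUS_TERMINATION_PENDING, False, False),  # expired 45 days ago
        Person("dave", d(7, 31), STATUS_TERMINATION_PENDING, False, False),  # HR extended ValidUntil
        Person("erin", None),                                              # no ValidUntil at all
        Person("frank", d(5, 1), None, True, False),                       # already deleted
    ]
    return {p.person_id: p.actions for p in run_submit_person_terminations(people, now)}


if __name__ == "__main__":
    for pid, acts in demo().items():
        print(pid, acts)
```

The pass is intentionally idempotent for Persons that are already pending but still inside the grace period (bob on a second run would take no further action), and a Person with no ValidUntil never enters any collection, which is why the HR feed populating that attribute is the real control point for this process.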
Initial Process flow:
Trigger – leaver is detected
Person status is set to ‘pending termination’
Once the grace period has elapsed, person status is set to ‘Terminated’
In the initial implementation, EmpowerID will only terminate the identity (Person) within EmpowerID. Any action on the accounts in the external systems, such as disablement or deletion, access removal, and password reset, will be designed and configured once write-back to the target systems is authorized.