You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Skip to end of banner
Go to start of banner

Overview of Identity Lifecycle

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Current »

HR-Driven Identity Lifecycle

Many organizations use a Human Capital Management (HCM) system to maintain user data for employees and to initiate all status changes. This includes the pre-hire interview process, start-date, transfers and terminations – all of which are managed and initiated within the HCM. EmpowerID integrates with an organization’s HCM to detect these lifecycle changes and then automate the management of Compliant Access throughout the Joiner, Mover, and Leaver processes. EmpowerID supports all the major HCM systems including any that support the SCIM standard.

Compliant Identity Lifecycle

It is much easier to deliver access than it is to deliver Compliant Access. IT organizations have traditionally seen provisioning technical entitlements as the finish line which leads to overprivileged users, increased organizational risk, regulatory violations, and vulnerability to hackers and malware.

Compliant Access in the Identity Lifecycle is defined as a secure desired state against which a user’s current access must continuously be measured and adjusted. This contrasts with the traditional approach where lifecycle changes are merely a series of triggered scripted events. Compliant Access is defined in EmpowerID using position-based roles as well as policies to detect and prevent risk. The roles and policies are the benchmarks against which all users’ currently assigned access is measured. EmpowerID inventories all an organization’s systems to retrieve the users, roles and technical entitlements to know at any moment who has access to what. The actual inventoried state is evaluated against the desired “compliant” state and risk policies to detect gaps and initiate changes.

Gaps in compliance most often occur based on lifecycle changes made in the HR system. New joiners are quickly identified as gaps due to missing access to which they are entitled based on their roles. Users changing jobs or locations, or movers, are detected as having incorrect access. Meaning, that they are missing some access appropriate to their new position and still have access that is no longer compliant. And the last case are the leavers, these are users that have been marked as no longer with the organization and all their access is considered non-compliant. EmpowerID’s state-based Compliant Access Delivery engine continuously recalculates these variances of actual versus desired and automates the provisioning of new access and revocation of non-compliant access.

Flexible Lifecycle Workflows

No two organization’s Joiner, Mover, and Leaver processes are identical, so a cookie cutter approach is not an option. Attempting to bend an organization’s processes to the configuration options available in most IGA platforms can be a painful process which typically negates the benefits of automation. EmpowerID has unique DNA among all IGA vendors as it was developed entirely on a Business Process Automation or “low code orchestration” platform. In the EmpowerID model, entire processes are described and automated as visual workflow not simply the human approval processes. The unique flexibility of the “everything is a workflow” model allows organizations to maintain their own business requirements for identity lifecycle without compromising or costly and unsupportable custom development. EmpowerID’s Joiner, Mover, and Leaver processes offer common configuration options fitting most organizations needs with the ability to uniquely handle exceptions in the visually designed workflows. The flexibility of this model allows for much greater automation as well enhanced reporting and enforcement of Compliant Access policies.

Automated Provisioning to All Your Systems

The measure of any identity lifecycle solution is its ability to provision and maintain compliant access in as many of an organization’s systems as possible. EmpowerID provides one of the largest libraries of out of the box connectors for on-premise and Cloud systems available. Out of the box systems can quickly and easily be configured using friendly workflow-based processes. Upon completion of a connection the system is inventoried, monitored for changes and ready for automated provisioning and deprovisioning policies. Many of EmpowerID’s out of the box connectors offer much deeper support than is typically available inventorying and managing fine-grained application permissions.

Simplified Standards-Based Connector Development

For systems not supported by out of the box connectors, EmpowerID has embraced the SCIM standard to simplify connector development, deployment, and maintenance for customers and partners. The System for Cross Domain Identity Management (SCIM) is was open standard created to simplify, and automate identity management of users, groups, and devices across Cloud-based applications and services. The basis of EmpowerID’s SCIM support is our SCIM Microservice Connector Framework. This framework is a ready-made SCIM Server Microservice that allows customers and partners to develop SCIM connectors for proprietary applications without knowing anything about SCIM or EmpowerID’s API. Customers and partners are only responsible for their specific application connector code and nothing else is required to expose non-SCIM compliant applications as standards based SCIM microservices. This unique model dramatically reduces the difficulty in developing connectors and greatly expands their utility as they adhere to modern standards for interoperability.


EmpowerID automates the lifecycle of identities through the Joiner, Mover, and Leaver phases. These events are typically detected and triggered based on changes occurring to the employee record in an HR or other authoritative system through an inventory connector. HR account records are initially inventoried into the system as orphan accounts lacking a related Person object.The EmpowerID Account Inbox permanent workflow and queue processes these orphan accounts to determine if they can be joined to an existing Person object or if a new Person object should be created. Changes in the authoritative system for job title, job role, and/or location code, country, department or other fields may trigger a Mover event based on logic configured in location mappings. EmpowerID handles Mover events such as these through the Business Role and Location Recompiler Job. Unplanned Leaver events can be initiated manually via an EmpowerID workflow, while planned Leaver events are most often triggered by the VaildUntil date set on Person objects by HR and processed by logic in a permanent workflow.

Joiner Process

Because of the key role of Person objects in EmpowerID, the process by which EmpowerID joins inventoried accounts to these objects is foundational to how EmpowerID manages your user identities. As mentioned in the Inventory topic, when EmpowerID inventories a resource system with user accounts, it does more than just write a copy of those user accounts to a table in the EmpowerID Identity Warehouse. It evaluates those accounts to determine whether or not they are owned by users, and based on that evaluation it does one of the following three things:

  • It ignores them;
  • It joins them to existing EmpowerID Persons;
  • It provisions new EmpowerID Persons, joining those new Persons to the accounts



Mover Process

The Mover process occurs when a person in an organization changes his or her job function and or the organizational location in which they work. The Mover event is important, as access should be reevaluated to ensure that any missing access required for the new role is provisioned and that access no longer needed is removed. A Mover event can be initiated manually using one of a variety of workflows to change a person’s primary Business Role and Location in EmpowerID. These workflows constitute a move and will trigger the reevaluation of RETs and other types of access policies. More commonly, Mover events are triggered based on changes to a person’s job title/code or department ID assignment in the HR system. Typically, these changes flow into EmpowerID via the connector as changes to the External OrgRole (Business Role) and External OrgZone ( Location) assignments for the person's user account. When these change, the EmpowerID Business Role and Location Compiler Job leverages the mappings of these external roles and locations to determine which changes should occur to the person’s internal EmpowerID Business Roles and Locations. If changes need to occur, the job adds the changes to a queue to be processed by the Business Role and Location Processor job.

In some cases, this default mechanism is not adequate to handle the logic for determining a Mover event. As an example, in some organizations an external location change within a business unit does not constitute a Mover event.

Leaver Process

The Leaver process occurs when a person’s relationship with an organization comes to an end. The Leaver process is the most security sensitive event as the IAM system must ensure that all access is removed in a timely manner. An unplanned Leaver event can be initiated manually using one of the Terminate Person workflows. These workflows mark the Person object as deleted and trigger a reevaluation of the RET policies associated with that Person object, leading to account deletions or disables.

More commonly, Leaver events are triggered by changes to the ValidUntil field on an EmpowerID Person flowing from changes occurring in an authoritative HR system. EmpowerID provides a configurable “Advanced Leaver” process that relies on a permanent workflow named “SubmitPersonTerminations,” which then calls a child flow chart workflow named “TerminatePersonAdvanced”. The logic for the default process is as follows:

  1. The SubmitPersonTerminations permanent workflow runs continuously, calling the Person.GetPendingTerminationNotProcessed stored procedure to collect all EmpowerID Person objects meeting the below criteria:
    • ValidUntil IS NOT NULL
    • AND ValidUntil < GETUTCDATE()
    • AND TerminationBusinessProcessTaskID IS NULL
    • AND Deleted = 0
    • AND IsNUll(PersonOrganizationStatusID, -1) <> 8

  2. Any Person objects meeting the above criteria The EmpowerID Persons—and all user accounts linked to those EmpowerID Persons—are disabled and the PersonOrganizationStatusID field for each qualifying Person is updated to 8, meaning Termination Pending.
  3. Next, any Person object with an ValidUntil date greater than the number of days configured for the PersonTerminationGracePeriod EmpowerID System setting is submitted to the “TerminatePersonAdvanced” workflow using the identity set for the TerminsatePersonAdvancedInitiator EmpowerID System setting.
  4. As a last step in the permanent workflow logic, the workflow calls the Custom_Person_GetPendingTerminationNotProcessedPendingTermination stored procedure to collect any Person objects matching reactivation criteria. These criteria are as follows:
    • ValidUntil IS NOT NULL AND ValidUntil > GETUTCdate()
    • AND TerminationBusinessProcessTaskID IS NULL AND Deleted = 0
    • AND IsNUll(PersonOrganizationStatusID, -1) = 8
    • AND TerminationDate IS NULL


  • No labels