I’ve really been trying to improve my skills at capturing and writing up requirements and one thing that helps is to list all the typical identity “lifecycle events”, along with:
- How to detect the event, and
- What to do when the event is detected.
So for each target system I will have a table like the following. The “Lifecycle Events” I’ve listed I think are fairly universal. How you detect them (the “Trigger”), and what actions the IAM solution takes will of course be solution-specific. In some cases the IAM Solution’s action will be “none”, but that should still be documented.
| Lifecycle Event | Trigger | IAM Actions (example) |
|---|---|---|
| New person | New person identity created in authoritative data source, with required minimum attributes. | |
| Name change | First name, Preferred First Name or Surname change detected in authoritative data source. | |
| Position change | Job Title, Position Number or Business Unit changes detected in authoritative data source. | |
| Manager change | Manager change detected in authoritative data source. | |
| Contact Details change | Change to Address or Phone Number details in authoritative data source. | |
| Extended leave or suspension | Length of time between LeaveStartDate and LeaveEndDate is greater than 90 days OR Suspended status is True. | |
| Return from leave | LeaveEndDate has passed AND Suspended status is False AND account currently disabled. | |
| Termination | Termination Date from authoritative data source has passed. | At the end of the termination day:<br>90 days after termination day: |
| Rehire (existing disabled account) | Existing person with an existing disabled user account has a passed start date, and a future or no termination date. | After Archive (in addition): |
| Same-day start and termination | Start date = Termination date. | Disable and Archive account. |
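The Trigger column above written as rules that can be evaluated against records from the authoritative source, as an added example that is not part of the original post. The field names (leave_start, leave_end, suspended, account_disabled and the attribute keys) are assumptions standing in for the post's LeaveStartDate, LeaveEndDate and Suspended fields, and the attribute-change rows are detected by comparing two snapshots of the source.

```python
# Added example (not from the original post): the trigger column of the
# lifecycle table written as evaluable rules. Field names are assumptions
# standing in for the post's LeaveStartDate, LeaveEndDate, Suspended, etc.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

LEAVE_THRESHOLD_DAYS = 90  # threshold from the extended-leave trigger

# Attribute groups whose change in the authoritative source is a trigger.
CHANGE_GROUPS = {
    "name-change": ("first_name", "preferred_first_name", "surname"),
    "position-change": ("job_title", "position_number", "business_unit"),
    "manager-change": ("manager_id",),
    "contact-details-change": ("address", "phone"),
}

@dataclass
class Person:
    attrs: Dict[str, str] = field(default_factory=dict)  # HR attributes
    start_date: Optional[date] = None
    termination_date: Optional[date] = None
    leave_start: Optional[date] = None
    leave_end: Optional[date] = None
    suspended: bool = False
    account_disabled: bool = False  # state of the linked user account

def attribute_events(prev: Person, curr: Person) -> List[str]:
    """Compare two snapshots of the authoritative source for changed groups."""
    return [ev for ev, keys in CHANGE_GROUPS.items()
            if any(prev.attrs.get(k) != curr.attrs.get(k) for k in keys)]

def date_events(p: Person, today: date) -> List[str]:
    """Evaluate the date and status triggers from the table for one record."""
    events = []
    if p.start_date and p.start_date == p.termination_date:
        events.append("start-equals-termination")  # disable and archive
    leave_days = ((p.leave_end - p.leave_start).days
                  if p.leave_start and p.leave_end else 0)
    if leave_days > LEAVE_THRESHOLD_DAYS or p.suspended:
        events.append("extended-leave-or-suspension")
    if p.leave_end and p.leave_end < today and not p.suspended and p.account_disabled:
        events.append("return-from-leave")
    if p.termination_date and p.termination_date < today:
        events.append("termination")
    # Rehire: disabled account, start date passed, termination absent or future.
    if (p.account_disabled and p.start_date and p.start_date < today
            and (p.termination_date is None or p.termination_date > today)):
        events.append("rehire")
    return events
```

The triggers are not mutually exclusive: a disabled account with a passed LeaveEndDate and a passed start date matches both the return-from-leave and the rehire rows, so the requirements table also needs a precedence rule saying which action wins.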