IAM Design Principle: Lifecycle Events

I’ve really been trying to improve my skills at capturing and writing up requirements and one thing that helps is to list all the typical identity “lifecycle events”, along with:

  • How to detect the event, and
  • What to do when the event is detected.

So for each target system I will have a table like the following. The “Lifecycle Events” I’ve listed I think are fairly universal. How you detect them (the “Trigger”), and what actions the IAM solution takes will of course be solution-specific. In some cases the IAM Solution’s action will be “none”, but that should still be documented.

Lifecycle Event: On-board
Sub-stages: Pre-start; Start Date
Trigger (example): New person identity created in authoritative data source, with required minimum attributes.
IAM Actions (example):
  Pre-start:
    • Provision user account
    • Provision account artifacts (e.g., mailbox, home folder)
    • Assign default access
  Start Date:
    • Enable account

Lifecycle Event: Name change
Trigger (example): First Name, Preferred First Name or Surname change detected in authoritative data source.
IAM Actions (example):
  • Change name attributes
  • Generate new primary email address

Lifecycle Event: Job change
Trigger (example): Job Title, Position Number or Business Unit change detected in authoritative data source.
IAM Actions (example):
  • Change Job Title
  • Change Business Unit-based groups

Lifecycle Event: Manager change
Trigger (example): Manager change detected in authoritative data source.
IAM Actions (example):
  • Change manager attribute

Lifecycle Event: Contact Details change
Trigger (example): Change to Address or Phone Number details in authoritative data source.
IAM Actions (example):
  • Change one or more of the following attributes based on the change in source data:
    • streetAddress
    • postalCode
    • country
    • telephoneNumber
    • ….
  • Change location-based distribution list

Lifecycle Event: Suspension
Trigger (example): Length of time between LeaveStartDate and LeaveEndDate is greater than 90 days, OR Suspended status is True.
IAM Actions (example):
  • Disable user account
  • Add notes “Disabled by IAM on <date>”

Lifecycle Event: Reactivation
Trigger (example): LeaveEndDate has passed, AND Suspended status is False, AND account currently disabled.
IAM Actions (example):
  • Enable user account
  • Add notes “Enabled by IAM on <date>”

Lifecycle Event: Off-board
Sub-stages: Deactivation; Archive
Trigger (example): Termination Date from authoritative data source has passed.
IAM Actions (example):
  At the end of the termination day:
    • Disable user account
    • Move to “Disabled Users” OU
    • Add notes “Disabled by IAM on <date>”
  90 days after the termination day:
    • Remove all group memberships
    • Archive mailbox
    • Archive home folder

Lifecycle Event: Re-hire/Return
Sub-stages: Before Archive; After Archive
Trigger (example): Existing person with an existing disabled user account has a passed start date, and a future or no termination date.
IAM Actions (example):
  Before Archive:
    • Enable account
    • Add any default groups based on new position (if applicable)
  After Archive (in addition):
    • Create new mailbox
    • Create new home folder

Lifecycle Event: No Show
Trigger (example): Start date = Termination date.
IAM Actions (example):
  • Disable and archive account

3 Replies to “IAM Design Principle: Lifecycle Events”

  1. Very good post Carol. Really captures the complexity of connecting an HR Feed to MIM. One item I did not see (and also not on your post of 11/16) is the “No Show” state, which is for when someone who has accepted a job offer does not show up or later turns down the offer. I have connected HR systems from all parts of the globe and I know certain countries where this No Show is a common event; an average of 20% of accepted offers do not show, such that you have to factor this into your MIM design. There are certain countries where it is a zero factor because of the prevalent culture of honoring your word. I won’t name any countries on either side. I have seen the “No Show” in some HR systems, and actually it is one of the status options in WorkDay.

    Generally one has to configure MIM to clean up all the items created when the status is changed to “No Show”.

  2. That is a great addition Ike – in fact I’ve been working with a customer recently who has this issue and their HR system doesn’t seem to have any good way to signal it to us. There’s some concern that the HR system will pay the person for one day if they set termination date to the same as the start date, and it won’t let them set a termination date prior. I will add this to the table as it is clearly something that needs to be thought through, thanks!

  3. This is a very good writeup; all IAM implementations will have similar kinds of cases, and you collated them and published them for reference. Appreciate the efforts. Thanks.
