{"id":2968,"date":"2016-11-18T03:18:23","date_gmt":"2016-11-18T03:18:23","guid":{"rendered":"https:\/\/www.wapshere.com\/missmiis\/?p=2968"},"modified":"2022-08-20T22:54:49","modified_gmt":"2022-08-20T22:54:49","slug":"iam-design-principals-lifecycle-events","status":"publish","type":"post","link":"https:\/\/www.wapshere.com\/missmiis\/iam-design-principals-lifecycle-events","title":{"rendered":"IAM Design Principle: Lifecycle Events"},"content":{"rendered":"<p>I&#8217;ve really been trying to improve my skills at capturing and writing up <a href=\"https:\/\/www.wapshere.com\/missmiis\/it-always-comes-back-to-requirements\">requirements<\/a> and one thing that helps is to list all the typical identity &#8220;lifecycle events&#8221;, along with:<\/p>\n<ul>\n<li>How to detect the event, and<\/li>\n<li>What to do when the event is detected.<\/li>\n<\/ul>\n<p>So for each target system I will have a table like the following. The &#8220;Lifecycle Events&#8221; I&#8217;ve listed I think are fairly universal. How you detect them (the &#8220;Trigger&#8221;), and what actions the IAM solution takes will of course be solution-specific. 
In some cases the IAM Solution&#8217;s action will be &#8220;none&#8221;, but that should still be documented.<br \/>\n<!--more--><\/p>\n<table border=\"1\">\n<tbody>\n<tr>\n<th><strong>Lifecycle Event<\/strong><\/th>\n<th><strong>Sub-stages<\/strong><\/th>\n<th><strong>Trigger (example)<\/strong><\/th>\n<th><strong>IAM Actions (example)<\/strong><\/th>\n<\/tr>\n<tr>\n<td><strong>On-board<\/strong><\/td>\n<td><p>Pre-start<\/p>\n<p>Start Date<\/p><\/td>\n<td>New person identity created in authoritative data source, with required minimum attributes.<\/td>\n<td><p>Pre-start:<\/p>\n<ul>\n<li>Provision User Account<\/li>\n<li>Provision account Artifacts (e.g., mailbox, home folder)<\/li>\n<li>Assign default access<\/li>\n<\/ul>\n<p>Start Date:<\/p>\n<ul>\n<li>Enable account<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Name change<\/strong><\/td>\n<td><\/td>\n<td>First name, Preferred First Name or Surname change detected in authoritative data source.<\/td>\n<td>\n<ul>\n<li>Change name attributes<\/li>\n<li>Generate new primary email address<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Job change<\/strong><\/td>\n<td><\/td>\n<td>Job Title, Position Number or Business Unit changes detected in authoritative data source.<\/td>\n<td>\n<ul>\n<li>Change Job Title<\/li>\n<li>Change Business Unit-based groups<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Manager change<\/strong><\/td>\n<td><\/td>\n<td>Manager change detected in authoritative data source.<\/td>\n<td>\n<ul>\n<li>Change manager attribute.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Contact Details change<\/strong><\/td>\n<td><\/td>\n<td>Change to Address or Phone Number details in authoritative data source.<\/td>\n<td>\n<ul>\n<li>Change one or more of the following attributes based on the change in source data:\n<ul>\n<li>streetAddress<\/li>\n<li>postalCode<\/li>\n<li>country<\/li>\n<li>telephoneNumber<\/li>\n<li>&#8230;<\/li>\n<\/ul>\n<\/li>\n<li>Change location-based distribution list.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Suspension<\/strong><\/td>\n<td><\/td>\n<td><p>Length of time between LeaveStartDate and LeaveEndDate is greater than 90 days<\/p>\n<p>OR Suspended status is True.<\/p><\/td>\n<td>\n<ul>\n<li>Disable user account<\/li>\n<li>Add notes &#8220;Disabled by IAM on &lt;date&gt;&#8221;<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Reactivation<\/strong><\/td>\n<td><\/td>\n<td><p>LeaveEndDate has passed<\/p>\n<p>AND Suspended status is False<\/p>\n<p>AND account currently disabled<\/p><\/td>\n<td>\n<ul>\n<li>Enable user account<\/li>\n<li>Add notes &#8220;Enabled by IAM on &lt;date&gt;&#8221;<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Off-board<\/strong><\/td>\n<td><p>Deactivation<\/p>\n<p>Archive<\/p><\/td>\n<td>Termination Date from authoritative data source has passed.<\/td>\n<td><p>At the end of the termination day:<\/p>\n<ul>\n<li>Disable user account,<\/li>\n<li>Move to &#8220;Disabled Users&#8221; OU,<\/li>\n<li>Add notes &#8220;Disabled by IAM on &lt;date&gt;&#8221;<\/li>\n<\/ul>\n<p>90 days after termination day:<\/p>\n<ul>\n<li>Remove all group memberships,<\/li>\n<li>Archive mailbox,<\/li>\n<li>Archive home folder.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Re-hire\/Return<\/strong><\/td>\n<td><p>Before Archive<\/p>\n<p>After Archive<\/p><\/td>\n<td>Existing person with an existing disabled user account has a passed start date, and a future or no termination date.<\/td>\n<td><p>Before Archive:<\/p>\n<ul>\n<li>Enable account,<\/li>\n<li>Add any default groups based on new position (if applicable).<\/li>\n<\/ul>\n<p>After Archive (in addition):<\/p>\n<ul>\n<li>Create new mailbox,<\/li>\n<li>Create new home folder.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>No Show<\/strong><\/td>\n<td><\/td>\n<td>Start date = Termination date.<\/td>\n<td>Disable and Archive account.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve really been trying to improve my skills at capturing and writing up 
requirements and one thing that helps is to list all the typical identity &#8220;lifecycle events&#8221;, along with: How to detect the event, and What to do when the event is detected. So for each target system I will have a table like&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":[]},"categories":[55],"tags":[],"class_list":["post-2968","post","type-post","status-publish","format-standard","hentry","category-best-practice"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pkp1o-LS","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2968","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/comments?post=2968"}],"version-history":[{"count":8,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2968\/revisions"}],"predecessor-version":[{"id":3270,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/posts\/2968\/revisions\/3270"}],"wp:attachment":[{"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/media?parent=2968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wapshere.com\/missmiis\/wp-json\/wp\/v2\/categories?post=2968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.waps
here.com\/missmiis\/wp-json\/wp\/v2\/tags?post=2968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}