I’ve really been trying to improve my skills at capturing and writing up requirements and one thing that helps is to list all the typical identity “lifecycle events”, along with:
- How to detect the event, and
- What to do when the event is detected.
So for each target system I will have a table like the following. The “Lifecycle Events” I’ve listed I think are fairly universal. How you detect them (the “Trigger”), and what actions the IAM solution takes will of course be solution-specific. In some cases the IAM Solution’s action will be “none”, but that should still be documented.
| Lifecycle Event | Sub-stages | Trigger (example) | IAM Actions (example) |
|---|---|---|---|
| On-board | Pre-start
Start Date |
New person identity created in authoratative data source, with required minimum attributes. | Pre-start:
Start Date:
|
| Name change | First name, Preferred First Name or Surname change detected in authoratative data source. |
|
|
| Job change | Job Title, Poisition Number or Business Unit changes detected in authoratative data source. |
|
|
| Manager change | Manager change detected in authoratative data source. |
|
|
| Contact Details change | Change to Address or Phone Number details in authoratative data source. |
|
|
| Suspension | Length of time between LeaveStartDate and LeaveEndDate is greater than 90 days
OR Suspended status is True. |
|
|
| Reactivation | LeaveEndDate has passed
AND Suspended status is False AND account currently disabled |
|
|
| Off-board | Deactivation
Archive |
Termination Date from authoratative data source has passed. | At the end of the termination day:
90 days after termination day:
|
| Re-hire/Return | Before Archive
After Archive |
Existing person with an existing disabled user account has a passed start date, and a future or no termination date. | Before Archive:
After Archive (in addition):
|
| No Show | Start date = Termination date. | Disable and Archive account. |
Very good post Carol. Really captures the complexity of connecting an HR Feed to MIM. One item I did not see (and also not on your post of 11/16) is “No Show” state which is for when someone who has accepted a job offer and does not show up or later turns down the offer. I have connected HR systems from all parts of the globe and I know certain countries where this No Show is a common event, an average of 20% of accepted offers do not show such that you have to factor this into your MIM design. There are certain countries where it is a zero factor because of the prevalent culture of honor your word. I won’t name any countries on either side. I have seen the “No Show” in some HR systems and actually it is one of status options in WorkDay.
Generally one has to configure MIM to cleanup all the items created when the status is changed to “No Show”
That is a great addition Ike – in fact I’ve been working with a customer recently who has this issue and their HR system doesn’t seem to have any good way to signal it to us. There’s some concern that the HR system will pay the person for one day if they set termination date to the same as the start date, and it won’t let them set a termination date prior. I will add this to the table as it is clearly something that needs to be thought through, thanks!
This is very good writeup, all IAM implementations will have similar kind of cases and you collated them and published it for reference. Appreciate the efforts Thanks