Permanently Deactivating Employees
Employees can be disabled permanently when, for example, they leave the company. It might be necessary, to remove access to this employee’s entitlements in connected target systems and their company resources.
Effects of permanent disabling of an employee are:
- The employee cannot be assigned to employees as a manager.
- The employee cannot be assigned to roles as a supervisor.
- The employee cannot be assigned to attestation policies as an owner.
- There is no inheritance of company resources through roles, if the additional option No inheritance is set for an employee.
- Employee user accounts are locked or deleted and then removed from group memberships.
Trigger permanent disabling through:
- The task Disable employee permanently
This task ensures that the option Permanently disabled is set and leaving date and the last day of work are set to the current date.
- Leave date reached
NOTE: Configure and enable the schedule "Lock accounts of employees that have left the company" in the Designer. This schedule regularly checks the leaving date and sets the option Permanently disabled on reaching the date. NOTE: The task Re-enable employee ensures that the employee is re-enabled. - Certification status "Denied"
An employee is permanently disabled when their certification status is set to "Denied" either through attestation or manually. If the employee's certification status is changed to "certified", the employee is activated again.
NOTE: This function is only available if the Attestation Module is installed.
Related Topics
- Temporarily Deactivating Employees
- Deferred Deletion of Employees
- Re-enable an Employee
- Changing the Certification Status of an Employee
Re-enable an Employee
Employees who are permanently deactivated can be re-enabled if they were not disabled by certification.
To re-enable an employee
- Select the category Employees | Inactive employees.
- Select the employee in the result list.
- Select Re-enable employee in the task view.
An alert appears.
- Confirm the security prompt with Yes if the employee should be enabled. Otherwise close the alert with No.
The option Disabled permanently is enabled on the employee’s master data form. The leaving date and last working day are deleted.
- Save the changes.
Related Topics
Deferred Deletion of Employees
When an employee is deleted, they are tested to see if user accounts and company resources are still assigned, or if there are still pending requests in the IT Shop. The employee is marked for deletion and therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. All the user accounts linked to one employee could be deleted by default by the One Identity Manager once this employee has been deleted. If no more company resources are assigned, the employee is finally deleted.
By default, employees are finally deleted from the database after 30 days. During this period it is possible to re-enable the employee. A restore is not possible once the delete delay has expired. You can configure an alternative deletion delay on the table Person in the Designer.
Related Topics
Assigning Company Resources to Employees
One Identity Manager uses different assignment types to assign company resources.
- Indirect Assignment
In the case of indirect assignment of company resources, employees, devices and workdesks are arranged in departments, cost centers, locations, business roles or application roles. The total of assigned company resources for an employee, device or workdesk is calculated from the position within the hierarchies, the direction of inheritance (top-down or bottom-up) and the company resources assigned to these roles. In the Indirect assignment methods a difference between primary and secondary assignment is taken into account.
- Direct Assignment
Direct assignment of company resources results from the assignment of a company resource to an employee, device or a workdesk, for example. Direct assignment of company resources makes it easier to react to special requirements.
- Assigning through Dynamic Roles
Assignment through dynamic roles is a special case of indirect assignment. Dynamic roles are used to specify role memberships dynamically. Employees, devices and workdesks are not permanently assigned to a role, just when they fulfill certain conditions. A check is performed regularly to assess which employees, devices or workdesks fulfill these conditions. The means the role memberships change dynamically. For example, company resources can be assigned dynamically to all employees
- Assigning through IT Shop Requests
Assignment through the IT Shop is a special case of indirect assignment. Add employees to a shop as customers so that company resources can be assigned through IT Shop requests. All company resources assigned as product to this shop can be requested by the customers. Requested company resources are assigned to the employees after approval is granted. Role memberships can be requested through the IT Shop as well as company resources.
The following table shows the possible company resources assignments to employees.
|
|
Note: Company resources are defined in the One Identity Manager modules and are not available until the modules are installed. |
| Company Resource | Direct assignment permitted | Indirect assignment permitted | Comment |
|---|---|---|---|
|
Resources |
+ | + |
|
|
System roles |
+ | + |
|
|
Subscribable reports |
+ | + |
|
|
Applications |
+ | + | |
| Account definitions | + | + | |
|
Groups of custom target systems |
- | + |
All the employee's user accounts are added to the associated application group, which permit application inheritance. |
|
Active Directory groups |
- | + |
All the employee's Active Directory user accounts and Active Directory contacts are added to Active Directory groups, which permit group inheritance. |
|
SharePoint groups |
- | + |
All the employee's SharePoint user accounts are added to SharePoint groups. |
|
SharePoint roles |
- | + |
All the employee's SharePoint user accounts are added to SharePoint roles. |
|
LDAP groups |
- | + |
All the employee's LDAP user accounts, which permit group inheritance, are added to LDAP groups. |
|
Notes groups |
- | + |
All the employee's Notes user accounts are added to Notes groups. |
|
SAP groups |
+ | + |
All the employee's SAP user accounts, which are in the same SAP clients, are added to SAP groups. |
|
SAP profiles |
+ | + |
All the employee's SAP user accounts, which are in the same SAP clients, are added to SAP profiles. |
|
SAP roles |
+ | + |
All the employee's SAP user accounts, which are in the same SAP clients, are added to SAP roles. |
|
Structural profiles |
- | + |
All the employee's SAP user accounts, which are in the same SAP clients, are added to structural profiles. |
|
BI analysis authorizations |
- | + |
All the employee's BI user accounts, which are in the same system, obtain BI analysis authorizations. |
|
E-Business Suite entitlements |
- | + |
All the employee's E-Business Suite user accounts, which are in the same E-Business Suite system and for which group inheritance is permitted, are added to E-Business Suite groups. |
|
Azure Active Directory groups |
- | + |
All the employee's Azure Active Directory user accounts, which permit group inheritance, are added to Azure Active Directory groups. |
|
Azure Active Directory administrator roles |
- | + |
All the employee's Azure Active Directory user accounts, which permit group inheritance, are added to Azure Active Directory administrator roles. |
|
Azure Active Directory subscriptions |
- |
+ |
All the employee's Azure Active Directory user accounts, which permit group inheritance, are given Azure Active Directory subscriptions. |
|
Disabled Azure Active Directory service plans |
- |
+ |
All the employee's Azure Active Directory user accounts, which permit group inheritance, are given Azure Active Directory service plans. |
|
Unix groups |
- |
+ |
All the employee's Unix user accounts, which permit group inheritance, are added to Unix groups. |
Detailed information about this topic
- Basics for Assigning Company Resources
- Permit Assignments of Employees, Devices, Workdesks and Company Resources
Related Topics
- Possible Assignments of Company Resources through Roles
- Assigning Employees to Departments, Cost Centers and Locations
- Assigning Employees to Business Roles
- Assigning Employees, Devices and Workdesks to Departments, Cost Centers and Locations
- Assigning Company Resources to Departments, Cost Centers and Locations
- Working with Dynamic Roles