Reactivate permanently deactivated employees
Employees who are permanently deactivated can be re-enabled if they were not disabled by certification.
To reactivate an employee
In the Manager, select the Employees > Inactive employees category.
Select the employee in the result list.
Select the Reactivate employee task.
Confirm the security prompt with Yes if the employee should be enabled.
On the main data form for the employee, the Permanently deactivated option is not set. The end date and last working day are deleted assuming the dates are past.
- Save the changes.
Deferred deletion of employees
When an employee is deleted, they are tested to see if user accounts and company resources are still assigned, or if there are still pending requests in the IT Shop. The employee is marked for deletion and therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. All the user accounts linked to one employee could be deleted by default by One Identity Manager once this employee has been deleted. If no more company resources are assigned, the employee is finally deleted.
By default, employees are finally deleted from the database after 30 days. During this period it is possible to re-enable the employee. A restore is not possible once deferred deletion has expired.
In the Designer, you can set an alternative delay on the Person table. For more information on configuring the deferred deletion, refer to the One Identity Manager Configuration Guide.
Deleting all employee related data
A procedure called QER_PPersonDelete_GDPR is provided to support the special process for deleting employee related data, which implements the General Data Protection Regulation (GDPR) of the European Union. You can use this procedure to delete all data relating to an employee from the One Identity Manager database. For certain dependencies, processes that are handled by the One Identity Manager Service are created by the procedure.
NOTE: While this procedure is running, the database does not allow any triggers. Therefore, it is recommended to only run the procedure in maintenance periods.
You can run the procedure in any program suitable for running SQL queries.
exec QER_PPersonDelete_GDPR ' <employee UID from the Person table, UID_Person column>'
NOTE: Personal data may be subject to further regulations such as legal retention periods. Personal data from the One Identity Manager History Database is not automatically deleted by default because of this. It is recommended to operate One Identity Manager History Databases that correspond to the report periods. After a specified reporting period has expired, you can set up a new One Identity Manager History Database. You set up custom processes for deleting personal data.
Limited access to One Identity Manager
NOTE: This function is only available if the Attestation Module is installed.
Users who only have temporary or limited access to the One Identity Manager can log in through the Web Portal. This functionality can be used, for example, if external employees, such as contract workers, should be provided with temporary access to the One Identity Manager. These employee can log in to the Web Portal as new workers. New employee objects are added for them in the One Identity Manager database.
If you make use of this functionality, take note of the following:
In One Identity Manager, an employee with the following properties is created:
If the QER | Attestation | UserApproval configuration parameter is set, the new employee is attested automatically.
To assign company resources to the employee or to ensure permissions in One Identity Manager, implement custom processes.
For more information about attestation, see the One Identity Manager Attestation Administration Guide.