
Identity Manager 8.2.1 - Target System Base Module Administration Guide


Temporarily deactivating employees

The employee has temporarily left the company and is expected to return at a predefined date. The desired course of action could be to disable the user account and remove all group memberships. Or the user accounts could be deleted and reestablished with the employee's return, even if it is with a new system identification number (SID).

Temporary disabling of an employee is triggered by:

  • The Temporary disabled option

  • The start and end date for deactivation (Temporary disabled from and Temporary disabled until)

NOTE:

  • Configure the Lock accounts of employees that have left the company schedule in the Designer. This schedule checks the start date for disabling and sets the Temporarily disabled option when it is reached.

  • In the Designer, configure the Enable temporarily disabled accounts schedule. This schedule monitors the end date of the disabled period and enables the employee with their user accounts when the date expires. User accounts that were already disabled before the period of temporary absence are also re-enabled once the period has expired.

Scenario: user accounts are linked to employees and are managed through account definitions.

  • Specify in the account definitions how temporarily disabling an employee affects the user account.

Scenario: user accounts are linked to employees. No account definition is applied.

  • Specify the desired behavior using the QER | Person | TemporaryDeactivation configuration parameter. If the configuration parameter is set, the employee's user accounts are locked if the employee is permanently or temporarily disabled. If the configuration parameter is not set, the employee's properties do not have any effect on the associated user accounts.


Permanently deactivating employees

Employees can be deactivated permanently when, for example, they leave the company. It might be necessary to remove this employee's access to entitlements in connected target systems and to their company resources.

Effects of permanently deactivating an employee are:

  • The employee cannot be assigned to employees as a manager.

  • The employee cannot be assigned to roles as a supervisor.

  • The employee cannot be assigned to attestation policies as an owner.

  • There is no inheritance of company resources through roles if the additional No inheritance option is set for an employee.

  • Employee user accounts are locked or deleted and then removed from group memberships.

Trigger permanent deactivation through:

  • The Deactivate employee permanently task

    This task ensures that the Permanently deactivated option is enabled and the leaving date and last working day are set to the current date.

  • The leaving date is reached

    NOTE:

    • In the Designer, check the Lock accounts of employees that have left the company schedule. This schedule regularly checks the leaving date and sets the Permanently deactivated option on reaching the date.

    • The Re-enable employee task ensures that the employee is re-enabled.

  • The Denied certification status

    If an employee's certification status is set to Denied manually or as a result of attestation, the employee is immediately permanently deactivated. When the employee's certification status is changed to Certified, the employee is activated again.

    NOTE: This function is only available if the Attestation Module is installed.

Scenario: user accounts are linked to employees and are managed through account definitions.

  • Specify in the account definitions how permanently deactivating an employee affects the user account.

Scenario: user accounts are linked to employees. No account definition is applied.

  • Specify the desired behavior using the QER | Person | TemporaryDeactivation configuration parameter. If the configuration parameter is set, the employee's user accounts are locked if the employee is permanently or temporarily deactivated. If the configuration parameter is not set, the employee's properties do not have any effect on the associated user accounts.


Deferred deletion of an employee

When an employee is deleted, a check is made to see whether user accounts and company resources are still assigned, or whether there are still pending requests in the IT Shop. The employee is marked for deletion and therefore locked out of further processing. Before an employee can finally be deleted from the One Identity Manager database, you need to delete all company resource assignments and close all requests. You can do this manually or implement custom processes to do it. By default, One Identity Manager can delete all user accounts linked to an employee once that employee has been deleted. If no more company resources are assigned, the employee is finally deleted.

Scenario: user accounts are linked to employees and are managed through account definitions.

  • Specify in the account definitions, how deletion of an employee affects their user accounts. The user accounts can be locked or enabled for the period that deletion is deferred. In any case, the user accounts are deleted from the One Identity Manager database once the deferred deletion period has expired.

Scenario: user accounts are linked to employees. No account definition is applied.

  • Implement custom processes to delete linked user accounts. The employee stays marked for deletion until all user accounts are deleted and assignments to company resources have been removed. The user accounts remain enabled with deferred deletion until they are physically deleted.

Disabling and deleting using account definitions

If user accounts are managed through account definitions, you can specify the desired behavior for handling user accounts and group memberships through account definitions and manage levels for temporary disabling, permanent disabling, deletion, and security risk to employees.

You can define special handling for each target system belonging to a target system type, through the relationship between the target system and account definition. For more information, see Using account definitions to create user accounts.

You can configure the following behavior:

  1. Assigning account definitions to employees

    The effects on account definition inheritance of temporary disabling, permanent disabling, deletion, and security risk to employees are specified for each account definition. The settings of previous account definitions are overwritten.

    You may want employees that are disabled or marked for deletion to inherit account definitions to ensure that all necessary permissions are made immediately available when the employee is reactivated at a later time.

    IMPORTANT: As long as an account definition applies to an employee, this employee keeps their linked user accounts. If the account definition assignment no longer applies, the user account created through this account definition is deleted.

    The following user account definition options are available for mapping behavior.

    Table 6: Main data of an account definition for the assignment behavior of the account
    Property Description

    Retain account definition if permanently disabled

    Specifies the account definition assignment to permanently deactivated employees.

    Option set: the account definition assignment remains in effect. The user account stays the same.

    Option not set: the account definition assignment is not in effect. The associated user account is deleted.

    Retain account definition if temporarily disabled

    Specifies the account definition assignment to temporarily deactivated employees.

    Option set: the account definition assignment remains in effect. The user account stays the same.

    Option not set: the account definition assignment is not in effect. The associated user account is deleted.

    Retain account definition on deferred deletion

    Specifies the account definition assignment on deferred deletion of employees.

    Option set: the account definition assignment remains in effect. The user account stays the same.

    Option not set: the account definition assignment is not in effect. The associated user account is deleted.

    Retain account definition on security risk

    Specifies the account definition assignment to employees posing a security risk.

    Option set: the account definition assignment remains in effect. The user account stays the same.

    Option not set: the account definition assignment is not in effect. The associated user account is deleted.

  2. Handling user accounts and employees

    The effects on user accounts of temporary disabling, permanent deactivation, deletion, and security risk of an employee are specified for each manage level.

    In order to remove permissions from an employee when they are being deactivated or deleted, the employee’s user accounts can be locked. If the employee is reinstated at a later date, the user accounts are also reactivated.

    The following options are available for each manage level on an account definition for handling user accounts.

    Table 7: Main data for a manage level for handling user accounts
    Property Description

    Lock user accounts if temporarily disabled

    Specifies whether user accounts of temporarily deactivated employees are locked.

    Lock user accounts if permanently disabled

    Specifies whether user accounts of permanently deactivated employees are locked.

    Lock user accounts if deletion is deferred

    Specifies whether user accounts of employees marked for deletion are locked.

    Lock user accounts if security is at risk

    Specifies whether user accounts of employees posing a security risk are locked.

  3. Inheritance of group memberships by the employee's user accounts

    The effects on group memberships of temporary deactivation, permanent deactivation, deletion, and security risk of an employee are specified for each manage level.

    If an employee is deactivated or marked for deletion, inheritance of group memberships can be suppressed for the account definition's target system. You might want this behavior if an employee's user accounts and mailboxes are locked and therefore cannot be included in distribution lists. During this deactivation period, no inheritance processes should be calculated for this employee. Existing group memberships are deleted.

    The following options are available for each manage level on an account definition for handling group memberships.

    Table 8: Master data of a manage level for handling group memberships
    Property Description

    Retain groups if temporarily disabled

    Specifies whether user accounts of temporarily deactivated employees retain their group memberships.

    Retain groups if permanently disabled

    Specifies whether user accounts of permanently deactivated employees retain their group memberships.

    Retain groups on deferred deletion

    Specifies whether user accounts of employees marked for deletion retain their group memberships.

    Retain groups on security risk

    Specifies whether user accounts of employees posing a security risk retain their group memberships.

    Retain groups if user account disabled

    Specifies whether disabled user accounts retain their group memberships.
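The following Python model, added here as an illustration and not code from One Identity Manager, works through the decision rules of the two scenarios above and of Tables 6 to 8: for one employee state it derives whether the user account is kept, locked or deleted and whether group memberships survive, and it models when the two Designer schedules would set the deactivation flags. The state names, the AccountDefinition class, the inclusive end date, and the way "Retain groups if user account disabled" is combined with the state-specific flag are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Employee states this page distinguishes (constructed names, not the product's data model).
STATES = ("temporarily_disabled", "permanently_disabled", "deferred_deletion", "security_risk")

@dataclass
class AccountDefinition:
    retain: dict          # Table 6: "Retain account definition if/on ..." per state
    lock: dict            # Table 7: "Lock user accounts if ..." per state (manage level)
    retain_groups: dict   # Table 8: "Retain groups if/on ..." per state (manage level)
    retain_groups_if_locked: bool = True  # Table 8: "Retain groups if user account disabled"

def evaluate(state, acct_def, temporary_deactivation_param=False):
    """Return (user account outcome, group memberships kept?) for one employee state."""
    if state not in STATES:
        raise ValueError(f"unknown employee state {state!r}")
    if acct_def is None:
        # No account definition: QER | Person | TemporaryDeactivation decides locking for temporary and
        # permanent deactivation; deferred deletion leaves accounts enabled. Group handling is not defined.
        if state in STATES[:2] and temporary_deactivation_param:
            return ("locked", None)
        return ("enabled", None)
    if not acct_def.retain[state]:
        # Assignment no longer applies: the account is deleted, so its memberships go with it.
        return ("deleted", False)
    locked = acct_def.lock[state]
    # Assumption: memberships survive only if the state-specific flag allows it and,
    # when the account is locked, "Retain groups if user account disabled" allows it too.
    keep = acct_def.retain_groups[state] and (not locked or acct_def.retain_groups_if_locked)
    return ("locked" if locked else "enabled", keep)

def scheduled_flags(today, temp_from=None, temp_until=None, leaving=None):
    """Model of the two Designer schedules: which deactivation flags apply on an ISO date string."""
    d = date.fromisoformat
    t = d(today)
    temporarily = (temp_from is not None and d(temp_from) <= t
                   and (temp_until is None or t <= d(temp_until)))  # end date inclusive (assumption)
    permanently = leaving is not None and d(leaving) <= t
    return {"Temporarily disabled": temporarily, "Permanently deactivated": permanently}

# Constructed sample: lock but keep groups during temporary absence, drop the account on permanent deactivation.
SAMPLE = AccountDefinition(
    retain={"temporarily_disabled": True, "permanently_disabled": False,
            "deferred_deletion": True, "security_risk": True},
    lock=dict.fromkeys(STATES, True),
    retain_groups={"temporarily_disabled": True, "permanently_disabled": False,
                   "deferred_deletion": False, "security_risk": False},
)
```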
