A lifecycle state is IdentityNow's way of describing an employee's status within a company. For example, if you've hired a new employee but they haven't started yet, they might be in a pre-hire state in your system as you prepare their accounts. When an employee's status at your company changes, there are typically changes to their accounts in the various systems they have access to. For example, if an employee moves from pre-hire to active, they might be granted new access. If you have Provisioning enabled for your org, IdentityNow can automatically make those access changes for that user. IT and other departments can do certain preliminary work to set up users' access to various systems so that on the user's start date, they have the appropriate entitlements on those systems immediately.
These settings are unique to specific identity profiles, which means that you can define a separate set of lifecycle states and access rights for contractors, employees, partners, remote workers, and various other populations within your workforce.
In addition, the actual response the system has to these settings depends on the type of source the accounts belong to. Some sources, such as Active Directory, support automatic provisioning of accounts and entitlements. Other sources create tasks on the source owner's Task Manager that remind that person to manually perform the specified action.
You can use the Provisioning tab on an identity profile to define the various lifecycle states a typical employee might experience and how IdentityNow manages their access to apps and sources based on those states.
See the following sections for more information:
Prerequisites:
Complete the following steps:
1. Go to Identities > Identity Profile. 2. Click the identity profile you want to edit. 3. Click Provisioning. On the left, you will see tabs for Active and Inactive, the default lifecycle states. 4. Click Add. |
![]() |
5. In Add New Lifecycle State, type the name of your new lifecycle state. The technical name appears below. Letters you type in the display name that are preceded by a space are capitalized in the technical name. NOTES:
6. Click OK. |
![]() |
Your new lifecycle state appears in the list on the left, which is sorted in alphabetical order. You can see the number of identities in each lifecycle state to the right of its name. |
Prerequisite: Be familiar with your organization's various sources and their capabilities.
Best Practice: To ensure that the provisioning behavior works as expected from start to finish, disable the lifecycle state while you're making changes. You can do this by clearing the Enabled checkbox on the lifecycle state. The number of identities in each lifecycle state will display as 0. Complete the following steps: 1. Click the lifecycle state you want to configure or edit. |
![]() |
2. To specify which sources a Maintain, Enable or Disable action should be applied to for each lifecycle state, select one of the following options in Settings for Previous Accounts:
If you previously configured changes for a lifecycle state, selecting Maintain Status and clicking Save will remove those changes.
|
![]() |
NOTES:
3. Enable or disable specific source accounts In the Source Accounts to Enable/Disable panels you can select, add, and remove specific sources in your organization as follows: a. In the Available sources field, search or click V to see a list of available sources that support Enable/Disable account actions. b. Select a source, and click +Add to add it or X to remove it. NOTES:
|
|
4. Add one or more access profiles to the Access Profiles to Grant panel by searching for applicable access profiles in Add Access Profile. NOTES:
CAUTION: With deprovisioning, only access profiles specified here are granted to users in this lifecycle state.Therefore, if you want to maintain any entitlements across multiple lifecycle states, you'll need to grant them in each. For example, if you grant someone building access in the Active state and you want them to maintain building access while they are in On Leave, you'll need to include that access in both Active and On Leave. |
![]() |
5. Under Email Notification List, optionally select any or all of the following:
NOTE: You can add more fields for email addresses by clicking Add and remove email addresses by clicking the X icon next to the field. Configure email notifications if you want to notify anyone when an employees' state changes. For example, a user's manager might need to know when they become active within your IdentityNow system. |
![]() |
NOTE: This email is fully customizable. Click here for the default email template. Best Practice: Test lifecycle states in your sandbox environment before enabling them in production. |
![]() |
If you want users to be moved to lifecycle states automatically, open a support ticket to configure a transform so that users who meet the criteria in the transform can be moved into this Lifecycle state.
6. Enable the lifecycle state and click Save.
You can move users into lifecycle states automatically or manually.
You can configure your implementation of IdentityNow to recognize certain attributes within your source and use them to determine the lifecycle state. When those attributes are updated during an aggregation, the user's lifecycle state changes automatically.
You can see an identity's lifecycle state on their identity page. These might include the following:
You can open a support ticket to configure transforms for these attributes if you need to use more than one attribute to calculate a lifecycle state.
You might want to manually change a user's lifecycle state if they have changed positions or left the company and your authoritative source has not yet been updated. Changing a user's lifecycle state manually will keep the user in that state until the source changes, even if you run an aggregation.
When a user's lifecycle state changes because of an aggregation or change in source data, the method on their Overview sets to Automatic. If a user's lifecycle state changes because an admin manually selects it, the method changes to Manual.
CAUTION: The manual setting is applicable as long as the underlying value on the source doesn't change. As soon as the value on the source changes, the Lifecycle State field gets reset to an automatic value. For example, if Joe Smith is set to Active (Automatic), you can manually change him to Inactive (Manual). If the source value changes from Active to On Leave, the value in IdentityNow will change to On Leave (Automatic).
Complete the following steps:
1. In the Admin interface, go to Identities > Identity List. 2. Click the identity you want to edit. 3. Under Overview, click the Actions icon next to the Lifecycle State. 4. Click the lifecycle state you are moving the user to. NOTE: The Action icon is disabled while IdentityNow processes your change. This could take some time to process. While you're waiting, you can perform other identity governance tasks, although you should avoid making changes to the identity that are dependent on a specific lifecycle state. The lifecycle state changes to match what you selected and the method changes to Manual. |
![]() |
You can configure IdentityNow to automatically send invitations to a user when they enter any lifecycle state.
For example, if you have a Pre-Hire lifecycle state used for preparing a user's accounts before their start date, when the user moves into the Active lifecycle state on their start date, the system can automatically send the invitation based on your selections.
Complete the following steps:
1. In the Admin interface, go to Identities > Identity Profiles. 2. Click the identity profile you want to edit. 3. Under Invitation Options, select one of the automatic invitation options. 4. Under Send at Lifecycle State, select a lifecycle state. NOTE: Only lifecycle states that have been enabled are displayed. If no lifecycle state has been enabled, this field is hidden. |
![]() |
5. Click Save.
Whenever any of your users enter that lifecycle state, an invitation is sent to that user at the email address or addresses you selected within about an hour, depending on the number of jobs in the queue.
When you configure a lifecycle state on an identity profile, you can select access profiles to apply to identities when they enter that state.
If you see an access profile in the list that is disabled and labeled with the message "Source provisioning not enabled" you cannot apply it to the lifecycle state. This is because Provisioning check box on the underlying source has not been selected. |
![]() |
To resolve this, you can go to the related source's Config tab and select Provisioning in the Used For panel. |
An identity can move from one identity profile to another. If this occurs, the provisioning actions are determined by the new identity profile.
For example, your highest priority identity profile might be an Active Directory authoritative source and a lower priority flat file source.
In the flat file source, if you change an identity's lifecycle state in a way that causes an Active Directory account to be provisioned for them, the identity will move from the flat file identity profile to the Active Directory identity profile.
This means that any changes you make to that person's lifecycle state in the flat file will no longer have any impact on provisioning for them. Only changes that occur to the Active Directory lifecycle state attribute will impact the identity going forward.