What are lifecycle states and how do I work with them?

1. Go to Identities > Identity Profile.

2. Click the identity profile you want to edit.

3. Click Provisioning.

On the left, you will see tabs for Active and Inactive, the default lifecycle states.

4. Click Add.

5. In Add New Lifecycle State, type the name of your new lifecycle state.

The technical name appears below. Letters you type in the display name that are preceded by a space are capitalized in the technical name.

NOTES:

• The technical name is case sensitive. It can be used in scripts related to system behavior. This is also the required value in flat file sources when the user moves into this state.
• This field does not accept special characters.

6. Click OK.

Your new lifecycle state appears in the list on the left, which is sorted in alphabetical order. You can see the number of identities in each lifecycle state to the right of its name.

Best Practice: To ensure that the provisioning behavior works as expected from start to finish, disable the lifecycle state while you're making changes. You can do this by clearing the Enabled checkbox on the lifecycle state. The number of identities in each lifecycle state will display as 0.

Complete the following steps:

1. Click the lifecycle state you want to configure or edit.

2. To specify which sources a Maintain, Enable or Disable action should be applied to for each lifecycle state, select one of the following options in Settings for Previous Accounts:

• Maintain Status - This maintains the status quo for the user's current set of accounts. Essentially, this option has no net action. For example, if a user is on a leave of absence, they might keep their current accounts.

If you previously configured changes for a lifecycle state, selecting Maintain Status and clicking Save will remove those changes.

• Configure Changes - Selecting this option makes the Account Configuration Options panel available where you can select to Enable or Disable accounts:
  • Enable Accounts - If the user has any account access that is already disabled, moving them into the new state returns their account to a normal enabled state. For example, if a user moves from pre-hire to active, their access to your company's HR portal and expense reporting software might get activated.
  • Disable Accounts - This disables accounts which might not be in a currently disabled state. This might be applicable if an identity gets terminated and their accounts need to be disabled from further use.

NOTES:

• Selecting one or both of these Account Configuration Options makes the corresponding Source Accounts to Enable/Disable panels available where you can further fine tune your lifecycle states on a per-source basis.
• These settings affect only the status of the user's accounts. With deprovisioning, any access profiles that were granted to a user in a previous lifecycle state are always automatically revoked when the user moves to the new lifecycle state. Entitlements assigned to those accounts are determined exclusively by the access profiles in the Access Profiles to Apply panel.
• If you add a new source, you will also have to explicitly add the desired Enable/Disable actions for any lifecycle state changes.

3. Enable or disable specific source accounts

In the Source Accounts to Enable/Disable panels you can select, add, and remove specific sources in your organization as follows:

a. In the Available sources field, search or click V to see a list of available sources that support Enable/Disable account actions.

b. Select a source, and click +Add to add it or X to remove it.

NOTES:

• If a source is not explicitly selected, then this assumes that no action is taken for the source when a user enters the lifecycle state.
• If all sources are removed from the Source Accounts to Enable/Disable panels, then the checkbox selection of the corresponding Enable/Disable Accounts option will be removed.
• Due to browser limitations, administrators can configure Enable or Disable actions on a combined total of 40 sources in the UI. You can use IdentityNow REST APIs to configure more than 40 sources if needed, however these will only be manageable via API. For assistance, contact Expert Services.
• If you wish to return to using the UI after configuring more than 40 sources in the API, you must do one of the following to reduce the number of sources with configured actions to less than 40:
  • Use the API to reduce the number of sources.
  • Select Maintain Status and click Save to remove all sources from the Enable/Disable lists for that lifecycle state.

4. Add one or more access profiles to the Access Profiles to Grant panel by searching for applicable access profiles in Add Access Profile.

NOTES:

• This list only contains access profiles associated with sources that have the Provisioning flag enabled in the source's Config tab.
• You can either type all or part of an access profile name to search for a specific access profile. You can also click in the field to see all access profiles in IdentityNow.
• Best Practice: Only assign an access profile to either a lifecycle state or a role. Assigning the same access profile to both can cause problems with provisioning.

CAUTION: With deprovisioning, only access profiles specified here are granted to users in this lifecycle state.Therefore, if you want to maintain any entitlements across multiple lifecycle states, you'll need to grant them in each. For example, if you grant someone building access in the Active state and you want them to maintain building access while they are in On Leave, you'll need to include that access in both Active and On Leave.

5. Under Email Notification List, optionally select any or all of the following:

• Manager - The user's manager receives an email notifying them of the identity's lifecycle state change.
• All Admins - Every user in your IdentityNow site with administrator permissions receives the notification email.
• Specific Users - The system sends notifications to the specific email addresses you list.

NOTE: You can add more fields for email addresses by clicking Add and remove email addresses by clicking the ​X icon next to the field.

Configure email notifications if you want to notify anyone when an employees' state changes. For example, a user's manager might need to know when they become active within your IdentityNow system.

NOTE: This email is fully customizable. Click here for the default email template.

Best Practice: Test lifecycle states in your sandbox environment before enabling them in production.

1. In the Admin interface, go to Identities > Identity List.

2. Click the identity you want to edit.

3. Under Overview, click the Actions icon next to the Lifecycle State.

4. Click the lifecycle state you are moving the user to.

NOTE: The Action icon is disabled while IdentityNow processes your change. This could take some time to process. While you're waiting, you can perform other identity governance tasks, although you should avoid making changes to the identity that are dependent on a specific lifecycle state.

The lifecycle state changes to match what you selected and the method changes to Manual.

1. In the Admin interface, go to Identities > Identity Profiles.

2. Click the identity profile you want to edit.

3. Under Invitation Options, select one of the automatic invitation options.

4. Under Send at Lifecycle State, select a lifecycle state.

NOTE: Only lifecycle states that have been enabled are displayed. If no lifecycle state has been enabled, this field is hidden.

If you see an access profile in the list that is disabled and labeled with the message "Source provisioning not enabled" you cannot apply it to the lifecycle state.

This is because Provisioning check box on the underlying source has not been selected.

To resolve this, you can go to the related source's Config tab and select Provisioning in the Used For panel.