What are lifecycle states and how do I work with them?

A lifecycle state is IdentityNow's way of describing an employee's status within a company. For example, if you've hired a new employee but they haven't started yet, they might be in a pre-hire state in your system as you prepare their accounts. When an employee's status at your company changes, there are typically changes to their accounts in the various systems they have access to. For example, if an employee moves from pre-hire to active, they might be granted new access. If you have Provisioning enabled for your org, IdentityNow can automatically make those access changes for that user. IT and other departments can do certain preliminary work to set up users' access to various systems so that on the user's start date, they have the appropriate entitlements on those systems immediately.

These settings are unique to specific identity profiles, which means that you can define a separate set of lifecycle states and access rights for contractors, employees, partners, remote workers, and various other populations within your workforce.

In addition, the actual response the system has to these settings depends on the type of source the accounts belong to. Some sources, such as Active Directory, support automatic provisioning of accounts and entitlements. Other sources create tasks on the source owner's Task Manager that remind that person to manually perform the specified action.

You can use the Provisioning tab on an identity profile to define the various lifecycle states a typical employee might experience and how IdentityNow manages their access to apps and sources based on those states.


Creating a New Lifecycle State

Prerequisites:

  • You must have at least one access profile and at least one identity profile
  • The Provisioning feature must be turned on and set up for your org
  • Ensure that the user has a valid email address in the authoritative source


Complete the following steps:

1. Go to Identities > Identity Profile.

2. Click the identity profile you want to edit.

3. Click Provisioning.

On the left, you will see tabs for Active and Inactive, the default lifecycle states.

4. Click Add.


5. In Add New Lifecycle State, type the name of your new lifecycle state.

The technical name appears below. Letters you type in the display name that are preceded by a space are capitalized in the technical name.

NOTES:

  • The technical name is case sensitive. It can be used in scripts related to system behavior. This is also the required value in flat file sources when the user moves into this state.
  • This field does not accept special characters.

6. Click OK.


Your new lifecycle state appears in the list on the left, which is sorted in alphabetical order. You can see the number of identities in each lifecycle state to the right of its name.

 

 

Configuring a Lifecycle State

Prerequisite: Be familiar with your organization's various sources and their capabilities.

 

Best Practice: To ensure that the provisioning behavior works as expected from start to finish, disable the lifecycle state while you're making changes. You can do this by clearing the Enabled checkbox on the lifecycle state. The number of identities in each lifecycle state will display as 0.

Complete the following steps:

1. Click the lifecycle state you want to configure or edit.


2. To specify which sources a Maintain, Enable or Disable action should be applied to for each lifecycle state, select one of the following options in Settings for Previous Accounts:

  • Maintain Status - This maintains the status quo for the user's current set of accounts. Essentially, this option has no net action. For example, if a user is on a leave of absence, they might keep their current accounts.

If you previously configured changes for a lifecycle state, selecting Maintain Status and clicking Save will remove those changes.

  • Configure Changes - Selecting this option makes the Account Configuration Options panel available where you can select to Enable or Disable accounts:
    • Enable Accounts - If the user has any account access that is already disabled, moving them into the new state returns their account to a normal enabled state. For example, if a user moves from pre-hire to active, their access to your company's HR portal and expense reporting software might get activated.
    • Disable Accounts - This disables accounts which might not be in a currently disabled state. This might be applicable if an identity gets terminated and their accounts need to be disabled from further use.

NOTES:

    • Selecting one or both of these Account Configuration Options makes the corresponding Source Accounts to Enable/Disable panels available where you can further fine tune your lifecycle states on a per-source basis.
    • These settings affect only the status of the user's accounts. With deprovisioning, any access profiles that were granted to a user in a previous lifecycle state are always automatically revoked when the user moves to the new lifecycle state. Entitlements assigned to those accounts are determined exclusively by the access profiles in the Access Profiles to Apply panel.
    • If you add a new source, you will also have to explicitly add the desired Enable/Disable actions for any lifecycle state changes.

3. Enable or disable specific source accounts

In the Source Accounts to Enable/Disable panels you can select, add, and remove specific sources in your organization as follows:

a. In the Available sources field, search or click V to see a list of available sources that support Enable/Disable account actions.

b. Select a source, and click +Add to add it or X to remove it.

NOTES:

  • If a source is not explicitly selected, no action is taken for that source when a user enters the lifecycle state.
  • If all sources are removed from the Source Accounts to Enable/Disable panels, then the checkbox selection of the corresponding Enable/Disable Accounts option will be removed.
  • Due to browser limitations, administrators can configure Enable or Disable actions on a combined total of 40 sources in the UI. You can use IdentityNow REST APIs to configure more than 40 sources if needed; however, these will only be manageable via API. For assistance, contact Expert Services.
  • If you wish to return to using the UI after configuring more than 40 sources in the API, you must do one of the following to reduce the number of sources with configured actions to less than 40:
    • Use the API to reduce the number of sources.
    • Select Maintain Status and click Save to remove all sources from the Enable/Disable lists for that lifecycle state.

4. Add one or more access profiles to the Access Profiles to Grant panel by searching for applicable access profiles in Add Access Profile.

NOTES:

  • This list only contains access profiles associated with sources that have the Provisioning flag enabled in the source's Config tab.
  • You can either type all or part of an access profile name to search for a specific access profile. You can also click in the field to see all access profiles in IdentityNow.
  • Best Practice: Only assign an access profile to either a lifecycle state or a role. Assigning the same access profile to both can cause problems with provisioning.

CAUTION: With deprovisioning, only access profiles specified here are granted to users in this lifecycle state. Therefore, if you want to maintain any entitlements across multiple lifecycle states, you'll need to grant them in each. For example, if you grant someone building access in the Active state and you want them to maintain building access while they are in On Leave, you'll need to include that access in both Active and On Leave.


5. Under Email Notification List, optionally select any or all of the following:

  • Manager - The user's manager receives an email notifying them of the identity's lifecycle state change.
  • All Admins - Every user in your IdentityNow site with administrator permissions receives the notification email.
  • Specific Users - The system sends notifications to the specific email addresses you list.

NOTE: You can add more fields for email addresses by clicking Add and remove email addresses by clicking the X icon next to the field.

Configure email notifications if you want to notify anyone when an employee's state changes. For example, a user's manager might need to know when they become active within your IdentityNow system.


NOTE: This email is fully customizable. Click here for the default email template.

Best Practice: Test lifecycle states in your sandbox environment before enabling them in production.

If you want users to be moved to lifecycle states automatically, open a support ticket to configure a transform so that users who meet the criteria in the transform can be moved into this lifecycle state.

6. Enable the lifecycle state and click Save.
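The CAUTION in step 4 and the role/lifecycle state best practice can be checked before a lifecycle state is enabled. The following is an added example, not SailPoint code: it audits a hand-written copy of the configuration, and every state, role and access profile name in it is constructed for illustration.

```python
# Constructed configuration (all names hypothetical): each lifecycle state's
# "Access Profiles to Grant" list, and the access profiles attached to roles.
STATE_GRANTS = {
    "Pre-Hire": {"HR Portal"},
    "Active": {"HR Portal", "Building Access", "Expense Reporting"},
    "On Leave": {"HR Portal"},
    "Inactive": set(),
}
ROLE_GRANTS = {"Finance Analyst": {"Expense Reporting", "General Ledger"}}

# Access that must survive a given transition, as (profile, from_state, to_state).
MUST_KEEP = [("Building Access", "Active", "On Leave"),
             ("HR Portal", "Active", "On Leave")]


def transition_delta(grants, old_state, new_state):
    """Access profiles revoked, granted and kept when moving between states."""
    old, new = grants[old_state], grants[new_state]
    return {"revoked": sorted(old - new),
            "granted": sorted(new - old),
            "kept": sorted(old & new)}


def unintended_revocations(grants, must_keep):
    """Rules in must_keep that the configuration breaks."""
    return [(profile, src, dst) for profile, src, dst in must_keep
            if profile in grants[src] and profile not in grants[dst]]


def role_overlaps(grants, roles):
    """Access profiles assigned to both a lifecycle state and a role."""
    found = []
    for state, state_profiles in grants.items():
        for role, role_profiles in roles.items():
            for profile in sorted(state_profiles & role_profiles):
                found.append((profile, state, role))
    return found


if __name__ == "__main__":
    print(transition_delta(STATE_GRANTS, "Active", "On Leave"))
    print(unintended_revocations(STATE_GRANTS, MUST_KEEP))
    print(role_overlaps(STATE_GRANTS, ROLE_GRANTS))
```

With this sample, Building Access is reported as lost on the move from Active to On Leave, and Expense Reporting is reported as assigned to both the Active state and a role.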

 

Moving a User Into a Lifecycle State

You can move users into lifecycle states automatically or manually.

Automatically

You can configure your implementation of IdentityNow to recognize certain attributes within your source and use them to determine the lifecycle state. When those attributes are updated during an aggregation, the user's lifecycle state changes automatically.

You can see an identity's lifecycle state on their identity page. These might include the following:

  • <lifecycle state> (Automatic) - This occurs when an identity's lifecycle state is set automatically either when imported from the source system or when a triggering event causes it to change. For example, if the person is in the Pre-Hire state, on their start date they might be automatically moved into the Active state.

  • Lifecycle State Not Set (Automatic) - This occurs if there is no value assigned to the Lifecycle State attribute when the identity is added to the system. This might also occur if the Lifecycle State attribute on the identity profile is not mapped to an attribute or transform.

  • Lifecycle State Not Valid (Automatic) - This occurs if the value from the source system does not match one of the lifecycle states defined in IdentityNow.

  • Lifecycle State Does Not Match Technical Name Case (Automatic) - This occurs if the value from the source system matches the technical name of the lifecycle state except for the case. The technical name is always lower case, so if there is a mismatch (e.g., the lifecycle state in IdentityNow is "active" and the value in AD is "Active"), it would result in this message. 

You can open a support ticket to configure transforms for these attributes if you need to use more than one attribute to calculate a lifecycle state.
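The statuses listed above can be anticipated before an aggregation by checking the source values against the configured technical names. The following is an added example, not SailPoint code: it runs the check over a flat-file extract, and the column names, technical names and rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

NOT_SET = "Lifecycle State Not Set"
NOT_VALID = "Lifecycle State Not Valid"
CASE_MISMATCH = "Lifecycle State Does Not Match Technical Name Case"

# Constructed sample data: technical names and a flat-file extract.
TECHNICAL_NAMES = {"prehire", "active", "inactive"}
SAMPLE_CSV = """employee_id,lifecycle_state
1001,active
1002,Active
1003,
1004,terminated
1005,inactive
1006,INACTIVE
"""


def classify(value, technical_names):
    """Map one source value to a status from the list above, or None if it matches."""
    if not value:
        return NOT_SET
    if value in technical_names:  # exact, case-sensitive comparison
        return None
    if value.lower() in {name.lower() for name in technical_names}:
        return CASE_MISMATCH
    return NOT_VALID


def preflight(csv_text, technical_names, id_col="employee_id",
              state_col="lifecycle_state"):
    """Return (problems, summary) for rows whose value does not match a state."""
    problems = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row.get(state_col), technical_names)
        if status is not None:
            problems.append((row[id_col], row.get(state_col) or "", status))
    summary = Counter(status for _, _, status in problems)
    return problems, summary


if __name__ == "__main__":
    problems, summary = preflight(SAMPLE_CSV, TECHNICAL_NAMES)
    for identity, value, status in problems:
        print(f"{identity}: {value!r} -> {status}")
    print(dict(summary))
```

Row 1006 is the case to watch in a leaver feed: the value "INACTIVE" differs from the technical name only by case, so it is reported as a case mismatch rather than as a match for the inactive state.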

Manually

You might want to manually change a user's lifecycle state if they have changed positions or left the company and your authoritative source has not yet been updated. Changing a user's lifecycle state manually will keep the user in that state until the source changes, even if you run an aggregation.

When a user's lifecycle state changes because of an aggregation or change in source data, the method on their Overview is set to Automatic. If a user's lifecycle state changes because an admin manually selects it, the method changes to Manual.

CAUTION: The manual setting is applicable as long as the underlying value on the source doesn't change. As soon as the value on the source changes, the Lifecycle State field gets reset to an automatic value. For example, if Joe Smith is set to Active (Automatic), you can manually change him to Inactive (Manual). If the source value changes from Active to On Leave, the value in IdentityNow will change to On Leave (Automatic).

Complete the following steps:

1. In the Admin interface, go to Identities > Identity List.

2. Click the identity you want to edit.

3. Under Overview, click the Actions icon next to the Lifecycle State.

4. Click the lifecycle state you are moving the user to.

NOTE: The Action icon is disabled while IdentityNow processes your change. This could take some time to process. While you're waiting, you can perform other identity governance tasks, although you should avoid making changes to the identity that are dependent on a specific lifecycle state.

The lifecycle state changes to match what you selected and the method changes to Manual.


 

Inviting Users to IdentityNow After a Lifecycle State Change

You can configure IdentityNow to automatically send invitations to a user when they enter any lifecycle state.

For example, if you have a Pre-Hire lifecycle state used for preparing a user's accounts before their start date, when the user moves into the Active lifecycle state on their start date, the system can automatically send the invitation based on your selections.

Complete the following steps:

1. In the Admin interface, go to Identities > Identity Profiles.

2. Click the identity profile you want to edit.

3. Under Invitation Options, select one of the automatic invitation options.

4. Under Send at Lifecycle State, select a lifecycle state.

NOTE: Only lifecycle states that have been enabled are displayed. If no lifecycle state has been enabled, this field is hidden.


5. Click Save.

Whenever any of your users enter that lifecycle state, an invitation is sent to that user at the email address or addresses you selected within about an hour, depending on the number of jobs in the queue.

 

Troubleshooting

 

I can't select the access profile I want for the lifecycle state I'm configuring.

When you configure a lifecycle state on an identity profile, you can select access profiles to apply to identities when they enter that state.

If you see an access profile in the list that is disabled and labeled with the message "Source provisioning not enabled" you cannot apply it to the lifecycle state.

This is because the Provisioning check box on the underlying source has not been selected.

To resolve this, you can go to the related source's Config tab and select Provisioning in the Used For panel.

 

Changing the lifecycle state on an identity didn't trigger the provisioning action I wanted.

An identity can move from one identity profile to another. If this occurs, the provisioning actions are determined by the new identity profile.

For example, your highest priority identity profile might use an Active Directory authoritative source, and a lower priority identity profile might use a flat file source.

In the flat file source, if you change an identity's lifecycle state in a way that causes an Active Directory account to be provisioned for them, the identity will move from the flat file identity profile to the Active Directory identity profile.

This means that any changes you make to that person's lifecycle state in the flat file will no longer have any impact on provisioning for them. Only changes that occur to the Active Directory lifecycle state attribute will impact the identity going forward.
