10.7:documentation:hr_processes

HR Processes

The process of identity lifecycle (ILP), in other words HR process, manages the user identity in CzechIdM during its existence based on the changes of its contracted positions. For example, there is a process "End of contract" that watches the beginning and the end of user's contracted position. If the contracted position ends, the process removes all user roles from it.

This article assumes that the identity already exists in CzechIdM, whether created manually or synchronized from a system, and focuses only on actual HR processes, i. e., contract changes.

The following text describes the core set of HR processes managed by CzechIdM. All processes are managed based on the contract's attributes. These are the attributes that the processes watch for a change:

  • Valid from
  • Valid till
  • Enabled
  • Work position

Valid from and valid till attributes defines contracted position validity, i.e. The contracted position is valid if and only if the current date is between or equal to valid from and valid till. We use the term contracted position's validity in following text.

If you want to use ILPs, you must synchronize contracted positions from a source system with attributes mentioned above or manage them manually.

Since the version 7.6 has been released, the following processes are managed by events, i. e., immediately after the Watched attribute is changed, the Effect take place. For example, when the administrator changes the employee's last Contract end date to past, the employee's roles are removed and the identity is blocked. There is no need to wait for the Scheduled task to run. Scheduled tasks are still available though to be used for processing large amount of data (e. g., after synchronization).
  • Watched entity: contracted position,
  • Watched attributes: valid from, valid till, enabled,
  • Process trigger: The identity's contracted position becomes valid and enabled,
  • Effect: the identity that belong to the changed contracted position is enabled.

Upon creation, the identity is in the state Created. It can be enabled only if the current date is between the contract's attributes 'Valid from' and 'Valid till'. If 'Valid from' and 'Valid till' are not specified, the contract is automatically considered valid. If 'Valid till' is not specified but 'Valid from' is in the past the contract is considered valid as well. If 'Valid from' is in the future, the contract is invalid but once the date specified in 'Valid from' comes, the state changes to valid.

The process is a stateful task, therefore, the contracted position is processed only once and then when it is set invalid again.

  • Watched entity: contracted position,
  • Watched attributes: valid from, valid till,
  • Process trigger: The identity's contracted position becomes invalid,
  • Effect: All assigned roles are removed from the ended contract. Additionally, if the ended contract was the last valid contract of the identity, the identity itself is disabled.

If the 'Valid till' comes, the contract becomes invalid. This means that all assigned role of the contract are removed. If this was the last contract of the identity, the identity's state changes to 'Left'.

The process is a stateful task, therefore, the contracted position is processed only once and then when it is set valid again.

  • Watched entity: contracted position,
  • Watched attributes: valid from, valid till, enabled
  • Process trigger: The identity's contracted position becomes valid and not enabled
  • Effect: If the processed contract was the last valid contracted position of the identity, the whole identity is disabled. No roles are removed by the process.

Contract exclusion is a process used when the contract is temporarily "stopped", i. e., the user will not be at work for some time. Typically, this is used to represent parental leave. When a contract becomes excluded, the state changes to 'inactive'. No roles are removed from the contract but identity's state will be provisioned to connected systems (if the systems support disabling users and it is configured in IdM).

Once the contract stops being excluded (e. g., the parental leave ends), the identity's state will change to active again and this change will be provisioned to connected systems, i. e., all accounts will be activated again.

The process is a stateful task, therefore, the contract is processed only once and then when it is enabled again. End of contracted position exclusion is managed by the Enable contract process.

In fact this is not full-blooded identity lifecycle process, because it is not managed by any special long running task, workflow or by other means. It just uses standard CzechIdM feature - automatic roles. But since those processes are often understood as HR process from the business point of view, we describe them here.

  • Watched entity: contracted position,
  • Watched attributes: work position
  • Process trigger: The identity's contracted position is placed into/removed from organization structure (Tree structure).
  • Effect: Automatic roles defined on the Tree structure are assigned in case of placing the contracted position there or removed in case of removing the contracted position from the structure. Automatic roles are not passed for role a assignment approval, they are assigned immediately.

If the contract is not valid yet, all automatic roles are assigned anyway, but each role's assignment validity date (do not mistake it with role validity) is tied to the contract's validity. In other words, the effect of the role (e.g. the account creation in a managed system) is done the same day the contracted position begins, not sooner. If the contract's work position changes, the automatically assigned role are removed (unless they are also set for the new work position) and the roles defined for the new work position are assigned.