Identity state

The identity life cycle is controlled by an identity's state. The state is changed automatically by system - when an identity is created, a default contract to the identity is added.

Identity states:

• created - identity is enabled. The state is assigned to a newly created identity.
• no contract - identity is disabled. Identity doesn't have a contract. All contracts were deleted.
• future contract - identity is disabled. Identity has a valid contract in the future, but not now.
• valid - identity is enabled. Identity has a valid contract.
• left - identity is disabled. Identity has invalid contracts only.
• excluded (~disabled) - identity is excluded (disabled). Identity contracts are excluded (assigned roles are not removed when identity is excluded). This is usually used when the user has parental leave.
• disabled manually - identity is disabled manually, e.g. by administrator/synchronization. Manually disabled identity can be enabled again only manually (assigned roles are not removed, when identity is disabled manually).

When identity becomes valid (i. e., at least one of their contracts becomes valid) and the identity has an account on at least one target system, then the new password is generated and changed on all identity's accounts ⇒ identity will have the same password in all accounts. Notification (see acc:newPasswordAllSystems template) is sent to identity about which of their accounts were changed.