Identity life cycle (ILC)
It is a contract that defines the link between an identity and a tree structure. Also, a contract plays a significant part in assigning a role to an identity. Every identity has at least one contract, as a (manually assigned or automatic) role is always assigned to a contract, not directly to an identity.
Default settings
- a default contract is established automatically once an identity has been created
- provided a default element of the organizational structure is pre-configured, an identity is placed in this position within the structure when creating a default contract
- if there is no selected default element of the structure, the identity is "placed" in a position titled "Default" WITHOUT being included in the organizational structure.
Search managers by CR
Managers can be looked up through:
- tree structures - identity with a on the tree node above.
- a direct contract manager - supervisors.
HR processes: End of contracts, and invalid contracts
HR processes depend on the state of a contract and its validity.
Prime contract position
A contract can be flagged as "main". There can be more than one contract flagged as main, or none at all.
States of a contract
Contracts can be:
- valid
- valid but EXCLUDED, provided the validFrom and validTill attributes are filled. Roles assigned to this contract are not removed - accounts on target systems remain intact. Roles assigned to this contract are not added to a logged identity
- invalid or with the DISABLED attribute
- in a "null" state, if no values are entered in the validFrom and validTill attributes
TERMINATION
- When a contract is terminated or invalidated, all the roles coupled with this contract will cease to exist as well.
- Once terminated, all assigned roles for a given contract are removed.
INVALID CONTRACTS
- When a contract is invalid, all assigned roles for this contract – be they automatic or manually assigned – are removed. No roles can be assigned to an invalid contract.
- For a periodic review of invalid contracts, the IdentityContractExpirationTaskExecutor task can be used and scheduled.
- Once a contract becomes valid again, then all automatic roles are assigned again.
DISABLED IDENTITY AND REACTIVATION
- When an identity’s last contract is removed or all contracts are invalid or excluded, then the identity is disabled. Once the contract becomes valid once again or a new valid contract is added, the identity is activated again.
CONTRACTS WITH TIME SLICES
- Note that contracts cannot be modified or removed when they contain some time slices (i.e., are controlled by slices). Only when the last slice of the contract is deleted, can the contract be deleted, too. See more on time slices here.
These HR automatic processes can be executed in two ways:
- the process is executed as soon as an identity’s contract is changed (active operation)
- long-running tasks are scheduled, mainly overnight. So while the contract change is saved during the synchronization from a source system, the respective HR processes are executed separately afterwards
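Because the scheduled variant leaves a window between a contract change and the HR processes, a periodic consistency check against the rules above is useful. The following is an added example, not code from the product: the record layout, field names and sample data are hypothetical, and it assumes that a missing validFrom or validTill means an open bound and that an expired or DISABLED contract counts as invalid even if it is also flagged EXCLUDED.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Contract:                        # hypothetical export record, not the product's schema
    valid_from: Optional[date] = None
    valid_till: Optional[date] = None
    state: Optional[str] = None        # None, "EXCLUDED" or "DISABLED"
    roles: list = field(default_factory=list)

def classify(c: Contract, today: date) -> str:
    """Map a contract to one of the states listed under 'States of a contract'."""
    started = c.valid_from is None or c.valid_from <= today    # assumption: open bound
    running = c.valid_till is None or today <= c.valid_till    # assumption: open bound
    if c.state == "DISABLED" or not (started and running):
        return "invalid"
    if c.state == "EXCLUDED":
        return "excluded"
    if c.valid_from is None and c.valid_till is None:
        return "null"
    return "valid"

def audit(identities: dict, today: date) -> list:
    """Return (user, finding) pairs where the data contradicts the documented rules."""
    findings = []
    for user, rec in identities.items():
        states = [classify(c, today) for c in rec["contracts"]]
        for c, s in zip(rec["contracts"], states):
            if s == "invalid" and c.roles:   # invalid contracts must carry no roles
                findings.append((user, "roles on invalid contract: " + ",".join(c.roles)))
        # No contracts, or only invalid/excluded ones: the identity must be disabled.
        if all(s in ("invalid", "excluded") for s in states) and not rec["disabled"]:
            findings.append((user, "enabled without a valid contract"))
    return findings

TODAY = date(2024, 6, 1)               # fixed date so the constructed sample is reproducible
SAMPLE = {                             # constructed sample data
    "alice": {"disabled": False, "contracts": [
        Contract(date(2023, 1, 1), date(2025, 1, 1), None, ["hr-clerk"])]},
    "bob": {"disabled": False, "contracts": [
        Contract(date(2022, 1, 1), date(2024, 3, 31), None, ["vpn-user"])]},
    "carol": {"disabled": True, "contracts": [
        Contract(date(2023, 1, 1), date(2025, 1, 1), "EXCLUDED", ["crm-user"])]},
    "dave": {"disabled": False, "contracts": []},
}

if __name__ == "__main__":
    for user, finding in audit(SAMPLE, TODAY):
        print(f"{user}: {finding}")
```

Roles on an excluded contract (carol) are not reported, since the page states they are kept while the contract is excluded.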
Other contractual positions
Other contractual positions which can be set are used just for the assignment of automatic roles by the tree structure.
Note: the filtering and evaluating of managers and subordinates through other contractual positions is not supported.
Roles, organizations, and contracts
Linking a role to the organizational structure
Everyone authorized to edit a role can assign the role to a component of any organizational structure. The action of assigning a role to, or removing it from, a structural component is subject to the same approval as assigning a role to an ordinary user. Once the approval is granted, this amounts to a sort of "pre-approval" for all the users incorporated within the organizational structure. From then on, assigning a role to a user does not require a special approval (it had been approved for the entire organizational unit in which a user is situated).
Displaying information about automatically assigned roles
The information about the roles linked to the organizational structure is displayed in these sections:
- In the structure component detail, there is a list of roles which have been assigned to it
- For every role, a list of structural components (the whole path in the tree), for which the role is automatically assigned to users, is displayed.
- For every user, there is a list of assigned roles that they have been granted automatically.
Audit
All changes regarding roles coupled with organizational structures are audited. The log provides this information:
- changes in roles, new automatic rules
- references to the process through which changes had occurred: synchronization or via the web