HR Processes
The identity lifecycle process (ILP), in other words an HR process, manages a user identity in CzechIdM over the course of its existence by watching for changes to the identity's contracted positions. For example, the "End of contract" process keeps an eye on the beginning and end of the user's contracted position. If the contracted position ends, the process removes all user roles from it.
Standard ILPs
The following text describes the core set of HR processes handled by CzechIdM. All processes are driven by the contracted position attributes. The processes watch the following attributes for any changes:
- Valid from
- Valid to
- Enabled
- Position
The valid from and valid to attributes determine the contracted position validity, i.e. the contracted position is valid if and only if the current date is between valid from and valid to, or equal to either of them. We use the term contracted position validity throughout this text.
If you want to use ILPs, you must synchronize the contracted positions from a source system with the above-mentioned attributes, or manage them manually.
Enabled contracts
- Watched entity: contracted position,
- Watched attributes: valid from, valid to, enabled,
- Process trigger: The identity's contracted position becomes valid and enabled,
- Effect: identity that belongs to the changed contracted position is enabled.
The process is a stateful task, therefore the contracted position is processed only once until it is set not valid again.
End of contract
- Watched entity: contracted position,
- Watched attributes: valid from, valid to,
- Process trigger: The identity's contracted position becomes not valid,
- Effect: All manually added roles are removed from an ended contract. Additionally, if the ended contract was the last valid contract of the identity, the identity itself is disabled.
The process is a stateful task, therefore the contracted position is processed only once until it is set valid again.
Contract exclusion
- Watched entity: contracted position,
- Watched attributes: valid from, valid to, enabled
- Process trigger: The identity's contracted position becomes valid and not enabled
- Effect: If the processed contract was the last valid contracted position of the identity, the whole identity is disabled. No roles are removed by the process.
The process is a stateful task, therefore the contract is processed only once until it is enabled again. The end of the contracted position exclusion is managed by the Enabled contracts process.
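The three stateful processes above can be modelled as one scheduled run over an identity's contracted positions. The following Python sketch is an added example, not CzechIdM code: the `Contract` and `Identity` classes, the `run` function and the sample data are hypothetical, and it assumes that "becomes not valid" means a transition from a previously processed valid state.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Contract:  # hypothetical model of a contracted position
    valid_from: date
    valid_to: date
    enabled: bool = True
    manual_roles: list = field(default_factory=list)

@dataclass
class Identity:  # hypothetical model; "processed" is the stateful-task memory
    contracts: dict
    enabled: bool = False
    processed: dict = field(default_factory=dict)

def is_valid(c, today):
    return c.valid_from <= today <= c.valid_to  # both bounds included

def process_for(c, today):
    if not is_valid(c, today):
        return "End of contract"
    return "Enabled contracts" if c.enabled else "Contract exclusion"

def run(identity, today):
    """One scheduled run; returns the (contract id, process) pairs that fired."""
    fired = []
    for cid, c in identity.contracts.items():
        process, previous = process_for(c, today), identity.processed.get(cid)
        identity.processed[cid] = process
        if process == previous:
            continue  # stateful: processed once until the state changes
        if process == "End of contract" and previous is None:
            continue  # assumption: never seen valid, so it did not "become" not valid
        fired.append((cid, process))
        if process == "End of contract":
            c.manual_roles.clear()  # Contract exclusion removes no roles
        others = [o for k, o in identity.contracts.items() if k != cid]
        if process == "Enabled contracts":
            identity.enabled = True
        elif not any(is_valid(o, today) for o in others):
            identity.enabled = False  # it was the last valid contract
    return fired

# Constructed sample: one identity with two overlapping contracted positions.
SAMPLE = Identity({
    "A": Contract(date(2024, 1, 1), date(2024, 6, 30), manual_roles=["vpn"]),
    "B": Contract(date(2024, 3, 1), date(2024, 12, 31), manual_roles=["crm"]),
})
```

Calling `run(SAMPLE, day)` for successive days shows the stateful behaviour: a second run with unchanged attributes fires nothing, and the identity is disabled only when the ended or excluded contract was the last valid one.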
Work position assignment/change/removal
In fact, this is not a full-fledged identity lifecycle process, because it is not managed by any special long-running task, workflow, or other means. It just uses a standard CzechIdM feature: automatic roles. But since these processes are often seen as part of the HR process from the business point of view, we describe them here.
- Watched entity: contracted position,
- Watched attributes: position
- Process trigger: The identity's contracted position is placed into/removed from an organization structure (Tree structure).
- Effect: Automatic roles linked to the Tree structure are assigned once the contracted position is placed there, or removed when the contracted position is removed from the structure. Automatic roles do not go through a role assignment approval process; they are assigned instantly.
Even if a contract is not valid yet, all automatic roles are assigned anyway, but each role's assignment validity date (not to be mistaken for the role validity) is tied to the contract's validity. In other words, the effect of the role, e.g. the account creation on a managed system, is done the same day, and the contracted position cannot begin prior to that.