The identity lifecycle process (ILP), in other words an HR process, manages a user identity in CzechIdM throughout its existence, based on changes to its contracted positions. For example, the "End of contract" process watches the beginning and the end of a user's contracted position. If the contracted position ends, the process removes all user roles from it.
This article assumes that the identity already exists in CzechIdM, whether created manually or synchronized from a system, and focuses only on the actual HR processes, i.e., contract changes.
The following text describes the core set of HR processes managed by CzechIdM. All processes are managed based on the contract's attributes. These are the attributes that the processes watch for a change:
The valid from and valid till attributes define the contracted position's validity, i.e., the contracted position is valid if and only if the current date is between or equal to valid from and valid till. We use the term contracted position's validity in the following text.
If you want to use ILPs, you must either synchronize contracted positions from a source system with the attributes mentioned above or manage them manually.
Upon creation, the identity is in the state Created. It can be enabled only if the current date is between the contract's attributes 'Valid from' and 'Valid till'. If 'Valid from' and 'Valid till' are not specified, the contract is automatically considered valid. If 'Valid till' is not specified but 'Valid from' is in the past, the contract is considered valid as well. If 'Valid from' is in the future, the contract is invalid, but once the date specified in 'Valid from' comes, the state changes to valid.
The process is a stateful task; therefore, the contracted position is processed only once and then when it is set invalid again.
Once the 'Valid till' date comes, the contract becomes invalid. This means that all roles assigned to the contract are removed. If this was the last contract of the identity, the identity's state changes to 'Left'.
The process is a stateful task; therefore, the contracted position is processed only once and then when it is set valid again.
Contract exclusion is a process used when the contract is temporarily "stopped", i.e., the user will not be at work for some time. Typically, this is used to represent parental leave. When a contract becomes excluded, the state changes to 'inactive'. No roles are removed from the contract, but the identity's state will be provisioned to connected systems (if the systems support disabling users and it is configured in IdM).
Once the contract stops being excluded (e.g., the parental leave ends), the identity's state will change to active again and this change will be provisioned to connected systems, i.e., all accounts will be activated again.
The process is a stateful task; therefore, the contract is processed only once and then when it is enabled again. The end of a contracted position's exclusion is managed by the Enable contract process.
In fact, this is not a full-fledged identity lifecycle process, because it is not managed by any special long-running task, workflow or other means. It just uses a standard CzechIdM feature: automatic roles. But since these processes are often understood as HR processes from the business point of view, we describe them here.
If the contract is not valid yet, all automatic roles are assigned anyway, but each role's assignment validity date (not to be confused with role validity) is tied to the contract's validity. In other words, the effect of the role (e.g., the account creation in a managed system) takes place the same day the contracted position begins, not sooner. If the contract's work position changes, the automatically assigned roles are removed (unless they are also set for the new work position) and the roles defined for the new work position are assigned.
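The validity, end-of-contract and exclusion rules described above can be checked against exported data to find access that outlived its contract. The following is an added example, not CzechIdM code: the `Contract` record, the `enabled` map and the sample data are hypothetical, and it assumes an identity with several contracts stays active as long as at least one of them is valid and not excluded.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Contract:  # hypothetical export record, not a CzechIdM class
    identity: str
    valid_from: Optional[date] = None
    valid_till: Optional[date] = None
    excluded: bool = False
    roles: tuple = ()

def is_valid(c: Contract, today: date) -> bool:
    """Both bounds are inclusive; a missing bound is treated as open."""
    if c.valid_from is not None and today < c.valid_from:
        return False
    return c.valid_till is None or today <= c.valid_till

def audit(contracts, enabled, today):
    """Return (identity, finding) pairs where the data contradicts the processes."""
    findings = []
    active = set()  # identities with at least one valid, non-excluded contract
    for c in contracts:
        if is_valid(c, today):
            if not c.excluded:
                active.add(c.identity)
        elif c.valid_till is not None and today > c.valid_till and c.roles:
            # End of contract should have removed these. A contract that has
            # not started yet may legitimately hold automatic roles already.
            findings.append((c.identity, "roles on ended contract: " + ", ".join(c.roles)))
    for identity in sorted(enabled):
        if enabled[identity] and identity not in active:
            findings.append((identity, "enabled without a valid, non-excluded contract"))
    return findings

TODAY = date(2024, 6, 15)  # constructed sample data below
CONTRACTS = [
    Contract("alice", date(2020, 1, 1), date(2024, 6, 15), roles=("erp-user",)),
    Contract("bob", date(2019, 3, 1), date(2024, 6, 14), roles=("vpn",)),
    Contract("carol", date(2024, 7, 1), None, roles=("mail",)),
    Contract("dana", excluded=True, roles=("hr-app",)),
    Contract("erin", date(2018, 1, 1), date(2023, 12, 31)),
    Contract("erin", date(2024, 1, 1), None, roles=("erp-user",)),
]
ENABLED = {"alice": True, "bob": True, "carol": False, "dana": True, "erin": True}

if __name__ == "__main__":
    for identity, finding in audit(CONTRACTS, ENABLED, TODAY):
        print(f"{identity}: {finding}")
```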