Identity Lifecycle Inbox Configuration and Processing

Identity Lifecycle Onboarding Process Flow

The onboarding phase of the identity lifecycle within EmpowerID follows a structured, step-by-step process designed to seamlessly integrate accounts from authoritative systems into managed identities. This process consists of several critical stages:

Identity Onboarding Process Diagram

Inventory Accounts from Authoritative Systems and Populate the Account Table

EmpowerID initiates the onboarding process by inventorying accounts from authoritative sources, typically HR databases or similar structured sources of personnel data. These accounts are imported directly into EmpowerID’s account table, creating an authoritative repository for further processing.

Account Inbox Processor Joins Accounts and Creates New Person Identities

The Account Inbox Processor continuously evaluates newly inventoried accounts against existing identities. It operates based on configurable join and provisioning rules to determine appropriate actions:

  • Joining Existing Identities: The processor evaluates accounts based on anchor attributes such as employee IDs or email addresses. If a match is identified, the account is joined to the existing identity.
  • Creating New Person Identities: If no suitable match exists, the processor creates a new managed person identity, establishing a unique and distinct identity record within EmpowerID.

Attribute Flow Synchronizes Attribute Values

Following the establishment of identity associations, attribute synchronization occurs. This process ensures that attribute values from authoritative systems flow accurately and consistently into the corresponding EmpowerID person identity records. Attribute synchronization maintains data integrity and consistency and supports ongoing identity governance.

External Roles and Locations are Created and Associated with the Accounts

Based on account attributes such as job titles, divisions, and departments, EmpowerID dynamically creates external organizational roles and locations. These roles and locations are directly associated with the respective accounts through the creation of "Account External Org Role Org Zone" records, clearly identifying the external organizational context of each account.

Role and Location Compiler and Processor Assigns Business Roles and Locations

The Role and Location Compiler evaluates external role and location assignments to propose corresponding internal EmpowerID business role and location assignments. Proposed assignments are populated into an inbox queue for processing.

Subsequently, the Role and Location Processor executes the queued assignments, systematically updating each identity with the correct internal business role and location based on external mappings. This ensures identities have the correct organizational context and access rights immediately following onboarding.

Through these structured onboarding process steps, EmpowerID ensures seamless, accurate, and efficient integration of identities into organizational structures, significantly enhancing the operational efficiency and security of identity management.


Account Inbox Processing

Account Inbox Processing is a fundamental operation within EmpowerID that manages the initial stages of account handling. This process ensures that new accounts are properly evaluated and managed according to organizational rules and policies.

Account Inbox Permanent Workflow

Process Account Inbox Permanent Workflow

The Account Inbox Permanent Workflow is a continuously running workflow designed to automatically manage newly inventoried accounts. It monitors incoming accounts, systematically applying configured logic to determine how these accounts should be managed. This workflow operates transparently, providing constant governance and responsiveness to identity data.

Identity Lifecycle Settings Configuration

Identity lifecycle settings in EmpowerID provide comprehensive control over how the Account Inbox Processor manages incoming accounts. These detailed configurations ensure each account is correctly identified, matched, and integrated into the organization's identity ecosystem, significantly reducing administrative burden and enhancing operational efficiency.

Join and Provision Filter

The Join and Provision Filter serves as an initial gatekeeper, determining which accounts are eligible for processing by the Account Inbox Processor. This filter is configured to evaluate specific account attributes, including account status (active, disabled, or deleted), account type, and completeness of essential identity details, such as first name, last name, and key identifiers like employee ID or email addresses.

Administrators can define custom criteria within this filter, refining the scope of processed accounts to only those meeting organizational standards. This capability ensures unnecessary or incomplete accounts do not proceed further into processing, optimizing resource use and system performance.

Join Rules

Identity Lifecycle Settings - Join Rules

Join Rules provide precise logic that defines how EmpowerID matches incoming accounts to existing identities. EmpowerID's flexibility allows administrators to select from pre-defined matching conditions or create custom rules tailored to organizational requirements.

Typical default join rules include:

  • Employee ID and Name Match: Matches accounts based on the combination of employee ID, first name, and last name.
  • Email Address and Name Match: Evaluates the match based on email, first name, and last name.
  • Birthdate and Name Match: Utilizes birthdate alongside first and last names to establish matches.

Custom join rules may also incorporate combinations of other attributes, custom identifiers, or even custom SQL queries, providing extensive flexibility to accommodate unique matching needs. This robust configurability ensures high accuracy in matching accounts to correct existing identities, effectively reducing errors and duplicate identities.

Provision Rules

Identity Lifecycle Settings - Provision Rules

Provision Rules govern the creation of new identities from accounts that do not match existing identities. Administrators have granular control over these rules, specifying exact conditions under which new identities are provisioned.

By default, EmpowerID’s provisioning logic permits identity creation when no suitable existing identity match is found, provided the account source is designated as a provisioning source. Administrators may further define provisioning logic to include:

  • Conditional Provisioning: Creating new identities only when certain account attribute conditions are met.
  • Exclusionary Provisioning: Specifically excluding certain account types or statuses from being provisioned.
  • Custom SQL Provisioning Logic: Utilizing customized SQL logic to handle complex provisioning scenarios.

This precise configurability ensures that new identities are only provisioned under appropriate circumstances, maintaining the integrity and accuracy of the identity lifecycle.

Through meticulous configuration of these lifecycle settings, EmpowerID administrators maintain comprehensive oversight and fine-grained control, ensuring accurate, efficient, and reliable account and identity management throughout the organization's identity lifecycle processes.
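The filter, join-rule and provision-rule stages described above, which are also the Account Inbox Processor step of the onboarding flow, as one added Python simulation of a single inbox pass. This is example code, not EmpowerID code or its schema: the field names, the account and person records, and the encoding of the two default join rules are constructed assumptions. It also covers a case the text implies but does not spell out: an account that matches more than one existing identity is held rather than joined to either.

```python
# Constructed sample data (not from EmpowerID): accounts inventoried from an HR
# source, plus one existing person record they are evaluated against.
ACCOUNTS = [
    {"id": "hr-1", "status": "active", "employee_id": "E100", "first": "Ana", "last": "Silva", "email": "ana.silva@example.com"},
    {"id": "hr-2", "status": "active", "employee_id": None, "first": "Ana", "last": "Silva", "email": "ana.silva@example.com"},
    {"id": "hr-3", "status": "disabled", "employee_id": "E300", "first": "Bo", "last": "Chen", "email": "bo.chen@example.com"},
    {"id": "hr-4", "status": "active", "employee_id": "E400", "first": "", "last": "Diaz", "email": "diaz@example.com"},
    {"id": "hr-5", "status": "active", "employee_id": "E500", "first": "Eve", "last": "Ng", "email": "eve.ng@example.com"},
]
PEOPLE = [{"person_id": 1, "employee_id": "E100", "first": "Ana", "last": "Silva", "email": "ana.silva@example.com"}]

# Join rules in evaluation order; every listed attribute must match. This is a
# hypothetical encoding of the two default rules named on the page.
JOIN_RULES = [
    ("Employee ID and Name Match", ("employee_id", "first", "last")),
    ("Email Address and Name Match", ("email", "first", "last")),
]

def passes_filter(acct):
    """Join and Provision Filter: active, named, and carrying at least one anchor."""
    has_anchor = bool(acct["employee_id"] or acct["email"])
    return acct["status"] == "active" and bool(acct["first"] and acct["last"]) and has_anchor

def find_join(acct, people):
    """Return (rule_name, person) for a unique match, (rule_name, None) if ambiguous."""
    for name, attrs in JOIN_RULES:
        if any(not acct[a] for a in attrs):
            continue  # a rule never matches on an anchor the account does not carry
        hits = [p for p in people if all((p[a] or "").lower() == acct[a].lower() for a in attrs)]
        if len(hits) == 1:
            return name, hits[0]
        if hits:
            return name, None  # several candidates: refuse to join rather than guess
    return None, None

def process_inbox(accounts, people, provisioning_source=True):
    """One inbox pass; returns ({account_id: (outcome, person_id)}, updated people)."""
    people = [dict(p) for p in people]
    next_id = max((p["person_id"] for p in people), default=0) + 1
    outcomes = {}
    for acct in accounts:
        if not passes_filter(acct):
            outcomes[acct["id"]] = ("Excluded", None)
            continue
        rule, person = find_join(acct, people)
        if person is not None:
            outcomes[acct["id"]] = ("Joined", person["person_id"])
        elif rule is not None:
            outcomes[acct["id"]] = ("Ambiguous", None)  # left in the inbox for review
        elif provisioning_source:  # provision rule: new person only from a provisioning source
            people.append({"person_id": next_id, **{k: acct[k] for k in ("employee_id", "first", "last", "email")}})
            outcomes[acct["id"]] = ("Provisioned", next_id)
            next_id += 1
        else:
            outcomes[acct["id"]] = ("Unmatched", None)
    return outcomes, people
```

With the sample data, hr-2 shows the fallback from the employee-ID rule to the e-mail rule when an anchor is missing, and hr-3 and hr-4 show the filter excluding a disabled and an incomplete account before any matching runs.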

Core Identity Inbox Settings

Identity Lifecycle Settings - Core Identity Rules

Core identity configurations determine how person objects join existing core identities. Default rules join by first and last names, though additional anchor attributes (like employee ID or birthdate) can be defined for greater precision. The Core Identity Permanent Workflow must be active to create and manage Core Identities.

Leaver and Rehire Settings

EmpowerID leverages query-based collections to automate the offboarding (leaver) and rehire processes. For each type of leaver process listed below, the Submit Person Terminations Permanent Workflow evaluates the query-based collections and creates no-code flow events for the people who fall within their result sets. The no-code flow process then picks up these events and carries out the various leaver tasks.

Pre-Leaver Settings

Identity Lifecycle Settings - Pre-Leaver Configuration

These settings identify users approaching termination, allowing timely notifications and actions such as notifying managers or disabling access before the termination date. Check the box for "Use flow events for pre-leaver notification Process" for EmpowerID to submit the flow event for the pre-leaver identities.

Planned Leaver Settings

Identity Lifecycle Settings - Planned-Leaver Configuration

Define criteria to identify terminated users clearly. Once identified, EmpowerID triggers termination events that activate the relevant no-code flows to manage access revocation and cleanup. Check the box for "Use flow events for leaver Process" for EmpowerID to submit the flow event for the leaver identities.

Reactivation (Rollback Leaver) Settings

Identity Lifecycle Settings - Reactivation Configuration

These settings manage accidental terminations or quick reactivations, using defined criteria to detect and handle such scenarios without running the full termination process. Check the box for "Use flow events for Reactivation" for EmpowerID to submit the flow event for the reactivation identities.

Rehire Settings

Identity Lifecycle Settings - Rehire Configuration

EmpowerID provides processes to effectively handle users rehired after termination, restoring previous identities, reactivating disabled accounts, and reassigning relevant roles and access seamlessly. Check the box for "Use flow events for Rehire Processes" for EmpowerID to submit the flow event for the Rehire identities.

Account Inbox Monitoring

Identity Lifecycle Settings - Account Inbox

EmpowerID's Account Inbox gives administrators visibility into the processing of accounts as they are inventoried from authoritative systems. Through this page, administrators gain real-time insight into account statuses, tracking accounts as they move from initial inventory through the join and provision process. The inbox indicates whether each account has been joined to an existing identity, provisioned as a new identity, or excluded from processing by the configured filters and rules.

Administrators can effectively troubleshoot and resolve processing issues by reviewing detailed account records, processing outcomes, and associated identity information directly within the Account Inbox interface. This capability significantly enhances the efficiency and accuracy of identity lifecycle management, enabling prompt action on exceptions and ensuring adherence to organizational identity governance policies.