Setting Up Lifecycle States
Lifecycle states describe a user's status in a company. Creating and configuring custom lifecycle states for your org is key to qualifying exactly who has access, when they have access, and what they have access to.
Configure lifecycle states to update automatically or manually. Many sources, such as Active Directory, support automatic account and entitlement provisioning in IdentityNow and connect directly to IdentityNow.
Other sources are not directly connected to IdentityNow and require the source owner to set up manual changes for provisioning. These sources create flat files. The sources also create tasks in the source owner's IdentityNow Task Manager. For information on using the Task Manager to review provisioning tasks and other tasks, see Using the Task Manager.
Planning New Lifecycle States
Think about the different types of users on your company system. Consider the types of internal company sites and apps they might need to access. Also consider how and why users' access needs could change.
Apply your ideas to building a lifecycle state plan:
- Create a list of lifecycle states for your org. IdentityNow has active and inactive lifecycle states out of the box. Create custom lifecycle states as well, such as:
  - Contractor
  - Pre-hire
  - New hire
  - Employee
  - Leave of absence
  - Retired
  - Former employee
- Define the criteria for being in each lifecycle state.
- Define how IdentityNow should manage users' access to apps and sources for each lifecycle state.
Configuring New Lifecycle States
To configure a lifecycle state:
- Go to Admin > Identities > Identity Profile.
- Select the identity profile to which you want to add a new lifecycle state.
- Select the Provisioning tab.
- Select the Add option at the bottom of the panel on the left side of the page. The panel contains the default Active and Inactive lifecycle states.
- Enter a name for the new lifecycle state in the Add New Lifecycle State dialog's Name field. The name can contain only letters and numbers. As you type the lifecycle state name in the Name field, the technical name appears below in the Technical Name field.
  - The technical name is not case sensitive and is used in scripts related to system behavior.
  - This name is also the required value in flat file sources when the user moves into this state.
- Select OK. The new lifecycle state appears in the alphabetically ordered list on the left. The number of identities in each lifecycle state appears to the right of the lifecycle name.
Configuring Access Changes in Lifecycle States
Change identities' access in a lifecycle state by updating source accounts and adding access profiles to an identity profile.
Note
When an identity has been in the same lifecycle state for a while and one of its enabled accounts goes into a disabled state, IdentityNow does not normally try to enable the account again. However, when an identity that has been in the same lifecycle state for a while loses access granted by an access profile assigned to the lifecycle state, IdentityNow does provision that access again.
To make access changes to lifecycle states:
- Go to Admin > Identities > Identity Profile.
- Select the identity profile that contains the lifecycle state.
- Select the Provisioning tab.
- Select the lifecycle state from the left panel.
- Disable the lifecycle state.
- Select one or more of the following options:
  - Configure Changes - This option is located under Previous Accounts. Configure Changes lets you choose which source accounts are enabled or disabled for this identity. The Enable/Disable panel enables you to fine tune your lifecycle states on a per-source basis, as follows:
    - Enable Accounts - Select source accounts to enable.
    - Disable Accounts - Enter sources to disable. These settings affect only the status of the identity's accounts.
  - Add Existing Access Profile - This option is located near the bottom of the page. Choosing access profiles from the Add Existing Access Profile list automatically gives the identity an account on that source. See More Information on Adding Access Profiles below for details on what happens when you add an existing access profile to a lifecycle state.
    Add access profiles in one or both of the following ways:
    - Select the magnifying glass icon to search for one or more access profiles to add to the identity profile.
    - Select New to create a new access profile. Review Configuring Access Profiles for information on setting up new access profiles.
    Selected access profiles display in the Access Profiles to Grant table.
More Information on Adding Access Profiles
Only access profiles specified in the Access Profiles to Grant panel are granted to identities in the current lifecycle state. To maintain access across multiple lifecycle states, you must grant the access in each lifecycle state. For example, if you grant someone building access in the Active state and you want them to maintain building access while they are in the On Leave state, you'll need to include that access in both the Active and On Leave states.
Access profiles granted in a previous lifecycle state are automatically revoked when the identity moves to the new lifecycle state. Access assigned to those accounts is determined exclusively by the access profiles in the Access Profiles to Grant table.
During a scheduled refresh, IdentityNow evaluates lifecycle states to determine if their assigned identities have the access defined in the lifecycle states’ access profiles. If the identities are missing source access defined in their lifecycle state's access profile, IdentityNow provisions access to those sources.
For example, if the Active lifecycle state includes an access profile with Active Directory groups, IdentityNow checks the Active lifecycle state identities to confirm they have the Active Directory entitlements from the access profile. If the identities are missing Active Directory access, IdentityNow provisions the access to Active Directory.
If an identity has more than one account on a source, you might need to make configurations to individual access profiles to determine which account receives those access profiles after a lifecycle state change.
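The grant and revoke rule in this section can be checked against a lifecycle plan before it is configured. The following is an added example, not SailPoint code: it models the rule as set arithmetic, and the state names, access profile names, and carry-over expectations are constructed for illustration.

```python
# Constructed lifecycle plan: hypothetical technical names mapped to the
# access profiles listed in each state's Access Profiles to Grant table.
PLAN = {
    "active": {"Building Access", "AD Staff Groups", "Email"},
    "leave": {"Email"},
    "inactive": set(),
}
# Access the plan's authors intend to survive a transition (constructed).
CARRY_OVER = {("active", "leave"): {"Building Access", "Email"}}


def transition_diff(plan, old_state, new_state):
    """Access effect of moving an identity from old_state to new_state.

    Models the rule described above: only profiles listed for the new state
    are granted, and profiles from the previous state are revoked unless the
    new state lists them too.
    """
    for state in (old_state, new_state):
        if state not in plan:
            raise KeyError(f"lifecycle state not in plan: {state}")
    old, new = plan[old_state], plan[new_state]
    return {
        "revoked": sorted(old - new),
        "granted": sorted(new - old),
        "retained": sorted(old & new),
    }


def unmet_carry_overs(plan, expectations):
    """List (old, new, profile) where access meant to persist is not granted."""
    gaps = []
    for (old_state, new_state), profiles in sorted(expectations.items()):
        transition_diff(plan, old_state, new_state)  # validates state names
        for profile in sorted(profiles):
            if profile not in plan[new_state]:
                gaps.append((old_state, new_state, profile))
    return gaps


if __name__ == "__main__":
    print(transition_diff(PLAN, "active", "leave"))
    print(unmet_carry_overs(PLAN, CARRY_OVER))
```

With this sample plan, the building access from the example above is reported as a gap because it is listed in the active state only.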
Handling Large Numbers of Sources
Administrators can configure Enable or Disable actions on a combined total of 40 sources in the User Interface (UI). Browser limitations restrict configuring more than 40 sources. To configure more than 40 sources, use IdentityNow REST APIs. Be aware that sources configured using APIs must be managed using APIs. For assistance, contact your CSM.
To return to using the UI after configuring more than 40 sources in the API, do one of the following to reduce the number of sources with configured actions to less than 40:
- Use the API to reduce the number of sources.
- Select Maintain Status and select Save to remove all sources from the Enable/Disable lists for that lifecycle state.
Configuring Lifecycle State Notifications
Configure email notifications to notify someone when an identity's lifecycle state changes. For example, a user's manager might need to know when they become active within your IdentityNow system.
To select the users to receive email notification when an identity's lifecycle state changes:
- Go to Admin > Identities > Identity Profile.
- Select the Provisioning tab.
- Select the lifecycle state from the left panel.
- Scroll to the bottom of the page.
- In the Email Notification List panel, select any or all of the following:
- Manager - The user's manager receives an email notification.
- All Admins - All org admins receive an email notification.
- Specific Users - The system sends email notifications to the specific email addresses you list. Add more email addresses by selecting Add. Remove email addresses by selecting the X icon next to the field.
Email notifications are fully customizable. See Using Email Templates for general information on email templates and instructions for editing them. See Lifecycle State Change Email Template for detailed template-specific information.
Moving Identities into Lifecycle States
Changing an identity’s lifecycle state changes their access. The move into a lifecycle state can occur automatically or manually.
You can see an identity's lifecycle state status on their identity page, at Overview > Lifecycle State. The lifecycle state has one of the following statuses.
Lifecycle State Status | Description |
---|---|
Lifecycle State Active | An identity's lifecycle state is set automatically when imported from the source system or when an event causes the lifecycle to change. For example, on a new user's start date, the user's pre-hire state automatically changes to an active state. |
Lifecycle State Not Set | If no value is assigned to the lifecycle state attribute when the identity is added to the system, IdentityNow does not set a lifecycle state. Additionally, no lifecycle state is set when the lifecycle state attribute on the identity profile is not mapped to a source attribute or transform. |
Lifecycle State Not Valid | This status occurs when the lifecycle value from the source system does not match one of the lifecycle states defined in IdentityNow. |
Lifecycle State Does Not Match Technical Name Case | This status occurs when the value from the source system matches the technical name of the lifecycle state, but the source system value's name uses one or more uppercase letters. The technical name is always lower case. So when a case mismatch occurs, such as when the lifecycle state in IdentityNow is active and the value in the Active Directory source is Active, this is the lifecycle state that results. |
Configuring Automatically Applied Lifecycle States
Configure IdentityNow to recognize certain source attributes and use them to determine an identity's lifecycle state. When those attributes are updated during an aggregation, the identity's lifecycle state changes automatically.
- In the identity profile to be edited, select the Mappings tab.
- Scroll down to the panel named Lifecycle State (cloudLifecycleState).
- Choose a source for the identity and a source attribute to use for the identity profile.
  - Ensure that the source the lifecycle state attribute pulls from has some attributes that correspond to the technical names of the IdentityNow lifecycle states.
- Configure a transform for this attribute if you need any type of data normalization.
  or
- Contact SailPoint Services to configure a custom rule to calculate what each identity’s lifecycle state should be, based on multiple source attributes.
- Preview your mapping before finalization.
- Select Apply Changes. The system processes the identity data in the profile so its identity details reflect the new mapping for lifecycle state.
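Before mapping a source attribute, it helps to check which source values would land in the Not Set, Not Valid, or case-mismatch statuses from the table above. The following is an added example, not SailPoint code: it models the table's rules over a flat file, and the technical names, column names, and rows are constructed sample data.

```python
import csv
import io

# Status names from the table above.
ACTIVE = "Lifecycle State Active"
NOT_SET = "Lifecycle State Not Set"
NOT_VALID = "Lifecycle State Not Valid"
CASE_MISMATCH = "Lifecycle State Does Not Match Technical Name Case"

# Constructed sample data: hypothetical technical names and flat file rows.
TECHNICAL_NAMES = {"active", "inactive", "prehire", "leave"}
SAMPLE_CSV = """id,lifecycle
u1001,active
u1002,Active
u1003,
u1004,leave
u1005,terminated
u1006,PreHire
"""


def classify(value, technical_names):
    """Predict the status a source value would produce, following the table."""
    if value is None or value == "":
        return NOT_SET
    if value in technical_names:
        return ACTIVE
    if value.lower() in technical_names:
        return CASE_MISMATCH  # right state, but the source used uppercase
    return NOT_VALID


def audit_flat_file(csv_text, column, technical_names):
    """Return (line, id, value, status) for rows that would not map cleanly."""
    not_lower = sorted(n for n in technical_names if n != n.lower())
    if not_lower:
        raise ValueError(f"technical names must be lower case: {not_lower}")
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        status = classify(row.get(column), technical_names)
        if status != ACTIVE:
            findings.append((line_no, row.get("id"), row.get(column), status))
    return findings


if __name__ == "__main__":
    for finding in audit_flat_file(SAMPLE_CSV, "lifecycle", TECHNICAL_NAMES):
        print(finding)
```

Rows reported as a case mismatch are candidates for a lower-casing transform on the mapped attribute; rows reported as not valid need either a new lifecycle state or a corrected source value.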
Configuring Manually Applied Lifecycle States
You might want to manually change a user's lifecycle state if their status in the company has changed and your authoritative source has not yet been updated. Changing a user's lifecycle state manually keeps the user in that state until the source changes, even if you run an aggregation.
When a user's lifecycle state changes because of an aggregation or change in source data, the change method on their Overview is set to Automatic. If a user's lifecycle state changes because an admin manually selects it, the method changes to Manual.
Caution
The manual setting is applicable as long as the underlying value on the source doesn't change. When the value on the source changes, the Lifecycle State field gets reset to an automatic value. For example, if Joe Smith's lifecycle state is set to Active (Automatic), you can manually change the lifecycle state to Inactive (Manual). If the source value changes from Active to On Leave, the value in IdentityNow changes to On Leave (Automatic).
To configure a lifecycle state to be manually applied:
- From the Admin dashboard, go to Identities > Identity List.
- Select the name of the identity you want to edit.
- Under Overview, select the menu icon next to the lifecycle state.
- In the dropdown list, select the lifecycle state to move the user to.
The lifecycle state changes to match what you selected and the method changes to Manual.
Note
The Menu icon is disabled during the time IdentityNow processes your change. Processing could take some time. While you're waiting, you can perform other identity governance tasks. Avoid making changes to the identity that are dependent on a specific lifecycle state.
Lifecycle State Provisioning Retries
Provisioning requests for lifecycle states which fail with a retryable error are automatically retried once per hour, up to 3 times.
Inviting Users to IdentityNow After a Lifecycle State Change
Configure IdentityNow to automatically send invitations to users when they enter a different lifecycle state.
For example, a user might be in a pre-hire lifecycle state before their start date. On their first day on the job, they are moved into the active lifecycle state. The system automatically sends them an invitation to use IdentityNow.
To configure IdentityNow to notify users of lifecycle changes:
- From the Admin dashboard, go to Identities > Identity Profiles.
- Select the identity profile you want to edit.
- Under Invitation Options, select one of the automatic invitation options.
- Under Send at Lifecycle State, select a lifecycle state and select Save. IdentityNow sends the invitation to the user when they enter the lifecycle state you selected.
Note
Only lifecycle states that have been enabled are displayed. If no lifecycle state has been enabled, this field is hidden.
Whenever an identity profile enters a different lifecycle state, IdentityNow sends an email invitation to that user at the email address or addresses you selected. The user receives the email within about an hour, depending on the number of jobs in the queue.
For information on customizing the email template for invitations, see Using Email Templates and Lifecycle State Change Email Template.
Notifying Source Owners of Lifecycle State Changes
The lifecycle states of one or more identities may change or users may be granted roles when identity data is refreshed in your system. A new account will be created on the related source if the lifecycle state is configured for that. If the lifecycle state has not been configured to create new accounts, IdentityNow generates a Task Manager reminder for the owner of the associated source to take additional action on the source.