Skip to content

Setting Up Lifecycle States

Lifecycle states describe a user's status in the organization, which you can use to drive access changes for your users. For example, when a new employee joins your company, IdentityNow can grant them the required access for active employees. When someone leaves the organization, their access can be automatically revoked or their source accounts disabled.

You define them for each identity profile, specifying the access users need in each lifecycle state.

Defining Lifecycle States

Configure the lifecycle states you need for each identity profile. IdentityNow includes active and inactive lifecycle states out of the box. Your business may want additional states based on other stages of employment, such as pre-hire, new hire, leave of absence, or retired.

  1. Go to Admin > Identities > Identity Profile.
  2. Select an identity profile to define lifecycle states for its users.
  3. Select the Provisioning tab.
  4. Select Add at the bottom of the left panel, below the default Active and Inactive lifecycle states.

  5. Enter a name for the new lifecycle state in the Add New Lifecycle State dialog's Name field.

    • The name can contain letters, numbers, and spaces.
    • As you type in the Name field, the Technical Name field below it also gets populated. The technical name is the value that must be set in the Lifecycle State attribute of each identity to assign them to that lifecycle state.

  6. Select OK. The new lifecycle state appears in the list in alphabetical order.

Note

Lifecycle states are disabled by default and must be enabled before identities will be assigned to them.

Configuring Lifecycle States

Lifecycle states can change identities' access by enabling or disabling source accounts and granting access profiles to an identity profile.

To set up a lifecycle state's access requirements:

  1. Go to Admin > Identities > Identity Profile.
  2. Select an identity profile.
  3. Select the Provisioning tab.
  4. Select the lifecycle state from the left panel.
  5. During configuration, clear the Enabled checkbox to ensure the lifecycle state is disabled so its requirements can go into effect at once.

  6. To enable or disable accounts for users who enter this lifecycle state:

    • Under Settings for Previous Accounts, select Configure Changes.
    • Under Account Configuration Options, choose Enable Accounts or Disable Accounts. You can also select both, assigning different sources to each.
    • Choose which sources' accounts to enable or disable from the list of available sources. Select +Add after each selection.

    If you do not want the lifecycle state to enable or disable accounts, select Maintain Status.

    Note

    The enable/disable operations are only enforced when an identity first enters the lifecycle state.

  7. Under Add Existing Access Profile, select the access profiles to be granted to users in this lifecycle state. Selected access profiles are listed in the Access Profiles to Grant table.

    • Selecting New navigates you away from this page to create a new access profile. Save any other updates before proceeding there.

    Note

    Access profile assigned through the lifecycle state are enforced as long as the user remains in that state; if the access gets removed from the identity while they are still in the lifecycle state, IdentityNow provisions it again.

    Important

    • Access profiles granted by a lifecycle state are revoked when a user leaves that lifecycle state unless the same access profile is also assigned by the user's new lifecycle state.
    • Recalculation of users' lifecycle states and the corresponding provisioning actions occurs during event-driven and scheduled identity processing.
    • If an identity has more than one account on a source, the access profiles' multiple account criteria determine which account receives the access.

  8. In the Email Notification List panel, specify who should be notified when an identity changes lifecycle states. Select:

    • Manager to notify the user's manager.
    • All Admins to notify all IdentityNow users with org admin access.
    • Specific Users to specify the notification recipients by email address. To add more email addresses, selecting + Add. Remove email addresses by selecting the ​X icon next to the field.
  9. Return to the top of the lifecycle state configuration and select Enabled to activate the lifecycle state and its configurations.
  10. Select Save.

Handling Large Numbers of Sources

You can configure Enable or Disable actions on up to 40 sources in the user interface (UI). To add more than 40 sources, use the IdentityNow REST APIs for Lifecycle States. While more than 40 sources are included, you will only be able to update this configuration through the API. Use the API to reduce the number of sources to return to using the UI.

Configuring Lifecycle State Notifications

Lifecycle state notifications use the Lifecycle State Change Email Template. You can customize the message following the process described in Using Email Templates.

Assigning Lifecycle States

Identities can be assigned to one lifecycle state at a time. Assigned states can be changed manually by an administrator or through an automatic calculation of their Lifecycle State identity attribute.

Automatically Assigning Lifecycle States

Each identity's Lifecycle State attribute determines the lifecycle state they are assigned to. You can define the mapping for that attribute per identity profile.

  1. Go to Admin > Identities > Identity Profiles.
  2. Select an identity profile.
  3. Select the Mappings tab.
  4. Scroll down to the Lifecycle State (cloudLifecycleState) attribute.

  5. Choose a source and source attribute to use in setting this identity attribute.

    • This attribute must contain values that correspond to the technical names of the identity profile's lifecycle states to assign the user to a lifecycle state. This evaluation is case-sensitive.

    Notes

    • You can verify the technical name on the lifecycle state's provisioning details page. Go to Admin > Identities > Identity Profiles and choose the identity profile. Select the Provisioning tab and select the lifecycle state in the left panel. The technical name appears in parentheses in the Provisioning Settings header.
    • You can configure a transform for this attribute if you need to perform data normalizations on the source value.
    • SailPoint Professional Services or your implementation partner can help you configure a custom rule if you require more complex logic to calculate the Lifecycle State attribute for your users.

  6. Select Save.

  7. Preview one or more identities to verify your mapping.
  8. Select Apply Changes to initiate identity processing for the identity profile to update these identities' lifecycle states. This also initiates provisioning of your lifecycle state requirements.

Viewing and Manually Assigning Lifecycle States

  1. Go to Admin > Identities > Identity List and find the identity whose lifecycle state you want to change.
  2. Select Actions > Set Lifecycle State.
  3. Select a lifecycle state and then select Save.

This automatically initiates lifecycle state provisioning for the user. Processing may take some time. You can perform other identity governance tasks, but avoid making changes to the identity that are dependent on a specific lifecycle state while it updates.

When a user's lifecycle state has been changed through a manual action, the lifecycle state displays (Manual).

Important

The manual setting is applicable as long as the underlying value on the source doesn't change. When the value on the source changes, the Lifecycle State field gets reset to an automatic value.

For example, if Joe Smith's lifecycle state is set to Active (Automatic), you can manually change the lifecycle state to Inactive (Manual). If the source value then changes from Active to OnLeave, the value in IdentityNow changes to OnLeave (Automatic).

Note

You can also manually assign an identity a lifecycle state on the identity’s details page. From the Identity List, select an identity. In the Overview section, find the Lifecycle State attribute, and select a value from the Actions menu for that row. Users of the updated Identity Details experience can select the Edit icon for the Lifecycle State attribute and choose a lifecycle state.

Lifecycle State Exception Cases

Users' lifecycle states may be null or set to an invalid value. In those cases, you will see one of these status messages.

Lifecycle State Status Explanation
Lifecycle State Not Set IdentityNow has not set a lifecycle state either because the Lifecycle State attribute is not mapped for the identity profile or because the mapped value is null for the identity.
Lifecycle State Not Valid The lifecycle state attribute's value for this identity does not match one of the lifecycle states defined for their identity profile.
Lifecycle State Does Not Match Technical Name Case The value of the identity's Lifecycle State attribute does not match the technical name for a defined lifecycle state due to case-sensitivity. The identity attribute should be set to match the technical name of a lifecycle state exactly. For example, the active lifecycle state will not be assigned to an identity whose Lifecycle State attribute value is Active.

Lifecycle State Provisioning Retries

Provisioning requests for lifecycle states which fail with a retryable error are automatically retried once per hour, up to 3 times.

Inviting Users Based on Lifecycle State

You can configure IdentityNow to automatically send new user invitations when they enter a specified lifecycle state. For example, your identities might be created in a pre-hire lifecycle state before their start date. On their first day on the job, when they move into the active lifecycle state, IdentityNow can automatically send them an invitation. Refer to Inviting Users Automatically for details.