Setting Up Lifecycle States
Lifecycle states describe a user's status in the organization, which you can use to drive access changes for your users. For example, when a new employee joins your company, Identity Security Cloud can grant them the required access for active employees. When someone leaves the organization, their access can be automatically revoked or their source accounts disabled.
You define them for each identity profile, specifying the access users need in each lifecycle state.
Defining Lifecycle States
Configure the lifecycle states you need for each identity profile. Identity Security Cloud automatically includes active and inactive lifecycle states. Your business may want additional states based on other stages of employment, such as pre-hire, new hire, leave of absence, or retired.
- Go to Admin > Identity Management > Identity Profiles.
- Select an identity profile to define lifecycle states for its users.
- Select the Provisioning tab.
- Select Add at the bottom of the left panel, below the default Active and Inactive lifecycle states.
- Enter a name for the new lifecycle state in the Name field.
  - The name can contain letters, numbers, and spaces.
  - As you type in the Name field, the Technical Name field below it also populates. The technical name must be set in the Lifecycle State attribute of each identity to assign them to that lifecycle state.
- Select OK. The new lifecycle state appears in the list in alphabetical order.
Note
Lifecycle states are disabled by default and must be enabled before identities will be assigned to them.
Configuring Lifecycle States
Lifecycle states can change identities' access by enabling or disabling source accounts and granting access profiles to the identities in an identity profile.
To set up a lifecycle state's access requirements:
- Go to Admin > Identity Management > Identity Profiles.
- Select an identity profile.
- Select the Provisioning tab.
- Select the lifecycle state from the left panel.
- To enable or disable accounts for users who enter this lifecycle state:
  - Under Settings for Previous Accounts, select Configure Changes.
  - Under Account Configuration Options, choose Enable Accounts or Disable Accounts. You can also select both, assigning different sources to each.
  - Choose which source accounts to enable or disable from the list of available sources. Select + Add after each selection.
  If you do not want the lifecycle state to enable or disable accounts, select Maintain Status.
Note
The enable and disable operations are only enforced when an identity first enters the lifecycle state.
- Under Add Existing Access Profile, select the access profiles to be granted to users in this lifecycle state. Selected access profiles are listed in the Access Profiles to Grant table.
  - Selecting + New navigates away from this page to create an access profile. Save your updates before proceeding.
Note
Access profiles assigned through a lifecycle state are enforced as long as the identity remains in that state. If an access profile is removed from an identity while they are still in the lifecycle state, the access will be provisioned again.
Important
- Access profiles granted by a lifecycle state are revoked when a user leaves that lifecycle state unless the same access profile is also assigned by the user's new lifecycle state.
- Recalculation of users' lifecycle states and the corresponding provisioning actions occurs during event-driven and scheduled identity processing.
- If an identity has multiple accounts on a source, the access profiles' multiple account criteria determine which account receives the access.
- In the Identity State panel, select the state identities in this lifecycle state will have. Your selection may exclude identities from specific features and processes in Identity Security Cloud. Refer to Identity State Overview to learn more about these states.
  You may choose from the following identity states:
  - Active - Identities in this state are either joining or currently working for your organization. Active identities can be selected or governed in all services. Only Active identities can be selected in the Request Center or from the Team Members list on the My Team page. If configured, changes to Active identities might trigger attribute sync.
  - Inactive (short-term) - Identities in this state might be on leave or in the process of separating from your organization. Scheduled processing or manual identity processing for changes to roles, access profiles, and apps applies to Inactive (short-term) identities. If configured, changes to Inactive (short-term) identities might trigger attribute sync.
  - Inactive (long-term) - Identities in this state have separated from your organization and will not appear in most services. Inactive (long-term) identities are excluded from attribute sync. If an Inactive (long-term) identity requires synchronization, administrators can manually initiate attribute sync by selecting the Synchronize Attributes action for the individual identity in the Identity List. This action can also be performed by making an API call using the Attribute synchronization for single identity endpoint.
Notes
- An identity’s identity state is automatically set to Active if:
  - the identity does not have an assigned lifecycle state.
  - the identity’s assigned lifecycle state does not have a configured identity state.
- By default, existing lifecycle states have their identity state value set to null.
- In the Email Notification List panel, specify who should be notified when an identity changes lifecycle states. Select:
  - Manager to notify the user's manager.
  - All Admins to notify users with org admin access.
  - Specific Users to specify the notification recipients by email address. To add more email addresses, select + Add. Remove email addresses by selecting the X icon next to the field.
- Return to the top of the lifecycle state configuration and select Enabled to activate the lifecycle state and its configurations.
- Select Save.
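The rules in the procedure above (account enable/disable only on first entry into a state, access profiles re-provisioned while the identity stays in the state, and revoked on exit unless the new state also grants them) can be checked against a small model. The following is an added example, not SailPoint's code; the `LifecycleState` and `TransitionPlan` classes, their field names, and the sample source and access profile names are constructed here for illustration and do not correspond to any real tenant configuration.

```python
"""Added example (not SailPoint code): model of the provisioning consequences of a
lifecycle state change, following the rules stated in this document.

Assumptions: the classes, field names and sample names below are constructed for
illustration only; identity processing in the product is not driven by this code.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Set


@dataclass(frozen=True)
class LifecycleState:
    """One lifecycle state as configured on an identity profile's Provisioning tab."""
    technical_name: str
    enabled: bool = True
    # Sources whose accounts are enabled / disabled when an identity enters the state.
    enable_sources: FrozenSet[str] = frozenset()
    disable_sources: FrozenSet[str] = frozenset()
    # Access profiles listed in "Access Profiles to Grant" for this state.
    access_profiles: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        # Enable and Disable may both be used, but each source belongs to only one list.
        overlap = self.enable_sources & self.disable_sources
        if overlap:
            raise ValueError(f"sources in both Enable and Disable: {sorted(overlap)}")


@dataclass
class TransitionPlan:
    """Provisioning actions that identity processing would issue for one identity."""
    grant: Set[str] = field(default_factory=set)
    revoke: Set[str] = field(default_factory=set)
    enable_accounts: Set[str] = field(default_factory=set)
    disable_accounts: Set[str] = field(default_factory=set)


def plan_transition(previous: Optional[LifecycleState],
                    new: LifecycleState,
                    current_access: Set[str]) -> TransitionPlan:
    """Compute the actions for an identity moving from `previous` to `new`.

    `previous` is None when the identity had no lifecycle state before.
    `current_access` is the set of access profiles the identity holds now,
    including any obtained outside lifecycle states (for example by request).
    """
    if not new.enabled:
        # Lifecycle states are disabled by default; identities are not assigned
        # to a disabled state, so there is nothing to provision.
        raise ValueError(f"lifecycle state {new.technical_name!r} is not enabled")

    plan = TransitionPlan()
    entering = previous is None or previous.technical_name != new.technical_name

    # Enable/disable operations are enforced only when the identity first enters
    # the state; a recalculation that leaves the identity in place issues none.
    if entering:
        plan.enable_accounts = set(new.enable_sources)
        plan.disable_accounts = set(new.disable_sources)

    # The new state's access profiles are enforced while the identity stays in it,
    # so anything missing (even if removed earlier) is provisioned again.
    plan.grant = set(new.access_profiles) - current_access

    # Access granted by the previous state is revoked on exit, unless the new
    # state also grants the same access profile.
    if entering and previous is not None:
        plan.revoke = set(previous.access_profiles) - set(new.access_profiles)

    return plan


# Constructed sample configuration; source and access profile names are illustrative.
ACTIVE = LifecycleState(
    "active",
    enable_sources=frozenset({"Active Directory", "Okta"}),
    access_profiles=frozenset({"Baseline Employee", "VPN Access"}),
)
LEAVE = LifecycleState(
    "leaveOfAbsence",
    disable_sources=frozenset({"Okta"}),
    access_profiles=frozenset({"Baseline Employee"}),
)

if __name__ == "__main__":
    # An active employee with one requested entitlement goes on leave.
    print(plan_transition(ACTIVE, LEAVE, {"Baseline Employee", "VPN Access", "Requested App"}))
    # A recalculation while still on leave only restores missing lifecycle access.
    print(plan_transition(LEAVE, LEAVE, {"Requested App"}))
```

The model deliberately leaves "Requested App" alone in both runs: only access profiles that the previous state granted are candidates for revocation, and the multiple-account criteria mentioned in the Important box are outside its scope.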
Handling Large Numbers of Sources
You can configure Enable or Disable actions for up to 40 sources in the user interface. To add more than 40 sources, use the REST APIs for Lifecycle States.
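Building the request body for the API path is where a configuration with many sources usually goes wrong (a source listed under both Enable and Disable, duplicates, a state left disabled). The following is an added example, not SailPoint's code: it assembles and validates a lifecycle state definition before sending it. The request shape (`POST /v3/identity-profiles/{id}/lifecycle-states` with `accountActions`, `accessProfileIds`, `identityState` and `emailNotificationOption`) reflects the v3 Lifecycle States API as the author of this example understands it; confirm the field names and the `identityState` values against the current API reference before use. `TENANT`, `PROFILE_ID`, the source ids and the bearer token are placeholders.

```python
"""Added example (not SailPoint code): build and validate a lifecycle state body
for the Lifecycle States REST API when more than 40 sources are involved.

Assumptions: endpoint path, field names and identityState values are taken from the
v3 API as understood by the author of this example (verify against the reference);
TENANT, PROFILE_ID and all ids below are placeholders.
"""
import json
import os
import urllib.request
from typing import Dict, Iterable, Optional

UI_SOURCE_LIMIT = 40                 # limit of the Enable/Disable lists in the UI
TENANT = "example-tenant"            # placeholder tenant name
PROFILE_ID = "IDENTITY-PROFILE-ID"   # placeholder identity profile id


def build_lifecycle_state(name: str, technical_name: str,
                          enable_source_ids: Iterable[str] = (),
                          disable_source_ids: Iterable[str] = (),
                          access_profile_ids: Iterable[str] = (),
                          identity_state: Optional[str] = None,
                          notify_managers: bool = False,
                          enabled: bool = False) -> Dict:
    """Return the JSON body for creating one lifecycle state.

    Raises ValueError when a source appears in both lists, mirroring the UI rule
    that Enable and Disable may both be used but with different sources.
    """
    enable_ids = list(dict.fromkeys(enable_source_ids))    # de-duplicate, keep order
    disable_ids = list(dict.fromkeys(disable_source_ids))
    overlap = set(enable_ids) & set(disable_ids)
    if overlap:
        raise ValueError(f"sources in both ENABLE and DISABLE: {sorted(overlap)}")

    account_actions = []
    if enable_ids:
        account_actions.append({"action": "ENABLE", "sourceIds": enable_ids})
    if disable_ids:
        account_actions.append({"action": "DISABLE", "sourceIds": disable_ids})

    body = {
        "name": name,
        "technicalName": technical_name,
        "enabled": enabled,          # states are disabled by default until enabled
        "accessProfileIds": list(dict.fromkeys(access_profile_ids)),
        "accountActions": account_actions,
        "emailNotificationOption": {
            "notifyManagers": notify_managers,
            "notifyAllAdmins": False,
            "notifySpecificUsers": False,
            "emailAddressList": [],
        },
    }
    if identity_state is not None:
        body["identityState"] = identity_state
    return body


def exceeds_ui_limit(body: Dict) -> bool:
    """True when any Enable/Disable list is longer than the UI allows (40 sources)."""
    return any(len(a["sourceIds"]) > UI_SOURCE_LIMIT for a in body["accountActions"])


def create_lifecycle_state(body: Dict, token: str,
                           tenant: str = TENANT, profile_id: str = PROFILE_ID) -> Dict:
    """POST the body to the tenant; only called when a token is supplied."""
    url = f"https://{tenant}.api.identitynow.com/v3/identity-profiles/{profile_id}/lifecycle-states"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder ids: 45 sources to disable on termination.
    terminated = build_lifecycle_state(
        "Terminated", "terminated",
        disable_source_ids=[f"src-placeholder-{i:02d}" for i in range(45)],
        access_profile_ids=["ap-placeholder-exit-survey"],
        identity_state="INACTIVE_LONG_TERM",
    )
    print("needs API:", exceeds_ui_limit(terminated))
    print(json.dumps(terminated, indent=2))
    token = os.environ.get("ISC_TOKEN")   # dry run unless a token is provided
    if token:
        print(create_lifecycle_state(terminated, token))
```

The body is created with `enabled` false so it can be reviewed in the UI before identities are assigned to it; enabling is a deliberate second step, as the Note under Defining Lifecycle States implies.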
Configuring Lifecycle State Notifications
Lifecycle state notifications use the Lifecycle State Change Email Template. You can customize the message by following the process described in Using Email Templates.
Assigning Lifecycle States
Identities can be assigned to one lifecycle state at a time. Assigned states can be changed manually by an administrator or through an automatic calculation of their Lifecycle State identity attribute.
Automatically Assigning Lifecycle States
Each identity's Lifecycle State attribute determines the lifecycle state they are assigned to. You can define the mapping for that attribute per identity profile.
- Go to Admin > Identity Management > Identity Profiles.
- Select an identity profile.
- Select the Mappings tab.
- Scroll to the Lifecycle State (cloudLifecycleState) attribute.
- Choose a source and source attribute to use in setting this identity attribute.
  - This attribute must contain values that correspond to the technical names of the identity profile's lifecycle states to assign the user to a lifecycle state. This evaluation is case-sensitive.
Notes
- You can verify the technical name on the lifecycle state's provisioning details page. Go to Admin > Identities > Identity Profiles and choose the identity profile. Select the Provisioning tab and select the lifecycle state in the left panel. The technical name appears in parentheses in the Provisioning Settings header.
- You can configure a transform for this attribute if you need to perform data normalizations on the source value.
- SailPoint Professional Services or your implementation partner can help you configure a custom rule if you require more complex logic to calculate the Lifecycle State attribute for your users.
- Select Save.
- Preview one or more identities to verify your mapping.
- Select Apply Changes to initiate identity processing for the identity profile to update these identities' lifecycle states. This also initiates provisioning of your lifecycle state requirements.
Viewing and Manually Assigning Lifecycle States
You can also manually change the lifecycle state for an identity. Lifecycle states changed through a manual action display (Manual).
- Go to Admin > Identity Management > Identities and find the identity whose lifecycle state you want to change.
- Select Actions > Set Lifecycle State.
- Select a lifecycle state and then select Save.
Tip
You can also manually assign an identity a lifecycle state on the identity’s details page. From the Identities page, select an identity. In the first section, select the Edit Lifecycle State icon for the Lifecycle State attribute and choose a lifecycle state.
This automatically initiates lifecycle state provisioning for the user. Processing may take some time. You can perform other identity governance tasks, but avoid making changes to the identity that are dependent on a specific lifecycle state while it updates.
Notes
- The manual setting is applicable as long as the underlying value on the source doesn't change. When the value on the source changes, the Lifecycle State field gets reset to an automatic value.
  For example, if Joe Smith's lifecycle state is set to Active (Automatic), you can manually change the lifecycle state to Inactive (Manual). If the source value then changes from Active to OnLeave, the value in Identity Security Cloud changes to OnLeave (Automatic).
- If a source owner manually updates the lifecycle state for their own identity, Identity Security Cloud creates a manual provisioning task and assigns it to an org admin. A work reassignment is also automatically created to prevent the source owner from being assigned the task.
Lifecycle State Exception Cases
A user's lifecycle state may be null or set to an invalid value. In these cases, a status message displays.
| Lifecycle State Status | Explanation |
|---|---|
| Lifecycle State Not Set | A lifecycle state has not been set because the Lifecycle State attribute is not mapped for the identity profile or the mapped value is null for the identity. |
| Lifecycle State Not Valid | The lifecycle state attribute's value for this identity does not match one of the lifecycle states defined for their identity profile. |
| Lifecycle State Does Not Match Technical Name Case | The value of the identity's Lifecycle State attribute does not match the technical name for a defined lifecycle state due to case-sensitivity. The identity attribute should be set to match the technical name of a lifecycle state exactly. For example, the active lifecycle state will not be assigned to an identity whose Lifecycle State attribute value is Active. |
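The matching rule behind the table above, the case-sensitivity note under Automatically Assigning Lifecycle States, the default identity state from the Notes in Configuring Lifecycle States, and the manual-override rule under Viewing and Manually Assigning Lifecycle States can all be expressed in a few functions. The following is an added example, not SailPoint's code: `PROFILE_STATES`, the `"Assigned"` label and the sample values are constructed for illustration, and `normalize_to_technical_name` stands in for the kind of transform the page mentions rather than being a SailPoint transform.

```python
"""Added example (not SailPoint code): how an identity's Lifecycle State attribute
value is matched against an identity profile's technical names, which status the
table on this page would show, the identity state that results, and how a manual
override behaves when the source value changes.

Assumptions: PROFILE_STATES, the "Assigned" label and all sample values are
constructed; normalize_to_technical_name is a stand-in for a transform.
"""
from typing import Dict, Optional, Tuple

NOT_SET = "Lifecycle State Not Set"
NOT_VALID = "Lifecycle State Not Valid"
CASE_MISMATCH = "Lifecycle State Does Not Match Technical Name Case"
ASSIGNED = "Assigned"   # constructed label for the non-error case

# Constructed identity profile: technical name -> configured identity state
# (None means no identity state was configured for that lifecycle state).
PROFILE_STATES: Dict[str, Optional[str]] = {
    "active": "Active",
    "onLeave": "Inactive (short-term)",
    "terminated": "Inactive (long-term)",
    "preHire": None,
}


def resolve_lifecycle_state(value: Optional[str],
                            profile_states: Dict[str, Optional[str]]) -> Tuple[Optional[str], str]:
    """Return (assigned technical name or None, status message).

    The comparison is exact and case-sensitive; a value that differs only in
    case is reported separately so the cause is visible to the administrator.
    """
    if value is None or value == "":
        return None, NOT_SET
    if value in profile_states:
        return value, ASSIGNED
    if any(name.lower() == value.lower() for name in profile_states):
        return None, CASE_MISMATCH
    return None, NOT_VALID


def effective_identity_state(assigned: Optional[str],
                             profile_states: Dict[str, Optional[str]]) -> str:
    """Identity state is Active when no lifecycle state is assigned or the
    assigned state has no configured identity state."""
    if assigned is None:
        return "Active"
    return profile_states[assigned] or "Active"


def normalize_to_technical_name(raw: Optional[str],
                                profile_states: Dict[str, Optional[str]]) -> Optional[str]:
    """Transform-style normalization: trim whitespace, then match technical names
    case-insensitively and return the exact technical name. Unknown values are
    returned trimmed so they still surface as "Not Valid" downstream."""
    if raw is None:
        return None
    key = raw.strip().lower()
    for name in profile_states:
        if name.lower() == key:
            return name
    return raw.strip()


def displayed_lifecycle_state(source_value: Optional[str],
                              last_source_value: Optional[str],
                              manual_value: Optional[str]) -> Tuple[Optional[str], str]:
    """A manual setting holds only while the underlying source value is unchanged;
    once the source value changes, the attribute reverts to the automatic value."""
    if manual_value is not None and source_value == last_source_value:
        return manual_value, "Manual"
    return source_value, "Automatic"


if __name__ == "__main__":
    for raw in ("active", "Active", "retired", None):
        assigned, status = resolve_lifecycle_state(raw, PROFILE_STATES)
        fixed = normalize_to_technical_name(raw, PROFILE_STATES)
        print(f"{raw!r:10} -> {status}; after normalization: "
              f"{resolve_lifecycle_state(fixed, PROFILE_STATES)[1]}; "
              f"identity state {effective_identity_state(assigned, PROFILE_STATES)}")
    # The Joe Smith example from this page.
    print(displayed_lifecycle_state("Active", "Active", "Inactive"))
    print(displayed_lifecycle_state("OnLeave", "Active", "Inactive"))
```

Running the script shows why a normalizing transform is usually preferable to a rule: a source that emits `Active` while the technical name is `active` produces the case-mismatch status, and lowercasing in a transform turns it into an assignment without changing the lifecycle state definitions.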
Lifecycle State Provisioning Retries
Provisioning requests for lifecycle states which fail with a retryable error are automatically retried once per hour, up to 3 times.
Inviting Users Based on Lifecycle State
You can configure Identity Security Cloud to automatically send new user invitations when they enter a specified lifecycle state. For example, your identities might be created in a pre-hire lifecycle state before their start date. On their first day on the job, when they move into the active lifecycle state, Identity Security Cloud can automatically send them an invitation. Refer to Inviting Users Automatically for details.