The termination process is triggered when HR terminates the employee account and access in HRMS. IDM reconciles the data from HRMS and disables the user account's profile in IDM and all the corresponding target systems.

Terminate User - Day 0

Use Case

Terminate User - Day 0

Brief Description

The Terminate User process is initiated when HR terminates the user account and its access in HRMS. IDM reconciles the records from HRMS, detects the termination, and disables the user account's profile in IDM and the corresponding target systems.

Actors

  • HR
  • Access Management
  • IT
  • Target Systems

Trigger Events

  • HR terminates the user in HRMS
    • Current Status = A/P/L
    • New Status = D/Q/R/S/T/U
  • IDM reconciles the record from HRMS into IDM

Preconditions

  • User record exists in IDM inactive state

Post-Conditions

Success

  • IDM makes the necessary changes in Target Systems for terminated accounts
  • User status is changed to Disabled
  • No roles are removed on Day 0
  • Account statuses are changed to Disabled on Day 0

Fail

  • IDM does not disable the identity upon termination
  • IDM fails to disable accounts that are in a provisioned state

Basic Flow

  • Upon receipt of records with Terminate status from HRMS, IDM disables the user account in stages.
    • A new 'Prevent HRMS Updates' flag is added in IDM to prevent updates from HRMS from overwriting a change to a user record in IDM when the user is terminated for cause.
    • A new 'Legal Hold' flag is added in IDM to prevent updates from HRMS. If the Legal Hold flag is checked, the IDM account remains disabled.
  • The IDM termination process is triggered upon receipt of any of the following HR Flags in the HRMS record. If the HRMS record contains one of these HR Flags, the IDM user identity is set to the corresponding status and the termination process schedule is initiated.

    HR Flag               IDM Status
    Deceased              Disabled
    Retired with Pay      Disabled
    Retired               Disabled
    Terminated            Disabled
    Terminated with Pay   Disabled
    Suspended             Disabled


The basic flow for the termination process is shown in the activity diagram below:

On the day of termination

  • IDM account status is changed from ACTIVE to DISABLED
  • IDM sets the de-provisioning date as 95 days after the current date
  • IDM disables the account on all core connected systems (Active Directory, Exchange, Exchange Online, West Mainframe, CCure, EPS) 
  • IDM disables all remote access  
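The Day 0 reconciliation described above, as an added example that is not part of the original document: a small Python model of the trigger check (an A/P/L to D/Q/R/S/T/U status transition, or a terminating HR Flag), the Prevent HRMS Updates and Legal Hold flags, and the Day 0 actions (identity disabled, de-provisioning date set to 95 days after the current date, core connected system accounts and remote access disabled, roles left in place). The status codes, flag names and the core system list come from the use case; the HrmsRecord and IdmIdentity classes, their field names and the sample employee record are assumptions constructed for the example.

```python
# Added example (not the project's own code): Day 0 termination reconciliation.
# Status codes, flag names and the core system list come from the use case;
# class names, field names and the sample data are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

ACTIVE_STATUSES = {"A", "P", "L"}                      # current status before termination
TERMINATING_STATUSES = {"D", "Q", "R", "S", "T", "U"}  # new status that triggers termination
TERMINATING_HR_FLAGS = {"Deceased", "Retired with Pay", "Retired",
                        "Terminated", "Terminated with Pay", "Suspended"}
CORE_CONNECTED_SYSTEMS = ("Active Directory", "Exchange", "Exchange Online",
                          "West Mainframe", "CCure", "EPS")
DEPROVISION_GRACE_DAYS = 95


@dataclass
class HrmsRecord:
    """One reconciled row from HRMS (constructed shape, assumed)."""
    employee_id: str
    status: str
    hr_flag: Optional[str] = None


@dataclass
class IdmIdentity:
    """The IDM side of the user: identity status, hold flags and connected accounts."""
    employee_id: str
    status: str = "ACTIVE"                 # ACTIVE or DISABLED
    hrms_status: str = "A"                 # last HRMS status IDM accepted
    prevent_hrms_updates: bool = False     # set when terminated for cause
    legal_hold: bool = False
    deprovision_date: Optional[date] = None
    accounts: Dict[str, str] = field(
        default_factory=lambda: {s: "ENABLED" for s in CORE_CONNECTED_SYSTEMS})
    remote_access: bool = True
    roles: List[str] = field(default_factory=list)


def is_termination_event(identity: IdmIdentity, record: HrmsRecord) -> bool:
    """A termination is an A/P/L -> D/Q/R/S/T/U transition or a terminating HR Flag."""
    transition = (identity.hrms_status in ACTIVE_STATUSES
                  and record.status in TERMINATING_STATUSES)
    return transition or record.hr_flag in TERMINATING_HR_FLAGS


def reconcile_day0(identity: IdmIdentity, record: HrmsRecord, today: date) -> List[str]:
    """Apply one HRMS record to IDM and return the actions taken (an audit trail)."""
    if identity.employee_id != record.employee_id:
        raise ValueError("HRMS record does not belong to this identity")
    actions: List[str] = []
    # Either hold flag stops HRMS data from overwriting the IDM record, so a
    # held identity cannot be re-enabled by a later HRMS update.
    if identity.prevent_hrms_updates or identity.legal_hold:
        actions.append("hrms update ignored: hold flag set")
        return actions
    if not is_termination_event(identity, record):
        identity.hrms_status = record.status  # ordinary attribute sync only
        return actions
    identity.hrms_status = record.status
    identity.status = "DISABLED"
    actions.append("identity DISABLED")
    identity.deprovision_date = today + timedelta(days=DEPROVISION_GRACE_DAYS)
    actions.append("deprovision date " + identity.deprovision_date.isoformat())
    for system in CORE_CONNECTED_SYSTEMS:
        identity.accounts[system] = "DISABLED"  # disabled, not revoked, on Day 0
    actions.append("core connected accounts DISABLED")
    identity.remote_access = False
    actions.append("remote access disabled")
    # Roles are intentionally untouched on Day 0: the Day 10 job removes them.
    return actions


def demo():
    """Constructed walk-through: termination on 2024-01-01, then a held identity."""
    ident = IdmIdentity("E1001", roles=["Finance Analyst"])
    day0 = reconcile_day0(ident, HrmsRecord("E1001", "T", "Terminated"), date(2024, 1, 1))
    ident.legal_hold = True  # a hold placed after termination
    held = reconcile_day0(ident, HrmsRecord("E1001", "A"), date(2024, 1, 15))
    return ident, day0, held


if __name__ == "__main__":
    identity, day0_actions, held_actions = demo()
    print(identity.status, identity.deprovision_date, day0_actions, held_actions)
```

The second reconcile call in demo() shows why the hold flags matter: an HRMS record that later reports the user as active again is ignored while a hold is set, so the identity stays DISABLED instead of being silently re-enabled by reconciliation.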


Terminate User - Day 10

Use Case

Terminate User - Day 10

Brief Description

The Terminate User process is initiated when HR terminates the user account and its access in HRMS. IDM reconciles the records from HRMS, detects the termination, and disables the user account's profile in IDM and the corresponding target systems.

Actors

  • IDM
  • Target Systems

Trigger Events

  • Removal of roles, entitlements and manager information from the user profile

Preconditions

  • User record exists in IDM inactive state

Post-Conditions

Success

  • IDM makes necessary changes in Target Systems for terminated accounts
  • Manager details are removed from User Profile

Fail

  • IDM does not remove the manager information
  • IDM fails to remove entitlements and roles that are in a provisioned state

Basic Flow

After 10 days of termination

  • IDM runs a scheduled job to remove all Active Directory group memberships, except Office365, which remains until the account is revoked.
  • The job removes all of the following:
    • Manager's information from the user profile
    • Entitlements for users that have passed the 10-day grace period (as specified in metadata), except Office365
    • Roles requested through the Catalog for users that have passed the 10-day grace period (as specified in metadata)
  • IDM sends a notification and request ID to the Application Fulfiller to remove all accounts on disconnected systems within 30 days. Depending on application metadata rules, the access is either revoked or disabled.
  • Policy Violations are triggered if accounts are not revoked in the designated timeframe.


Terminate User - Day 30

Use Case

Terminate User - Day 30

Brief Description

The Terminate User process is initiated when HR terminates the user account and its access in HRMS. IDM reconciles the records from HRMS, detects the termination, and disables the user account's profile in IDM and the corresponding target systems.

Actors

  • IDM

Trigger Events

  • Notification trigger for fulfillment roles

Preconditions

  • User record exists in IDM inactive state

Post-Conditions

Success

  • Notification trigger for fulfillment roles successful
  • Policy violation triggered

Fail

  • Notification trigger for fulfillment roles unsuccessful
  • Policy violation not triggered

Basic Flow

After 30 days of termination

  • IDM runs a scheduled job to notify application fulfillment roles that the removal requests are still pending.
  • A Policy Violation is triggered, and a notification is sent to the Security Controls Administrators.



Terminate User - Day 90

Use Case

Terminate User - Day 90

Brief Description

The Terminate User process is initiated when HR terminates the user account and its access in HRMS. IDM reconciles the records from HRMS, detects the termination, and disables the user account's profile in IDM and the corresponding target systems. IDM disables the user profile and sets the de-provisioning date as 95 days after the current date.

Actors

  • IDM
  • Target Systems
  • Badge (CCure)

Trigger Events

  • Removal of the AD Home Drive
  • Revocation of disabled core connected systems access

Preconditions

  • User record exists in IDM inactive state

Post-Conditions

Success

  • Disabled core connected systems access revoked
  • Physical Badge remains disabled

Fail

  • Disabled core connected systems access not revoked
  • Physical Badge not disabled

Basic Flow

After 95 days of termination

  • IDM runs a job that revokes disabled core connected systems access; the Physical Badge remains Disabled.
  • IDM sends a notification to remove the AD Home Drive.


Diagram

The diagram below illustrates the basic flow to terminate the user process.



Topics, Questions and Responses

Topic: Brief description
Question: A brief description only focuses on the de-provisioning date.
Response: IDM disables the user profile and sets the de-provisioning date as 95 days after the current date.

Topic: Post-Conditions - Fail
  • IDM does not disable the identity upon termination
Question: There is another scenario which should be considered as a failure: failed to disable accounts which are in a provisioned state.

Topic: Post-Conditions - Success
  • Email Notification:
    • Terminated User's Manager will receive: Offboarding Email Notification
    • If the user is Nuclear: notify IT Service Desk (Role: NOTIFY_IT_SERVICE_DESK_Role) as per email template: Exelon Notification on Nuclear User Termination
  • Home Drive removal Email Notification: IT Service Desk
Question: Need an email template detail for each notification. The template should have the following details: Mail Subject, Mail Body, Mail Signature, Sender DL/email, and Recipient DL/email.

Topic: Basic Flow - After 10 days of termination
Question: Is there a separate requirement for 10-day revocation and 10-day disable?

Topic: Basic Flow
Question: Do we have separate requirements for 0-day revocation, 10-day revocation, 30-day revocation, and 95-day revocation of entitlements or accounts?
Response: As per the current state of the system, Entitlements, Accounts and Roles have no field/metadata which holds information such as 0-day revocation, 10-day revocation, 30-day revocation, or 95-day revocation.

Topic: Trigger Events
Question: There should be a separate requirement for employee status change from A/L/P to S (suspended). Is there any specific requirement for different status changes other than the one mentioned above?

Topic: Basic Flow - After 30 days of termination
Question: Need clarity on who will create tickets to revoke all disconnected accounts and to whom they will be assigned.