Account Deactivation Process
Every user eventually leaves, for one reason or another. To support this, a range of access deactivation processes must be supported by identity and access management systems.
Several processes are available for timely and reliable user access deactivation. Choice of the appropriate process depends on organization business requirements and preferences:
- Scheduled termination
Some workers, such as contractors, summer students and temporary staff, have pre-defined termination dates. These dates can be entered or loaded into Hitachi ID Identity Manager.
A scheduled batch process runs periodically on the Identity Manager server and checks for scheduled terminations. It can send e-mails to managers in advance, allowing them to update termination dates (e.g., defer them). It can disable users whose termination date has passed and it can delete, move or reassign accounts, mail boxes, home directories etc. for users who have been disabled for a sufficiently long amount of time.
- HR-initiated termination
HR staff can mark employees and contractors (note) either with a termination date, which is processed as described above or as already terminated. The Identity Manager automation engine can periodically poll the HR system for such changes and automatically disable login access for every newly-terminated user.
- Manager-initiated termination
Managers can use the same change request process to request updates to a user's termination date and status. This can be used to schedule or defer termination or to request immediate deactivation. Requests are routed to authorizers by e-mail, who respond on a secure, authenticated web form. Once deactivation requests are approved and/or a user's termination date has elapsed, all login IDs for the indicated user are disabled.
- Urgent termination
A web-based user management interface allows security administrators to terminate access to any user, on any combination of systems, immediately. This is used for urgent termination scenarios.
- Request-driven access deactivation
Users can sign into the request portal and ask to remove specific access rights in their own user profiles (they rarely do this) or the profiles of their subordinates or others within their scope of authority.
- Access certification
Managers, resource owners and others can be invited to periodically, or in response to an event such as a transfer, review users and their entitlements, certifying some and flagging others for removal. Items flagged for removal may be subject to further approval before being deactivated.
Access deactivation processes are closely linked to rehire scenarios where returnees must be automatically identified and either reactivated or blocked from returning, depending on their status when they last left the organization.
Identity Manager can be used to automate both urgent and scheduled access deactivation.