Account Deactivation Process
Every user eventually leaves, for one reason or another, so identity and access management systems must support a range of access deactivation processes.
Several processes are available for timely and reliable user access termination. The appropriate choice depends on the organization's business requirements and preferences:
- Scheduled access termination
Some workers, such as contractors, summer students and temporary staff, have pre-defined termination dates. These dates can be entered or loaded into Hitachi ID Identity Manager.
A scheduled batch process runs periodically on the Identity Manager server and checks for scheduled terminations. It can send e-mails to managers in advance, allowing them to update termination dates (e.g., defer them). It can disable users whose termination date has passed, and it can delete, move or reassign accounts, mailboxes, home directories, etc. for users who have been disabled for a sufficiently long time.
- HR-initiated access termination
HR staff can mark employees and contractors either with a termination date, which is processed as described above, or as already terminated. The Identity Manager automation engine can periodically poll the HR system for such changes and automatically disable login access for every newly-terminated user.
- Manager-initiated access termination
Managers can use the same change request process to request updates to a user's termination date and status. This can be used to schedule or defer termination or to request immediate deactivation. Requests are routed by e-mail to authorizers, who respond on a secure, authenticated web form. Once deactivation requests are approved and/or a user's termination date has elapsed, all login IDs for the indicated user are disabled.
- Urgent access termination
A web-based user management interface allows security administrators to terminate any user's access, on any combination of systems, immediately. This is used for urgent termination scenarios.
Access deactivation processes are closely linked to rehire scenarios where returnees must be automatically identified and either reactivated or blocked from returning, depending on their status when they last left the organization.
Identity Manager can be used to automate both urgent and scheduled access deactivation.
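The decision logic of the scheduled termination batch run described above (warn in advance, disable once the date has passed, clean up after a retention period) can be sketched as follows. This is an added example, not Hitachi ID Identity Manager code; the `User` fields, the action names, and the 14-day warning and 90-day retention values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values (the page gives no numbers).
WARN_DAYS = 14       # warn the manager this many days ahead
RETENTION_DAYS = 90  # how long a disabled user is kept before cleanup

@dataclass
class User:  # hypothetical record, not a product schema
    login: str
    manager: str
    termination_date: Optional[date] = None  # None: no scheduled end
    disabled_on: Optional[date] = None       # None: still enabled

def plan_action(u: User, today: date) -> Optional[str]:
    """Return the one action a batch run should take for this user."""
    if u.disabled_on is not None:
        # Already disabled: delete/move/reassign only after retention.
        if today - u.disabled_on >= timedelta(days=RETENTION_DAYS):
            return "cleanup"
        return None
    if u.termination_date is None:
        return None
    if u.termination_date < today:
        # Date has passed: disable even if no warning was ever sent.
        return "disable"
    if u.termination_date - today <= timedelta(days=WARN_DAYS):
        return "warn_manager"  # manager can still defer the date
    return None

def run_batch(users, today):
    """Map login -> action, omitting users with nothing to do."""
    plan = {u.login: plan_action(u, today) for u in users}
    return {login: act for login, act in plan.items() if act}

TODAY = date(2024, 6, 1)  # constructed sample data follows
USERS = [
    User("contractor1", "alice", termination_date=date(2024, 6, 10)),
    User("student1", "bob", termination_date=date(2024, 5, 31)),
    User("temp1", "bob", date(2024, 1, 31), disabled_on=date(2024, 2, 1)),
    User("temp2", "carol", date(2024, 4, 30), disabled_on=date(2024, 5, 1)),
    User("staff1", "carol"),
    User("contractor2", "alice", termination_date=date(2024, 9, 1)),
]

if __name__ == "__main__":
    for login, action in run_batch(USERS, TODAY).items():
        print(f"{login}: {action}")
```

Because the disable check runs before the warning check, a user whose date was loaded late is still disabled on the next run rather than waiting for a warning cycle.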