In many organizations, there is a need to support a variety of "re-hire" scenarios. These can be broken down into several types:
- A user is terminated and should never be rehired.
- A user leaves but may be re-hired in the future.
- A user takes an extended leave and may return after several months or years.
- A user changes status -- for example, a contractor becomes an employee or a student becomes a faculty member.
In each case, there are three components to the process:
- Set status attributes at the time of termination -- for example "user may be rehired" or "user should never be allowed back."
- Retain enough information about the user to both identify him again in the future and examine his departure status.
- When onboarding new users, check to see if they are actually new entries for old users and process accordingly.
Hitachi ID Identity Manager supports these scenarios with a number of key features:
- User profile attributes contain identity attributes, which may include termination status.
- Identity attributes are subject to ACLs. For example, users may not be able to see their termination status, even if it is set before they leave.
- User profiles can be retained indefinitely. This in particular is supported by the Hitachi ID Systems licensing model, which does not charge for users who are (a) gone and (b) no longer have login IDs on any integrated target system. In other words, "empty profiles" are free.
- Identity Manager access request forms support plug-in points, which can be used to search existing user profiles for pre-existing records of supposedly-new hires. Customers can implement their own search logic in these plug-ins and block matches. For example, a user may fill in an access request form for a (supposedly) new contractor and a plug-in will search for pre-existing profiles that have the same first name, last name and date of birth or an existing profile with the same social security number, etc.
- The Identity Manager API includes functions that search for matching user profiles, which are needed by this type of plug-in request validation program.
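One way such a request-validation check could work, as an added example that is not Hitachi ID code and does not use the Identity Manager API: the `Profile` record, the status values and the decision strings are assumptions made for illustration. It matches on normalized first name, last name and date of birth, or on social security number, and reports the most restrictive matching profile.

```python
import unicodedata
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Profile:            # hypothetical record shape, not the product's schema
    profile_id: str
    first: str
    last: str
    dob: date
    ssn: Optional[str]
    status: str           # assumed values: active, rehire_allowed, never_rehire

# Most restrictive outcome first, so a never-rehire match cannot be masked.
SEVERITY = {"never_rehire": 0, "active": 1, "rehire_allowed": 2}
DECISION = {"never_rehire": "block_never_rehire", "active": "block_duplicate",
            "rehire_allowed": "block_reactivate_instead"}

def norm_name(s: str) -> str:
    """Fold case, accents, spacing and punctuation so 'José ' == 'JOSE'."""
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s.casefold()
                   if c.isalnum() and not unicodedata.combining(c))

def norm_ssn(s: Optional[str]) -> Optional[str]:
    """Keep digits only; an empty or missing value never matches anything."""
    digits = "".join(c for c in (s or "") if c.isdigit())
    return digits or None

def check_request(first, last, dob, ssn, profiles):
    """Return (decision, matching profile id or None) for a new-user request."""
    key, req_ssn = (norm_name(first), norm_name(last), dob), norm_ssn(ssn)
    hits = [p for p in profiles
            if (req_ssn is not None and req_ssn == norm_ssn(p.ssn))
            or key == (norm_name(p.first), norm_name(p.last), p.dob)]
    if not hits:
        return ("allow", None)
    worst = min(hits, key=lambda p: SEVERITY[p.status])
    return (DECISION[worst.status], worst.profile_id)

# Constructed sample data; the SSNs use the never-issued 000 area number.
PROFILES = [
    Profile("P-1001", "José", "O'Brien", date(1980, 5, 17), "000-00-0001", "rehire_allowed"),
    Profile("P-1002", "Dana", "Smith", date(1975, 1, 2), "000-00-0002", "never_rehire"),
]
```

Returning the matched profile identifier along with the decision lets the request form tell the requester which old profile to reactivate, or that the person may not return.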
The user experience with these components depends on the business process in question:
- A user mistakenly trying to provision a new user for someone who already has a terminated user profile record:
  - Will be blocked from completing the new-user onboarding process.
  - Will be informed about whether bringing back the old user is allowed.
  - Will be informed of the old user profile's identifier.
- The user experience when interactively trying to reactivate an old profile (i.e., knowing that the new user is a returning old user)
- The user experience when an automated process consumes a data feed (examples: HR data or student database) which includes "re-hired" users is that these users are not automatically provisioned and instead an e-mail is sent to a human user to sort out what to do about each one.
Identity Manager can be used to track identity attributes and information about the circumstances under which a user left an organization. It can then detect and block onboarding of returning users, instead prompting users to either reactivate the returning user's old profile or to halt the process, since the user in question should not be allowed back.