===== Identity life cycle (ILC) =====

It is a **contract** that defines the link between an identity and a tree structure. A contract also plays a significant part in assigning a role to an identity. Every identity has at least one contract, as **a (manually assigned or automatic) role is always assigned to a contract, not directly to an identity**.

==== Default settings ====

  - a default contract is established automatically once an identity has been created
  - provided a default element of the organizational structure is pre-configured, an identity is placed in this position within the structure when creating a default contract
  - if there is no selected default element of the structure, the identity is "placed" in a position titled **"Default"** WITHOUT being included in the organizational structure.

==== Search managers by CR ====

Managers can be looked up through:

  * tree structures - identity with a on the tree node above.
  * a direct contract manager - supervisors.

{{ :devel:documentation:identities:adm:managers.png?600 |}}

===== HR processes: End of contracts, and invalid contracts =====

HR processes depend on the state of a contract and its validity.

==== Prime contract position ====

A contract can be flagged as "main". There can be more than one contract flagged as main, or none at all.

==== States of a contract ====

Contracts can be:

  - valid
  - valid but ''EXCLUDED'', provided the ''validFrom'' and ''validTill'' attributes are filled. Roles assigned to this contract are not removed; accounts on target systems remain intact. Roles assigned to this contract are not added to a logged-in identity
  - invalid or with the ''DISABLED'' attribute
  - in a "null" state, if no values are entered in the ''validFrom'' and ''validTill'' attributes

TERMINATION

  * **When a contract is terminated or invalidated**, all the roles coupled with this contract will cease to exist as well.
  * **Once terminated**, all assigned roles for a given contract are removed.

INVALID CONTRACTS

  * **When a contract is invalid**, all assigned roles for this contract – be they automatic or manually assigned – are removed. No roles can be assigned to an invalid contract.
  * **For a periodic review of invalid contracts**, the ''IdentityContractExpirationTaskExecutor'' task can be used and scheduled.
  * **Once a contract becomes valid again**, all automatic roles are assigned again.

{{ :devel:documentation:identities:adm:task.png?800 |}}

DISABLED IDENTITY AND REACTIVATION

  * **When an identity’s last contract is removed or all contracts are invalid or excluded**, then the identity is disabled. Once the contract becomes valid once again or a new valid contract is added, the identity is activated again.

CONTRACTS WITH TIME SLICES

  * Note that contracts cannot be modified or removed when they contain some time slices (i.e., are controlled by slices). Only when the **last slice** of the contract is deleted can the contract be deleted, too. See more on time slices [[devel:documentation:contracts:adm:contract_time_slices|here]].

==== These automatic HR processes can be executed in two ways: ====

  - the process is executed as soon as an identity’s contract is changed (active operation)
  - long-running tasks are scheduled, mainly overnight. So while the contract change is saved during the synchronization from a source system, the respective HR processes are executed separately afterwards

==== Other contractual positions ====

Other contractual positions which can be set are used just for the assignment of automatic roles by the tree structure. \\ Note: the filtering and evaluating of managers and subordinates through other contractual positions is not supported.

===== Roles, organizations, and contracts =====

=== Linking a role to the organizational structure ===

Everyone authorized to edit a role can assign the role to a component of any organizational structure.
Assigning a role to a structural component, or removing it from one, is subject to the same approval as when an ordinary user is to be assigned a role. Once the approval is granted, this amounts to a sort of "pre-approval" for all the users incorporated within the organizational structure. From then on, assigning a role to a user does not require a special approval (it has already been approved for the entire organizational unit in which the user is situated).

=== Displaying information about automatically assigned roles ===

The information about the roles linked to the organizational structure is displayed in these sections:

  * In the structure component detail, there is a list of roles which have been assigned to it
  * For every role, a list of structural components (the whole path in the tree), for which the role is automatically assigned to users, is displayed.
  * For every user, there is a list of assigned roles that they have been granted automatically.

===== Audit =====

All changes regarding roles coupled with organizational structures are audited. The log provides this information:

  * changes in roles, new automatic rules
  * references to the process through which changes had occurred: synchronization or via the web
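
The contract rules from the HR processes section above (invalid contracts hold no roles, ''EXCLUDED'' contracts keep theirs, an identity with no valid non-excluded contract is disabled) can be reconciled against an exported snapshot. The check below is an added example, not the product's own code: the ''Contract'' and ''Identity'' classes, the ''state'' field and the sample data are hypothetical, and it assumes that empty dates mean an open-ended bound and that the ''validTill'' day itself is still valid.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Contract:  # hypothetical model, not the product's entity
    id: str
    valid_from: Optional[date] = None  # validFrom
    valid_till: Optional[date] = None  # validTill
    state: Optional[str] = None        # None, "EXCLUDED" or "DISABLED"
    roles: list = field(default_factory=list)

    def is_valid(self, today: date) -> bool:
        # Assumptions: empty dates are open-ended bounds, validTill is inclusive.
        if self.state == "DISABLED":
            return False
        if self.valid_from and today < self.valid_from:
            return False
        return not (self.valid_till and today > self.valid_till)

@dataclass
class Identity:  # hypothetical model
    username: str
    disabled: bool
    contracts: list

def audit(identities, today):
    """Return (stale_roles, to_disable, to_enable) for a snapshot."""
    stale, to_disable, to_enable = [], [], []
    for ident in identities:
        for c in ident.contracts:
            # Invalid contracts must hold no roles; EXCLUDED ones keep theirs.
            if not c.is_valid(today):
                stale += [(ident.username, c.id, r) for r in c.roles]
        # An identity stays enabled only with a valid, non-excluded contract.
        active = any(c.is_valid(today) and c.state != "EXCLUDED"
                     for c in ident.contracts)
        if not active and not ident.disabled:
            to_disable.append(ident.username)
        elif active and ident.disabled:
            to_enable.append(ident.username)
    return stale, to_disable, to_enable

# Constructed sample snapshot (not real data).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Identity("alice", False, [Contract("c1", date(2020, 1, 1), date(2030, 1, 1), None, ["hr-reader"])]),
    Identity("bob", False, [Contract("c2", date(2020, 1, 1), date(2024, 5, 31), None, ["vpn", "erp-user"])]),
    Identity("carol", False, [Contract("c3", date(2020, 1, 1), date(2030, 1, 1), "EXCLUDED", ["erp-user"])]),
    Identity("dave", True, [Contract("c4", date(2024, 1, 1), None, None, [])]),
]
```

Any entry in the first list is a role that outlived its contract; the second and third lists are identities whose enabled flag disagrees with their contracts.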