CzechIdM is quite versatile. The same workflow processes are executed as either

  • HR processes, 
  • or long running tasks. 

The difference between the two is in the time of execution: processors execute a process immediately as soon as an identity contract is changed (active operation), whereas long running tasks are scheduled to be executed mostly over night. So only the contract change takes effect (is saved), while the HR processes are executed separately. You can configure the preferred manner: a processor can be disabled, long running tasks can be scheduled, and vice versa.

In this text, we outline the core set of HR processes delivered by CzechIdM. Granted, these can be customized and extended to fit your needs. All these HR processes can be started automatically once a contract relationships synchronization session has been concluded correctly.

The process initiates for every identity contract that has become valid only recently (meaning it was not valid before). If an identity, the owner of the contract, was previously disabled, the process now sets the identity state to VALID. This process does not address automatic role assignment, as that is done by an internal feature automatically.

The process is initiated for every contract that has recently turned invalid (meaning it was valid, but now it's not any more). The new identity state is evaluated, and if the processed contract happens to be the last valid contract of the respective identity, its state is changed to LEFT, and the identity is disabled. All previously assigned roles - to the terminated contract that is - are removed as a result of this process.

The validity of a contract is evaluated by two factors:

  1. the current date is between or equal to the time validity of a contract
  2. contract state - DISABLED, EXCLUDED

Both 'Enabled contract' and 'End of contract' processes are merely concerned with the aspect of the time validity of a contract. In contrast, 'Contract exclusion' deals with a situation when a contract is valid from the point of view of time, and yet it is in the state EXCLUDED (manually or as a result of synchronization from an authoritative data source). The process starts for all contracts that are excluded. New identity states are evaluated, and if the processed contract happens to be an identity’s last valid but not-excluded contract, the identity state is set to DISABLED. No roles are removed in this process, nor by standard CzechIdM features.

Whenever an identity's contract is linked to a placement in the organizational structure, all default roles related to the placement are assigned to the identity’s contract. This feature is referred to as automatic roles assignment. Automatic roles needn’t go through a role approval process, and are assigned immediately. If a contract is to start in the future, all automatic roles are assigned anyway, but the validity date of each role is nonetheless tied to the validity of contract as such.

Once the placement of a contract is removed or changed, CzechIdM recalculates all assigned automatic roles. For any new work placements, an assignment process is executed anew, and consequently, all automatic roles related to the new placements are assigned. At the same time, all automatic roles linked to the original placement are removed from the identity. Only the default roles for both the new and old work placement remain unchanged.