Lifecycle Business Rules
Lifecycle Business is an HR model that defines the various stages in which a worker progresses within an organization. Lifecycle Business Rules provides four stages:
- Hire, Rehire
- Change of Role
- Termination
- Leave:
- Long term leave
- FMLA (Family and Medical Leave Act)
- Legal
- Security and Discipline
You can select the Employee Lifecycle required for your business use cases. At the runtime, the workflow will only process employee which match the selected stages.
Hire, Rehire¶
Create or reactivate user in Identity Platform upon hire or rehire. Using this operation, you can create an Employee profile in the Identity Platform when an employee is created in HR system.
Choose password format - You can select one of the formats for the password you intend to create for a newly onboarded user.
-
A common password for ALL Employees - Select the "a common password for ALL Employees" format. It will provide the text area in which you can map from HR Profile or put user input value for password. You can also put some conditions using excel function.
Figure 3. Choosing a common password during Hiring or Rehiring user in AD -
Unique System generated password - Choose the initial password length to match your identity platform password policy. Password is randomly generated according to the provided length.
Figure 4. Choosing system generated password length during Hiring or Rehiring user in AD
Select User Account Control - You can select the user account control of the user from the dropdown which you want to assign to the user in Identity Platform during onboarding process. The user account control available in Hire2Retire are:
- 512 - Account Enabled: The user account is active and enabled.
- 66048 - Account Enabled, Password Never Expires: The user account is active and enabled, with the password set to never expire.
Require user to change their password when they first sign in - This checkbox will prompt the user to change their password upon their initial login. It is selected by default. You can unselect it to not require the user to change their password.
Write back work email to HR system during new hire/rehire process
- Since this feature is compatible only with specific API based HR systems, if this option is available and selected in your workflow, then the Identity Platform will first generate emails for newly onboarded employees. These emails will then be recorded in the business email field within HR applications.
For Rehire, to update your work email in the HR system, you need to deselect the primary email field from the non-updatable fields. By default, this field is non-updatable, but once deselected, you can update the email information in the Identity Platform. The new email address will then be recorded in the business email field within the HR applications.
Exclude Employee Attributes on Rehiring - The workflow would update employee attributes on rehiring if any attributes changed in HR platform. You can select not to change some attributes during rehiring.
Handling of Group Membership : For Rehire, groups which are added manually ( not with H2R ) to the user will be preserved, only the one mapped in group membership step will be added/removed according to the condition specified in that step.
Pre-boarding & On-boarding¶
Select the time to execute preboarding and onboarding - This field allows you to select when the preboarding or onboarding event should occur. You can use the lookup table (highlighted in red) to define scenarios based on specific attributes. If the conditions are met, the chosen timestamp will be applied. If not, the event will default to the pre-set timestamp.
Days in advance of start date to pre-board employee - This field is used to enhance the pre-boarding experience for the IT team. Select the number of days before the start date of the new hire that you would like Hire2Retire to create an account for them. If this number depends on details like 'Department' or 'Location,' you can use the lookup table icon to set different rules for different situations.
By default employee is created in disable state, uncheck to enable employee upon creation - This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to pre-board employee'. This checkbox ensures that the user is created in disabled state during preboard event. It is selected by default. You can unselect it to create the user in enabled state.
Time in advance of start date time to enable the account
- This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to pre-board employee'. The checkbox (highlighted in blue) is used to select the time (4, 8, or 12 hours) before the start date time to enable the account.
Change of Role¶
Update user in Identity Platform when employee is updated in HR system. Using this operation, you can update an Employee profile in the Identity Platform when employee is updated in HR system.
Handling of Group Memberships¶
The group memberships of employee's profile will be updated with the change of role operation based on the below selection.
Retain all groups NOT defined in group mapping automation - Groups which are added manually ( not with H2R ) to the user will be preserved, only the one mapped in group membership step will be added/removed according to the condition specified in that step.
Retain ALL existing groups - None of the existing group memberships will be removed and only new groups memberships will be added.
Do not retain any existing groups - All the existing group memberships will be removed and new groups memberships will be added.
Retain below selected groups - The selected group memberships will not be removed, rest will be removed along with the addition of new group memberships.
In a multi-domain controller setup, when selecting the 'Retain below selected groups' option under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.
Exclude Employee Attributes on Updating - The selected attributes will not be considered when updating an employee profile.
Write back work email to HR system when mail is updated - Since this feature is compatible only with specific API based HR systems, if this option is available and selected in your workflow, then note that primary email field is set as non-updatable by default, However, you can deselect this field to update the email information in the Identity Platform, which will then be reflected in the business email field in HR applications.
Termination¶
Terminate user in Identity Platform when employee is terminated in HR system. Using this operation, you can terminate an Employee account in the Identity Platform when an employee is terminated in HR system.
Choose OU for terminated user - All terminated users will be moved to the selected user group. By default, the "Do not change OU" option is selected which does not change the OU of the user upon termination.
Selected attributes will be purged on termination - All the selected Identity Platform attributes will be purged upon termination. The values of unselected attribute(s) will be preserved as it is.
Set Description on termination - Users can choose to add description on employee's profile upon termination. This is be an optional field. With the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified description will be applied. If not, the event will use the default description.
Note: Set Description on Termination feature will not work if the user has selected the description attribute for purging or excluded description attribute update on terminating.
And, if you have enabled 'Enable pre-boarding, future hires and scheduled terminations' on Application page then below mentioned options will be provided in the design.
Scheduled Terminations¶
Employee termination time
- Choose preferred time to schedule the termination record of the employee. In this, the termination event will take place on the scheduled time.
With the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified timestamp will be applied. If not, the event will use the default timestamp.
Day(s) to terminate after the last day worked
- Select the number of day(s) by which you want to delay the offboarding of an employee after their termination date. By default, none option is selected, you can modify it as per the requirements.
Using the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the number of days specified will be applied. If not, the event will use the default number of days.
Support Immediate Termination - Based on the provided condition, employee will be terminated effectively irrespective of the last day.
Handling of Group Memberships¶
The group memberships will be updated upon terminating an employee profile based on the below selection.
Remove ALL assigned groups - All the assigned group memberships will be removed.
Retain ALL assigned groups - None of the existing group memberships will be removed.
Remove selected groups - The selected group memberships will be removed, rest will be preserved as it is.
Retain selected groups - The selected group memberships will be preserved, rest will be removed.
Remove directly assigned Microsoft licenses - All directly assigned microsoft licenses will be unassigned from the user. If it is unchecked, we will not touch any directly assigned licenses.
Note: For Hybrid AD flows, the checkbox "Remove directly assigned Microsoft licenses" will only be visible when the 'Entra ID Security Groups' option is selected on the application page.
Give another user access to OneDrive - An employee's OneDrive can be shared with another user upon termination. For more information click here.
Convert user mailbox to shared mailbox - Mailbox of employee will be converted to shared mailbox upon termination. For more information click here.
In a multi-domain controller setup, when selecting the 'Retain selected groups' and 'Remove selected groups' option under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.
Delete account after the aging period
- User account will be deleted from Identity Platform after the specified aging period. Only the terminated employee account which match the criteria will be deleted. If none of the criteria matches, then default aging period will be selected.
Exclude Employee Attributes on Terminating - The workflow would update employee attributes on termination if any attributes changed in HR platform. You can select not to change some attributes on termination.
Leave¶
An organisation can have multiple type of leave for their employees. Hire2Retire supports multiple type of leaves to choose from. Each type can be configured to specify employee's access differently for different leave types based on the requirement.
- Long-Term Leave: Long-term leave refers to an extended period off from work, usually beyond a few weeks or months. It could be due to medical reasons, maternity/paternity leave, sabbaticals, or other personal reasons. It is the general type of leave and is currently supported in Hire2Retire
- FMLA (Family and Medical Leave Act): FMLA is a federal law in the United States that entitles eligible employees of covered employers to take unpaid, job-protected leave for specified family and medical reasons with continuation of group health insurance coverage under the same terms and conditions as if the employee had not taken leave.
- Legal Leave: Legal leave refers to type of leave that is granted to an employee as required or protected by law. This could include leave for jury duty, military service, voting, or other legally mandated absences.
- Security and Disciplinary Leave: Security and Disciplinary leave is a type of leave that is imposed as a result of disciplinary action taken against an employee for misconduct or violation of company policies.
According to the leave types chosen, you can configure the below properties. You can configure one or many type of leaves according to the usage.
If you have selected an ATS System then you will not be provided with the leave operation.
Disable User - (Optional) Select the Disable User checkbox to terminate the user.
Choose OU - Choose OU, which you want to configure for an employee which is on long term leave. You can choose "Do not change OU" from the dropdown if you do not want to change an OU.
Handling of Groups Memberships¶
Retain ALL assigned groups - None of the existing group memberships will be removed.
Remove ALL assigned groups - All the existing group memberships will be removed.
Retain selected groups - The selected group memberships will be preserved when an employee is on long term leave, rest will be removed.
Remove selected groups - The selected group memberships will be removed when an employee is on leave, rest will be preserved as it is.
In a multi-domain controller setup, when selecting the 'Retain selected groups' and 'Remove selected groups' option under 'Handling groups memberships', you can select Groups for any of the base DNs in your AD.
Exclude Employee Attribute - If you want any data that should not be updated, then you can check those attributes from the multi-select checklist when you leave an employee.