
Lifecycle Business Rules

Lifecycle Business Rules is an HR model that defines the stages through which a worker progresses within an organization. Lifecycle Business Rules provides four stages:

  1. Hire, Rehire
  2. Change of Profile or Role
  3. Termination
  4. Leave:
    • Long term leave
    • FMLA (Family and Medical Leave Act)
    • Legal
    • Security and Discipline

You can select the Employee Lifecycle stages required for your business use cases. At runtime, the workflow will only process employees who match the selected stages.

Figure 1. Lifecycle Business Rules

Figure 2. Lifecycle Business Rules

Hire, Rehire

Create or reactivate users in the Identity Platform upon hire or rehire. Using this operation, you can create an Employee profile in the Identity Platform when an employee is created in the HR system.

Choose password format - You can select one of the following formats for the password that is created for a newly onboarded user.

  1. A common password for ALL Employees - Select the "A common password for ALL Employees" format. It provides a text area in which you can map a value from the HR profile or enter a fixed value for the password. You can also apply conditions using Excel functions.

    Figure 3. Choosing a common password during Hiring or Rehiring user in AD

  2. Unique System-generated password - Select the initial password length to align with your identity platform's password policy. The password will be randomly generated based on the specified length and will include at least one lowercase letter, one uppercase letter, one numeric digit, and one special character. If needed, you can opt to receive the password via email by mapping the Password attribute in the Communication Hub.

    Figure 4. Choosing system-generated password length during Hiring or Rehiring for users in AD
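As an added illustration of what the "Unique System-generated password" option describes (this is example code, not Hire2Retire's own implementation), the following Python generates a password of a chosen length that contains at least one lowercase letter, one uppercase letter, one digit and one special character, drawing from the operating system's cryptographic random source, and refuses lengths below a configurable policy minimum so that a password the identity platform would reject is never produced. The special-character set and the default policy minimum are assumptions.

```python
import secrets
import string

# Added example, not Hire2Retire's code: generate an initial password with the
# character-class guarantee the documentation describes, and check a candidate
# against the same rule. SPECIAL and the default policy minimum are assumptions.

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def meets_complexity(password: str) -> bool:
    """True when every character class is represented and only allowed characters appear."""
    every_class_present = all(any(c in cls for c in password) for cls in CLASSES)
    only_allowed = all(c in ALPHABET for c in password)
    return every_class_present and only_allowed


def generate_initial_password(length: int, policy_min_length: int = 12) -> str:
    """Random initial password of exactly `length` characters.

    `policy_min_length` stands in for the identity platform's password policy: the
    documentation asks you to align the chosen length with it, so a shorter request is
    rejected here rather than silently producing a password the platform will refuse.
    """
    if length < max(policy_min_length, len(CLASSES)):
        raise ValueError(f"length {length} is below the policy minimum {policy_min_length}")
    rng = secrets.SystemRandom()          # OS CSPRNG, never random.Random
    # One guaranteed character from each class, then fill the rest from the union.
    chars = [rng.choice(cls) for cls in CLASSES]
    chars += [rng.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    rng.shuffle(chars)                    # so the guaranteed characters are not always first
    password = "".join(chars)
    assert meets_complexity(password)     # self-check of the invariant described above
    return password
```

The generated value should be handed to the new hire over the delivery channel the workflow is configured for (the documentation mentions mapping the Password attribute in the Communication Hub) and never logged; the "require change at first sign-in" option described below limits how long this initial value stays valid.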

Select User Account Control - From the dropdown, select the user account control value that you want to assign to the user in the Identity Platform during onboarding. The user account control values available in Hire2Retire are:

  1. 512 - Account Enabled: The user account is active and enabled.
  2. 66048 - Account Enabled, Password Never Expires: The user account is active and enabled, with the password set to never expire.

Figure 5. Selecting User Account Control

Require user to change their password when they first sign in - This checkbox prompts the user to change their password at their initial login. It is selected by default. Unselect it if you do not want to require the user to change their password.

Figure 6. Requiring a user to change the password on the first sign-in
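To show what the two User Account Control values mean, here is an added Python example (not part of the product) that decodes and composes Active Directory userAccountControl bit flags, lists the settings an identity engineer would want reviewed when a workflow assigns such a value, and shows the directory-level check behind "change password at first sign-in" (in AD, pwdLastSet = 0 forces a change at next logon; that the product uses this mechanism is an assumption). The bit names and values are the documented AD flags.

```python
# Added example, not Hire2Retire's code: work with the userAccountControl values the
# "Select User Account Control" dropdown offers (512 and 66048). Bit values are the
# documented Active Directory userAccountControl flags.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
FLAG_BITS = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def compose_uac(*names: str) -> int:
    """Build a userAccountControl integer from flag names; unknown names raise KeyError."""
    value = 0
    for name in names:
        value |= FLAG_BITS[name]
    return value


def is_enabled(value: int) -> bool:
    """512 and 66048 are both enabled accounts; 514 would be a disabled one."""
    return not value & FLAG_BITS["ACCOUNTDISABLE"]


def review_uac(value: int) -> list[str]:
    """Findings worth logging when an onboarding workflow assigns this value."""
    findings = []
    if not value & FLAG_BITS["NORMAL_ACCOUNT"]:
        findings.append("NORMAL_ACCOUNT not set: value is not a standard user account")
    if value & FLAG_BITS["DONT_EXPIRE_PASSWORD"]:
        findings.append("password never expires: exempt from the domain password-age policy")
    if value & FLAG_BITS["PASSWD_NOTREQD"]:
        findings.append("password not required: account may exist with an empty password")
    if value & FLAG_BITS["DONT_REQ_PREAUTH"]:
        findings.append("Kerberos pre-authentication disabled")
    return findings


def must_change_password_at_logon(pwd_last_set: int) -> bool:
    """AD forces a password change at next logon when pwdLastSet is 0. That the
    'Require user to change their password when they first sign in' option is
    realised this way is an assumption about the product."""
    return pwd_last_set == 0
```

Running review_uac over the value a workflow is about to assign (or over accounts it has already created) gives a simple audit hook: 512 produces no findings, while 66048 reports the never-expiring password so that the exception can be approved deliberately rather than applied to every hire by default.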

Write back work email to HR system during new hire/rehire process - This feature is compatible only with specific API-based HR systems. If enabled in your workflow, the Identity Platform will generate work email addresses for newly onboarded employees and record them in the "Business Email" field within the HR application.
For rehired employees, updating the work email in the HR system requires deselecting the "Primary Email" field from the non-updatable fields. By default, this field is non-updatable. Once deselected, you can update the email in the Identity Platform, and the new email address will be recorded in the "Business Email" field in the HR application.

Figure 7. Write back to HR during the onboarding of user(s) in AD

Exclude Employee Attributes on Rehiring - The workflow updates employee attributes on rehiring if any attributes changed in the HR platform. You can select attributes that should not be changed during rehiring.

Figure 8. Exclude attributes during Rehiring

Handling of Group Membership - For Rehire, groups that were added manually (not with H2R) to the user will be preserved; only the groups mapped in the group membership step will be added or removed according to the condition specified in that step.

Onboard & Hire

Select the time to execute Onboard and Hire - This field allows you to select when the Onboarding or Hire event should occur. You can use the lookup table (highlighted in red) to define scenarios based on specific attributes. If the conditions are met, the chosen timestamp is applied. If not, the event defaults to the pre-set timestamp.

Figure 9. Time stamp for onboard and hire event

Days in advance of start date to onboard employee - This field is used to enhance the onboard experience for the IT team. Select the number of days before the start date of the new hire that you would like Hire2Retire to create an account for them. If this number depends on details like 'Department' or 'Location,' you can use the lookup table icon to set different rules for different situations.

Figure 10. Days in advance for the onboard event

By default employee is created in disable state, uncheck to enable employee upon creation - This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to onboard employee'. It ensures that the user is created in a disabled state during the onboard event. It is selected by default. You can unselect it to create the user in an enabled state.

Figure 11. Selecting the checkbox to create employee in a disabled state

Time in advance of start date time to enable the account - This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to onboard employee'. The checkbox (highlighted in blue) is used to select the time (4, 8, or 12 hours) before the start date time to enable the account.

Figure 12. Time in advance for enabling account

Note: By default, an employee's password will be reset upon their rehire.

Change of Profile or Role

Update the user in the Identity Platform when an employee is updated in HR system. Using this operation, you can update an Employee profile in the Identity Platform when an employee is updated in the HR system.

Handling of Group Memberships

The group memberships of the employee's profile will be updated by the Change of Profile or Role operation based on the selection below.

Retain all groups NOT defined in group mapping automation - Groups that were added manually (not with H2R) to the user will be preserved; only the groups mapped in the group membership step will be added or removed according to the condition specified in that step.

Retain ALL existing groups - None of the existing group memberships will be removed; only new group memberships will be added.

Do not retain any existing groups - All the existing group memberships will be removed and the new group memberships will be added.

Retain below selected groups - The selected group memberships will not be removed; the rest will be removed, and the new group memberships will be added.

Figure 13. Updating Group Memberships during Change of Profile or Role in AD

In a multi-domain controller setup, when selecting the 'Retain below selected groups' option under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.

Figure 14. Updating Group Memberships during Change of Profile or Role in AD with MDC

Exclude Employee Attributes on Updating - The selected attributes will not be considered when updating an employee profile.

Write back work email to HR system when mail is updated - This feature is compatible only with specific API-based HR systems. If this option is available and selected in your workflow, the Identity Platform will update the email, and the change will be reflected in the "Business email" field in the HR application.
Note that the primary email field is set as non-updatable by default; however, you can deselect this field under "Exclude Employee Attribute(s) upon Updating" to update the email information in the Identity Platform.

Figure 15. Change of Profile or Role in AD

Termination

Terminate the user in the Identity Platform when the employee is terminated in the HR system. Using this operation, you can terminate an Employee account in the Identity Platform when an employee is terminated in the HR system.

Choose OU for terminated user - All terminated users will be moved to the selected user group. By default, the "Do not change OU" option is selected, which leaves the user's OU unchanged upon termination.

Figure 16. Terminate the user in AD

Selected attributes will be purged on termination - All the selected Identity Platform attributes will be purged upon termination. The values of unselected attributes are preserved as they are.

Figure 17. Purge user's AD Attributes upon Termination

Set Description on termination - You can choose to add a description to the employee's profile upon termination. This is an optional field. With the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified description is applied. If not, the event uses the default description.

Figure 18. Set Description on Termination

Note: The Set Description on Termination feature will not work if you have selected the description attribute for purging or excluded the description attribute from updates on termination.

If you have enabled 'Enable onboarding, future hires and scheduled terminations' on the Application page, the options below are also provided in the design.

Scheduled Terminations

Employee termination time - Choose a preferred time at which to schedule the termination of the employee record; the termination event takes place at the scheduled time.
With the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified timestamp is applied. If not, the event uses the default timestamp.

Figure 19. Termination event time scheduling

Day(s) to terminate after the last day worked - Select the number of days by which you want to delay the offboarding of an employee after their termination date. By default, the None option is selected; you can change it as required.
Using the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified number of days is applied. If not, the event uses the default number of days.

Figure 20. Schedule days for termination event after termination date

Support Immediate Termination - When the provided condition is met, the employee is terminated immediately, irrespective of their last day worked.

Figure 21. Support immediate termination

Handling of Group Memberships

The group memberships will be updated upon terminating an employee profile based on the selection below.

Remove ALL assigned groups - All the assigned group memberships will be removed.

Retain ALL assigned groups - None of the existing group memberships will be removed.

Remove selected groups - The selected group memberships will be removed; the rest are preserved as they are.

Retain selected groups - The selected group memberships are preserved; the rest are removed.

Figure 22. Handling the Group memberships on employee termination

Remove directly assigned Microsoft licenses - All directly assigned Microsoft licenses will be unassigned from the user. If this option is unchecked, directly assigned licenses are left untouched.

Figure 23. Removing directly assigned Microsoft licenses from the user

Note: For Hybrid AD flows, the checkbox "Remove directly assigned Microsoft licenses" will only be visible when the 'Entra ID Security Groups' option is selected on the application page.

Figure 24. Configure Entra ID Security Groups

Give another user access to OneDrive - An employee's OneDrive can be shared with another user upon termination.

Convert user mailbox to shared mailbox - The mailbox of the employee will be converted to a shared mailbox upon termination.

Figure 25. Terminate the user in AD and convert the user mailbox to a shared mailbox

Figure 26. Terminate user in AD with Multi-Domain Controller

In a multi-domain controller setup, when selecting the 'Retain selected groups' and 'Remove selected groups' option under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.

Figure 27. Handling group memberships during termination in AD with Multi-Domain Controller

Delete account after the aging period - The user account will be deleted from the Identity Platform after the specified aging period. Only terminated employee accounts that match the criteria will be deleted. If none of the criteria match, the default aging period is used.

Figure 28. Delete user account after aging period
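The onboarding timing options (days in advance of the start date, creation in a disabled state, enable lead time), the scheduled-termination options (termination time, days after the last day worked, immediate termination) and the aging-period deletion all follow the same pattern: a lookup table picks a value from employee attributes, otherwise a default applies, and the value shifts a date. The following added Python example (not Hire2Retire's code) works those timestamps out for one constructed employee so that a configuration can be checked before it goes live. The Rule representation of the lookup table, the attribute names, the immediate-termination condition and all dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Added example, not Hire2Retire's code. The "lookup table (highlighted in red)" is
# modelled as an ordered list of Rule objects: first matching rule wins, else default.
# Attribute names, rules and dates below are constructed sample data.


@dataclass
class Rule:
    when: dict      # attribute -> required value; every pair must match
    value: object   # days / time / aging period to apply when it does


def lookup(rules, employee, default):
    """First rule whose conditions all hold for this employee, else the default."""
    for rule in rules:
        if all(employee.get(k) == v for k, v in rule.when.items()):
            return rule.value
    return default


def onboard_plan(employee, start, days_rules, default_days, enable_hours=4, create_disabled=True):
    """When to create the account, whether it starts disabled, and when to enable it.

    Mirrors 'Days in advance of start date to onboard employee', the 'created in
    disabled state' checkbox and 'Time in advance of start date time to enable'.
    """
    days = lookup(days_rules, employee, default_days)
    if days == 0:   # no early creation: the account is created live on the start date
        return {"create_at": start, "created_disabled": False, "enable_at": start}
    if enable_hours not in (4, 8, 12):
        raise ValueError("enable lead time must be 4, 8 or 12 hours")
    create_at = start - timedelta(days=days)
    enable_at = start - timedelta(hours=enable_hours) if create_disabled else create_at
    return {"create_at": create_at, "created_disabled": create_disabled, "enable_at": enable_at}


def termination_plan(employee, last_day, processed_at, delay_rules, default_delay,
                     time_rules, default_time, aging_rules, default_aging_days,
                     immediate_when=None):
    """When the account is terminated and when the aging period deletes it.

    Mirrors 'Employee termination time', 'Day(s) to terminate after the last day
    worked', 'Support Immediate Termination' and 'Delete account after the aging period'.
    """
    if immediate_when is not None and immediate_when(employee):
        terminate_at = processed_at        # irrespective of the last day worked
    else:
        delay = lookup(delay_rules, employee, default_delay)
        at = lookup(time_rules, employee, default_time)
        terminate_at = datetime.combine(last_day + timedelta(days=delay), at)
    aging = lookup(aging_rules, employee, default_aging_days)
    return {"terminate_at": terminate_at, "delete_at": terminate_at + timedelta(days=aging)}


# Constructed sample employee and lookup rules.
EMPLOYEE = {"Department": "Engineering", "Location": "Remote", "TerminationReason": "Voluntary"}
DAYS_RULES = [Rule({"Department": "Engineering"}, 3)]    # engineers 3 days early, default 1
DELAY_RULES = [Rule({"Location": "Remote"}, 2)]          # remote staff: 2 days after last day
TIME_RULES = [Rule({"Location": "HQ"}, time(17, 0))]     # 17:00 at HQ, default 18:00
AGING_RULES = [Rule({"Department": "Finance"}, 90)]      # Finance kept 90 days, default 30


def sample_onboard():
    return onboard_plan(EMPLOYEE, datetime(2025, 3, 10, 9, 0), DAYS_RULES, default_days=1)


def sample_termination(reason="Voluntary"):
    emp = {**EMPLOYEE, "TerminationReason": reason}
    return termination_plan(emp, date(2025, 6, 30), datetime(2025, 6, 28, 10, 30),
                            DELAY_RULES, 0, TIME_RULES, time(18, 0), AGING_RULES, 30,
                            immediate_when=lambda e: e["TerminationReason"] == "Involuntary")
```

Printing the plans for a handful of representative employees is a cheap way to review a design: the gap between create_at and enable_at is the window during which a pre-created but disabled account exists, and the gap between terminate_at and delete_at is how long a terminated account remains in the directory under the aging period.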

Exclude Employee Attributes on Terminating - The workflow updates employee attributes on termination if any attributes changed in the HR platform. You can select attributes that should not be changed on termination.

Figure 29. Excluding attributes to be updated during termination in AD

Note: By default, the manager attribute will be purged. Additionally, if the attribute ms-Exch-Hide-From-Address-Lists (msExchHideFromAddressLists) in Active Directory or showInAddressList in Azure AD is included in your attribute list, the user will be removed from the corresponding address list.

Leave

An organization can have multiple types of leave for its employees. Hire2Retire supports multiple leave types to choose from. Each type can be configured to specify employee access differently, based on the requirement.

  1. Long-Term Leave: Long-term leave refers to an extended period off from work, usually beyond a few weeks or months. It could be due to medical reasons, maternity/paternity leave, sabbaticals, or other personal reasons. It is the general type of leave and is currently supported in Hire2Retire.
  2. FMLA (Family and Medical Leave Act): FMLA is a federal law in the United States that entitles eligible employees of covered employers to take unpaid, job-protected leave for specified family and medical reasons with continuation of group health insurance coverage under the same terms and conditions as if the employee had not taken leave.
  3. Legal Leave: Legal leave refers to a type of leave that is granted to an employee as required or protected by law. This could include leave for jury duty, military service, voting, or other legally mandated absences.
  4. Security and Disciplinary Leave: Security and Disciplinary leave is a type of leave that is imposed as a result of disciplinary action taken against an employee for misconduct or violation of company policies.

According to the leave types chosen, you can configure the properties below. You can configure one or many types of leave according to your usage.

If you have selected an ATS System, then you will not be provided with the leave operation.

Disable User - (Optional) Select the Disable User checkbox to terminate the user.

Choose OU - Choose the OU which you want to configure for an employee who is on long-term leave. You can choose "Do not change OU" from the dropdown if you do not want to change an OU.

Handling of Group Memberships

Retain ALL assigned groups - None of the existing group memberships will be removed.

Remove ALL assigned groups - All the existing group memberships will be removed.

Retain selected groups - The selected group memberships are preserved when an employee is on long-term leave; the rest are removed.

Remove selected groups - The selected group memberships are removed when an employee is on leave; the rest are preserved as they are.
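The "Handling of Group Memberships" options for Rehire, Change of Profile or Role, Termination and Leave all reduce to one question: given the groups the user holds now, the groups the mapping step manages, and the groups the option names, which memberships are added and which removed? The following added Python example (not Hire2Retire's code) computes that as a dry-run plan for each option, which is what an identity engineer would want to log and review before a workflow writes to the directory. The group names and the employee's situation are constructed sample data, and the policy names are this example's own labels for the options described above.

```python
from enum import Enum

# Added example, not Hire2Retire's code: compute the membership changes each
# "Handling of Group Memberships" option implies. Group names are constructed.


class GroupPolicy(Enum):
    RETAIN_UNMAPPED = "retain all groups NOT defined in group mapping automation"
    RETAIN_ALL = "retain ALL existing / assigned groups"
    RETAIN_NONE = "do not retain any existing groups"
    RETAIN_SELECTED = "retain selected groups"
    REMOVE_SELECTED = "remove selected groups"
    REMOVE_ALL = "remove ALL assigned groups"


def reconcile_groups(current, policy, mapped_all=(), mapped_wanted=(), selected=()):
    """Return (to_add, to_remove) as sorted lists.

    current       - groups the user holds in the directory now
    mapped_all    - every group the group-membership step can manage
    mapped_wanted - mapped groups whose condition is true for this employee
                    (empty for termination and leave, which only retain or remove)
    selected      - groups named in a "retain/remove selected groups" option
    """
    current, mapped_all = frozenset(current), frozenset(mapped_all)
    mapped_wanted, selected = frozenset(mapped_wanted), frozenset(selected)
    if policy is GroupPolicy.RETAIN_UNMAPPED:
        keep = (current - mapped_all) | mapped_wanted   # manual groups survive, mapped ones follow the rule
    elif policy is GroupPolicy.RETAIN_ALL:
        keep = current | mapped_wanted
    elif policy in (GroupPolicy.RETAIN_NONE, GroupPolicy.REMOVE_ALL):
        keep = mapped_wanted
    elif policy is GroupPolicy.RETAIN_SELECTED:
        keep = (current & selected) | mapped_wanted
    elif policy is GroupPolicy.REMOVE_SELECTED:
        keep = (current - selected) | mapped_wanted
    else:
        raise ValueError(policy)
    return sorted(keep - current), sorted(current - keep)


# Constructed sample: an employee moving from Finance to Engineering.
# "Legacy-App" was granted by hand, outside the mapping step.
CURRENT = {"VPN-Users", "Finance-Staff", "Legacy-App"}
MAPPED_ALL = {"Finance-Staff", "Eng-Staff", "VPN-Users"}
MAPPED_WANTED = {"Eng-Staff", "VPN-Users"}      # mapping conditions now true for this employee


def change_of_role_group_plan(policy, selected=()):
    return reconcile_groups(CURRENT, policy, MAPPED_ALL, MAPPED_WANTED, selected)


def termination_group_plan(policy, selected=()):
    # Termination and leave have no "wanted" groups: the options only retain or remove.
    return reconcile_groups(CURRENT, policy, MAPPED_ALL, (), selected)
```

Comparing the plans side by side makes the access consequences of each option concrete: with "Retain ALL existing groups" the hand-granted Legacy-App and the old Finance-Staff membership both survive a department change, whereas "Retain all groups NOT defined in group mapping automation" drops Finance-Staff but keeps Legacy-App, which is why manually granted groups deserve a periodic review of their own.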

Figure 30. Process leave for user(s) in AD

Figure 31. Process leave for user(s) in AD with Multi-Domain Controller

In a multi-domain controller setup, when selecting the 'Retain selected groups' and 'Remove selected groups' options under 'Handling of group memberships', you can select Groups for any of the base DNs in your AD.

Figure 32. Process leave for user(s) in AD with Multi-Domain Controller

Figure 33. Process leave for user(s) in AD with Multi-Domain Controller

Exclude Employee Attribute - Select from the multi-select checklist any attributes that should not be updated when an employee goes on leave.

Figure 34. Process leave user in AD