Skip to content

Lifecycle Business Rules (ATS)

Lifecycle Business is an ATS model that defines the various stages in which a user progresses within an organization. Lifecycle Business Rules provides 3 stages in ATS:

  1. Onboard
  2. Profile Update
  3. Rescind

You can select the user lifecycle required for your business use cases. At the runtime, the workflow will only process user which match the selected stages.

Lifecycle Business Rules

Figure 1. Lifecycle Business Rules

Lifecycle Business Rules

Figure 2. Lifecycle Business Rules

Onboard

Create or reactivate users in the Identity Platform upon Onboard. Using this operation, you can create a user profile in the Identity Platform when a candidate is created in the ATS system.

Choose password format - You can select one of the formats for the password you intend to create for a newly onboarded user.

  1. Passphrase - Select the passphrase to align with your identity platform's password policy. The password will be randomly generated based on the specified length and will include lowercase letters , one uppercase letter and one numeric digit or one special character. If needed, you can opt to receive the password via email by mapping the Password attribute in the Communication Hub.

    Create user in AD

    Figure 3. Created users in AD

  2. A common password for ALL Employees - Select the "a common password for ALL Employees" format. It will provide the text area, which you can map from the HR Profile or put a user input value for the password. You can also put some conditions using the Excel function.

    Create user in AD

    Figure 4. Create user in AD

  3. Unique System-generated password - Select the initial password length to align with your identity platform's password policy. The password will be randomly generated based on the specified length and will include at least one lowercase letter, one uppercase letter, one numeric digit, and one special character. If needed, you can opt to receive the password via email by mapping the Password attribute in the Communication Hub.

    Create user in AD

    Figure 5. Create user in AD

Select User Account Control - You can select the user account control of the user from the dropdown that you want to assign to the user in the Identity Platform during the onboarding process. The user account control available in Hire2Retire are:

  1. 512 - Account Enabled: The user account is active and enabled.
  2. 66048 - Account Enabled, Password Never Expires: The user account is active and enabled, with the password set to never expire.

Create user in AD

Figure 6. Selecting User Account Control

Require user to change their password when they first sign in - This checkbox will prompt the user to change their password upon their initial login. It is selected by default. You can unselect it to not require the user to change their password.

Create user in AD

Figure 7. Selecting the checkbox to require a user to change the password on the first sign-in

Temporary Access Pass - This checkbox will only appear when using the Entra ID Identity Management system. It is used to generate a temporary password (TAP) when a user is created in the Azure portal.

  • The user can set the duration for which the TAP is valid, allowing the employee to log in once or multiple times within that time period.

  • To use this feature, the application must have the UserAuthenticationMethod.ReadWrite.All permission.

  • If a service provider connection is selected, the user must have the Authentication Administrator role.

For more details, how to add these permissions and roles please check this Entra ID.

Create user in AD

Figure 8. Temporary Access Pass

Create user in AD

Figure 9. Temporary Access Pass checkbox checked

Create the account in disabled state - Check this checkbox if you want to create the user in the disabled state in identity platform, created from the ATS flow.

Create user in AD

Figure 10. Create the account in disabled state

Automatic Termination - Select the aging period for automatic termination if the candidate does not start as a new hire.

Exclude Employee Attributes on Rehiring The selected attributes will not be consider when rehiring a candidate.

Exclude Employee Attributes on Rehiring

Figure 11. Exclude Employee Attributes on Rehiring

Note By default, an employee's password will be reset upon their rehire.

Profile Update

Update the user in the Identity Platform when the user's profile is updated in ATS system. Using this operation, you can update a user's profile in the Identity Platform when the user is updated in ATS system.

Whitelist (retain) some of the security groups and distribution lists

The handling of security groups and distribution lists will be done while updating a candidate profile according to the selection below.

Retain all groups NOT defined in group mapping automation - Groups which are added manually ( not with H2R ) to the user will be preserved, only the one mapped in group membership step will be added/removed according to the condition specified in that step.

Retain ALL existing groups - None of the existing group memberships will be removed and only new groups memberships will be added.

Do not retain any existing groups - All the existing group memberships will be removed and new groups memberships will be added.

Retain below selected groups - The selected group memberships will not be removed, rest will be removed along with the addition of new group memberships.

Handle group type specific membership

It allows user to define individual rules for each group, enabling more precise control over group membership handling. Instead of applying one common rule, user can configure specific retention logic per group type. This is especially useful during employee update, termination and leave lifecycles, where different groups may require different treatment. It ensures flexibility and better alignment with organizational policies.

When both common and group type–specific rules are configured, the group type–specific rule will take precedence over common whitelist group membership.

Change of Profile or Role in AD

Figure 12. Updating Group Specific Memberships during Change of Profile or Role in AD


Change of Profile or Role in AD

Figure 13. Updating Group Specific Memberships during Change of Profile or Role in AD with MDC

Exclude Employee Attributes on Updating

The selected attributes will not be consider when updating a candidate profile.

Profile Update in AD

Figure 14. Profile Update in AD

Rescind

Terminate the user in Identity Platform when the user is terminated in the ATS system. This operation allows you to terminate a user's account in Identity Platform when they are terminated in the ATS system.

Account Deletion for Non-Onboarded Candidates Select the checkbox, "By default, identity accounts will be disabled in the identity platform system when the candidate is unable to onboard. Check to delete accounts," to automatically delete the candidate's account when they are terminated from the identity platform.

Delete User Account

Figure 15. Delete User Account

Choose OU for terminated user - All terminated users will be moved to the selected user group. You can choose "Do not change OU" from the dropdown if you do not want to change an OU.

Terminate user in AD

Figure 16. Terminate user in AD

Selected attributes will be purged when rescind - All the selected Identity Platform attributes will be purged when rescind.

Terminate user in AD

Figure 17. Purge user's AD Attributes when Rescind

Set Description on termination - Users can choose to add description on employee's profile upon termination. This will be an optional field. With the lookup table (highlighted in red), you can set conditions based on attribute values. If the conditions are satisfied, the specified description will be applied. If not, the event will use the default description.

Set Description on Termination

Figure 18. Set Description on Termination

Handling of Group Memberships

The group memberships will be updated upon terminating an employee profile based on the below selection.

Remove ALL assigned groups - All the assigned group memberships will be removed.

Retain ALL assigned groups - None of the existing group memberships will be removed.

Remove Selected groups - The selected group memberships will be removed when a candidate is terminated, rest will be preserved.

Retain selected groups - The selected group memberships will be retained, rest will be removed.

Terminate user in AD

Figure 19. Handling the Group memberships on employee termination

Terminate user in AD

Figure 20. Terminate user in AD with Multi-Domain Controller

In a multi-domain controller setup, when selecting the 'Retain selected groups' or "Remove Selected groups" option under 'Handling of security group and distribution list memberships', you can select Security Groups and Distribution lists for any of the base DNs in your AD.


Terminate user in AD

Figure 21. Terminate user in AD with Multi-Domain Controller

Handle group type specific membership

It allows user to define individual rules for each group, enabling more precise control over group membership handling. Instead of applying one common rule, user can configure specific retention logic per group type. This is especially useful during employee update, termination and leave lifecycles, where different groups may require different treatment. It ensures flexibility and better alignment with organizational policies.

When both common and group type–specific rules are configured, the group type–specific rule will take precedence over common whitelist group membership.

Change of Profile or Role in AD

Figure 22. Updating Group Specific Memberships during Termination


Change of Profile or Role in AD

Figure 23. Updating Group Specific Memberships during Termination with MDC

Exclude Employee Attributes when Rescind - The workflow would update employee attributes when rescind if any attributes changed in the ATS platform. You can select not to change some attributes on termination.

Terminate user in AD

Figure 24. Terminate user in AD

Remove directly assigned Microsoft licenses - All directly assigned microsoft licenses will be unassigned from the user. If it is unchecked, we will not touch any directly assigned licenses.

To use this feature, the application must have the LicenseAssignment.ReadWrite.All permission.

For more details, how to add these permissions and roles please check Entra ID.

Note - By default, the manager attribute will be purged. Additionally, if the attribute ms-Exch-Hide-From-Address-Lists (msExchHideFromAddressLists) in Active Directory or showInAddressList in Azure AD is included in your attribute list, the user will be removed from the corresponding list.