Lifecycle Business Rules (Onboarding)
Lifecycle Business is an Onboarding model that defines the various stages in which a user progresses within an organization. Lifecycle Business Rules provides 2 stages in Onboarding:
- Hire, Rehire
- Change of Profile or Role
You can select the user lifecycle required for your business use cases. At the runtime, the workflow will only process user which match the selected stages.
Hire, Rehire¶
Create or reactivate users in the Identity Platform upon hire or rehire. Using this operation, you can create an Employee profile in the Identity Platform when an employee is created in the Onboarding system.
Choose password format - You can select one of the formats for the password you intend to create for a newly onboarded user.
-
A common password for ALL Employees - Select the "a common password for ALL Employees" format. It will provide the text area in which you can map from the Onboarding Profile or put a user input value for the password. You can also put some conditions using the Excel function.
Figure 3. Choosing a common password during Hiring or Rehiring user in AD -
Unique System-generated password - Select the initial password length to align with your identity platform's password policy. The password will be randomly generated based on the specified length and will include at least one lowercase letter, one uppercase letter, one numeric digit, and one special character. If needed, you can opt to receive the password via email by mapping the Password attribute in the Communication Hub.
Figure 4. Choosing system-generated password length during Hiring or Rehiring for users in AD
Select User Account Control - You can select the user account control of the user from the dropdown that you want to assign to the user in the Identity Platform during the onboarding process. The user account control available in Hire2Retire are:
- 512 - Account Enabled: The user account is active and enabled.
- 66048 - Account Enabled, Password Never Expires: The user account is active and enabled, with the password set to never expire.
Require user to change their password when they first sign in - This checkbox will prompt the user to change their password upon their initial login. It is selected by default. You can unselect it to not require the user to change their password.
Temporary Access Pass - This checkbox will only appear when using the Entra ID Identity Management system. It is used to generate a temporary password (TAP) when a user is created in the Azure portal.
-
The user can set the duration for which the TAP is valid, allowing the employee to log in once or multiple times within that time period.
-
To use this feature, the application must have the UserAuthenticationMethod.ReadWrite.All permission.
-
If a service provider connection is selected, the user must have the Authentication Administrator role.
For more details, how to add these permissions and roles please check this Entra ID.
Exclude Employee Attributes on Rehiring - The workflow would update employee attributes on rehiring if any attributes changed in the Onboarding platform. You can select not to change some attributes during rehiring.
Handling of Group Membership : For Rehire, groups that are added manually ( not with H2R ) to the user will be preserved, only the one mapped in the group membership step will be added/removed according to the condition specified in that step.
Onboard & Hire¶
Select the time to execute Onboard and Hire - This field allows you to select when the Onboarding or Hire event should occur. You can use the lookup table (highlighted in red) to define scenarios based on specific attributes. If the conditions are met, the chosen timestamp will be applied. If not, the event will default to the pre-set timestamp.
Days in advance of start date to onboard employee - This field is used to enhance the onboard experience for the IT team. Select the number of days before the start date of the new hire that you would like Hire2Retire to create an account for them. If this number depends on details like 'Department' or 'Location,' you can use the lookup table icon to set different rules for different situations.
By default employee is created in disable state, uncheck to enable employee upon creation - This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to onboard employee'. This checkbox ensures that the user is created in a disabled state during the onboard event. It is selected by default. You can unselect it to create the an user in enabled state.
Time in advance of start date time to enable the account
- This checkbox is visible when you select any number of days from the dropdown 'Days in advance of start date to onboard employee'. The checkbox (highlighted in blue) is used to select the time (4, 8, or 12 hours) before the start date time to enable the account.
Note By default, an employee's password will be reset upon their rehire.
Change of Profile or Role¶
Update the user in the Identity Platform when the user's profile is updated in Onboarding system. Using this operation, you can update a user's profile in the Identity Platform when the user is updated in Onboarding system.
Whitelist (retain) some of the security groups and distribution lists¶
The handling of security groups and distribution lists will be done while updating a candidate profile according to the selection below.
Retain all groups NOT defined in group mapping automation - Groups which are added manually ( not with H2R ) to the user will be preserved, only the one mapped in group membership step will be added/removed according to the condition specified in that step.
Retain ALL existing groups - None of the existing group memberships will be removed and only new groups memberships will be added.
Do not retain any existing groups - All the existing group memberships will be removed and new groups memberships will be added.
Retain below selected groups - The selected group memberships will not be removed, rest will be removed along with the addition of new group memberships.
Exclude Employee Attributes on Updating¶
The selected attributes will not be consider when updating a candidate profile.
