Joiners, movers, leavers processes
The Joiners, Movers and Leavers (JML) process is the way the identity system handles the journey a user takes through a particular organization.
This means that rules or workflows are needed to define what happens when a person joins (is hired by the company), when an employee moves within the organization in a way that may affect their level of access (their job title changes, or they move to a different department or location), and, finally, when somebody leaves the organization.
These rules may vary from case to case. For example, one may have one set of rules for employees and another for contractors. Also, the data about joiners may come from different sources, such as an HR system or a manager.
Hence, the variety of 'movement' within the organization creates a need for a separate set of rules for each case.
Joiners
The joiners process covers a new employee or contractor being added to OpenIAM. The information about a new hire may come from different sources, such as an HR system, a manager, self-registration, etc. New hires are detected after synchronization, and they are granted access according to the business rules.
The diagram below provides an example of how the information captured above can be complemented.
Movers
Movers, or position changes, usually refer to changes in a job and can be identified through changes in title, job code, manager, or department. The attributes are not limited to those named: any change in the position that may affect the access a user has in the system counts. If one or more of the attributes associated with a position change does change, OpenIAM starts the position change workflows.
The overall position change process is shown in the example below:
The movers and joiners workflows begin in the same way, with a synchronization script. However, after the data has been validated by a validation script and the transformation script has mapped the incoming changes to OpenIAM attributes, several options arise.
Option 1
One can define business rules through birthright access, which defines the initial access a user should have. Based on that, the required policy map is processed, the access is granted or ended, and the message bus sends a message to the connector. Afterwards, the needed access is created in OpenIAM and the connector receives the message for provisioning.
Option 2
A manager can request access in connection with a position change. Here, after the scripts have run, the manager receives a message about the need to review the user's access certification. Afterwards, the manager can request the access needed for the user.
Option 3
One can also introduce a hybrid solution between Options 1 and 2. For instance, some access types can be granted automatically via the business rules set, while other access types can be granted only by request.
Leavers
Leavers, or terminations, refer to users that leave the organization and need to have their access terminated.
The overall leavers process is shown in the example below:
Again, like the movers process, there are several options for how access can be terminated. The specific thing about the leavers process is that on the end date (the last working day) the user's status in OpenIAM is set to Terminated. After that, a message is sent to every managed system where this user has an account, and access can be deleted in several ways:
- Access is deleted immediately.
- First, the account is disabled. If the target system is a directory, the user is then moved to a disabled users OU and deleted from there after some time.
- One can choose a hybrid approach to deleting users, for instance disabling first and then deleting, without moving the users to the disabled users OU.
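The following is an added illustrative model of the mover detection described above and of the three leaver deprovisioning options just listed. It is not OpenIAM code: the attribute names, the strategy names and the step labels are assumptions chosen for the example, and end dates are ISO date strings so they compare as text.

```python
# Illustrative JML model (added example, not OpenIAM's implementation).
# Attribute names, strategy names and step labels are assumptions.

# Attribute changes treated as a position change (mover), per the page.
POSITION_ATTRS = ("title", "job_code", "manager", "department")


def classify(existing, incoming, today):
    """Compare a synchronized HR record with the identity already known.

    existing: dict of current attributes, or None if the user is new.
    incoming: dict from the HR feed; optional 'end_date' as 'YYYY-MM-DD'.
    today:    'YYYY-MM-DD'.  Returns (event, changed_position_attributes).
    """
    end_date = incoming.get("end_date")
    # End date reached: leaver.  Checked first so that a record whose end
    # date has already passed is never provisioned, even for an unknown user.
    if end_date is not None and end_date <= today:
        return "leaver", ()
    if existing is None:
        return "joiner", ()
    changed = tuple(a for a in POSITION_ATTRS
                    if existing.get(a) != incoming.get(a))
    if changed:
        return "mover", changed        # position change workflow starts
    return "no_change", ()


def plan_leaver(strategy, targets):
    """Build the termination plan for a leaver.

    strategy: 'immediate', 'disable_move_delete' or 'disable_delete'.
    targets:  {system_name: is_directory} for every managed system where
              the user has an account.
    The user status is set to Terminated; each target gets ordered steps.
    """
    plan = {"user_status": "Terminated", "targets": {}}
    for name, is_directory in targets.items():
        if strategy == "immediate":
            steps = ["delete"]
        elif strategy == "disable_move_delete":
            steps = ["disable"]
            if is_directory:               # only directories have an OU
                steps.append("move_to_disabled_ou")
            steps.append("delete_after_retention")
        elif strategy == "disable_delete":
            steps = ["disable", "delete_after_retention"]
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        plan["targets"][name] = steps
    return plan
```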
Here, an important thing to consider is that the rules guiding JML processes need to be dictated by business need, so one must adapt to how a company works and support its processes.
On the following pages, you will find a tutorial for defining the JML process in OpenIAM.