When a user’s employment status changes, the Identity Panel Suite automatically updates their system access to ensure security and compliance. This includes assigning default access roles for new employees and removing any conditional or exception-based access that no longer applies.
How Default Access is Assigned
The Access Panel component of Identity Panel manages access through policies based on user attributes, such as employment status. When a user is marked as a new hire or rehire in the authoritative HR system, the system automatically applies “default roles” based on that status. These roles might include access to email, collaboration tools, or line-of-business systems commonly used in onboarding.
This automation is driven by criteria policies and just-in-time (JIT) access policies:
- Criteria policies define inclusion rules, such as "if user status = Active," and assign entitlements accordingly.
- JIT policies dynamically assign access at the time it's needed, often for contractors or temporary staff.
These policies ensure new users have the right access without needing manual intervention.
How Conditional and Exception-Based Access is Removed
As part of the same automated process, the system also removes previously granted access that is no longer valid. This includes:
- Temporary access granted for a project
- Exception roles manually assigned outside of standard policies
- Roles linked to prior job functions or business units
When a user’s status changes—such as transitioning from “Active” to “Terminated” or “On Leave”—these conditional entitlements are evaluated and revoked based on policy rules.
This behavior supports the Joiner-Mover-Leaver identity lifecycle, ensuring that the system always reflects the user's current role and status.
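The following is an added illustration of the behaviour described in both sections above (default roles assigned by criteria policies, conditional or exception-based access revoked when status or job attributes change). It is not Identity Panel code and does not use its API; the policy names, role names, user attributes and the `reconcile` function are constructed for the example. Criteria policies are modelled as inclusion rules over user attributes that yield a set of default roles; every other entitlement is treated as conditional and is kept only while the user is Active, the grant has not expired, and any attribute it was bound to (for instance a business unit) still matches.

```python
"""Toy Joiner-Mover-Leaver reconciliation (added example, not Identity Panel code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Entitlement:
    role: str
    source: str                                  # "criteria" (default role) or "conditional"
    valid_until: Optional[date] = None           # expiry for temporary / project access
    bound_to: Dict[str, str] = field(default_factory=dict)  # attributes the grant depends on


@dataclass
class User:
    upn: str
    status: str            # value from the authoritative HR feed: "Active", "Terminated", "On Leave", ...
    department: str
    entitlements: List[Entitlement] = field(default_factory=list)


# Constructed criteria policies: (name, inclusion rule over user attributes, default roles assigned)
CRITERIA_POLICIES: List[Tuple[str, Callable[[User], bool], List[str]]] = [
    ("Active baseline", lambda u: u.status == "Active", ["Email", "Collaboration"]),
    ("Finance LOB", lambda u: u.status == "Active" and u.department == "Finance", ["Finance-ERP"]),
]


def desired_default_roles(user: User) -> set:
    """Union of the default roles of every criteria policy whose rule matches the user."""
    roles = set()
    for _name, rule, granted in CRITERIA_POLICIES:
        if rule(user):
            roles.update(granted)
    return roles


def conditional_still_valid(user: User, ent: Entitlement, today: date) -> bool:
    """Conditional/exception access survives only for Active users, unexpired, with bound attributes intact."""
    if user.status != "Active":
        return False
    if ent.valid_until is not None and ent.valid_until < today:
        return False
    return all(getattr(user, attr, None) == value for attr, value in ent.bound_to.items())


def reconcile(user: User, today: date) -> Tuple[List[str], List[str]]:
    """Bring the user's entitlements in line with current attributes; returns (granted, revoked) role names."""
    desired = desired_default_roles(user)
    kept, granted, revoked = [], [], []
    for ent in user.entitlements:
        if ent.source == "criteria":
            if ent.role in desired:
                kept.append(ent)
                desired.discard(ent.role)      # already held, nothing to grant
            else:
                revoked.append(ent.role)       # policy no longer matches (mover/leaver)
        elif conditional_still_valid(user, ent, today):
            kept.append(ent)
        else:
            revoked.append(ent.role)
    for role in sorted(desired):               # default roles not yet held (joiner/rehire)
        kept.append(Entitlement(role, "criteria"))
        granted.append(role)
    user.entitlements = kept
    return sorted(granted), sorted(revoked)


def lifecycle_demo(today: date = date(2024, 6, 1)) -> Dict[str, Tuple[List[str], List[str]]]:
    """Joiner, expiry, mover, leaver and rehire scenarios on one constructed user."""
    results: Dict[str, Tuple[List[str], List[str]]] = {}
    alice = User("alice@example.com", "Active", "Finance")
    results["joiner"] = reconcile(alice, today)
    # Conditional access granted after onboarding: a project share, a unit-bound role, a manual exception
    alice.entitlements.append(Entitlement("Project-X-Share", "conditional", valid_until=date(2024, 3, 31)))
    alice.entitlements.append(Entitlement("Finance-Reports", "conditional", bound_to={"department": "Finance"}))
    alice.entitlements.append(Entitlement("VPN-Exception", "conditional"))
    results["expiry"] = reconcile(alice, today)      # expired project share is revoked, the rest kept
    alice.department = "Sales"
    results["mover"] = reconcile(alice, today)       # Finance-only roles are revoked
    alice.status = "Terminated"
    results["leaver"] = reconcile(alice, today)      # everything, including the exception, is revoked
    alice.status = "Active"
    results["rehire"] = reconcile(alice, today)      # default roles for the current unit come back
    return results


if __name__ == "__main__":
    for stage, (granted, revoked) in lifecycle_demo().items():
        print(f"{stage:7s} granted={granted} revoked={revoked}")
```

The key design point is that default roles and conditional grants are reconciled by different rules on every status change: a default role is kept exactly as long as some criteria policy still matches, while a conditional grant carries its own validity conditions (status, expiry, bound attributes), so a manual exception never outlives the circumstances under which it was approved.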