Termination behavior for applications
Introduction
When people leave the organization, you typically want to take away their access. Most of the time this happens by disabling the user's accounts rather than deleting them. This helps with cases where people come back or where people are terminated by mistake (I've come across all kinds of things). But you cannot disable accounts for everything. What about the payroll application that lets the departed employee download their pay slips, or the benefits application? For those, you want to keep the accounts active. For other applications you may want to remove entitlements, or even trigger an access review so the manager can make a decision.
In the next section, I will walk you through how you can configure applications in RSA Via L&G for the termination behavior. The key point is that you won't have to change your rules or policies in L&G when you on-board new applications. You simply tell the application what termination behavior you want to use for it.
Configuration Steps
This section will discuss necessary configuration steps. Perform all steps as an administrative user with appropriate permissions.
Attribute Value List
Start by defining all possible termination behaviors that applications can have. As AveksaAdmin, go to Admin --> Attributes --> Custom Values. Create a custom value list and name it, for example, "Termination Behavior". Add values as needed, for example:
- Disable accounts
- Review access
- Revoke access
- No changes
Custom Attribute
Next, create a custom attribute on business sources that ties the termination behavior to them. Go to Admin --> Attributes --> Business Source. Click on "Edit", add a new managed string-type attribute, make it editable and link it to the "Termination Behavior" value list that we just created.
Application Configuration
Now that the custom attribute exists, we can configure all our directories and applications for the termination behavior. Go to Resources --> Directories and Resources --> Applications and select each directory/application in turn. Click on "Edit" on the General tab and select the desired termination behavior.
Review Configuration
If one of your termination behaviors is "Review access", you can configure a User Access review that contains only entitlements from the applications that were configured for a review.
Go to Reviews --> Definitions and click on "Create Review Definition".
Select review type "User Access Review" and click "Next". Name the review for example "Termination Review" and configure the review definition to be available for rule actions.
Configure page 3 as desired. On page 4, the content selection, filter each desired entitlement type as follows:
in Application with | Termination Behavior | = | Review access
The actual values may vary, depending on how you set up the previous steps.
Rules Configuration
The only thing missing is the configuration of the rules. Those are typically Attribute Change rules or Termination (Provisioning) rules. You would use the termination rule for account disabling and revocation of access. You would use the attribute change rule to trigger a review. The example I am describing here is a Termination rule.
Go to Rules --> Definitions and either create a new Termination rule or edit an existing one that you want to change. In the Actions section, you want to enable Disable Accounts and filter the accounts as follows:
has Business Source with | Termination Behavior | = | Disable accounts
Please note that your values may differ, depending on how you set up the previous steps.
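To show why the rule and review definitions above never need to change when a new application is on-boarded, here is a small model of the same idea in Python. It is an added illustration, not RSA Via L&G code or its API: the BusinessSource, Account and plan_termination names are hypothetical, and the sample directories, applications and entitlements are constructed. The only input the decision logic reads is the "Termination Behavior" attribute on each account's business source, which is exactly what the rule filter "has Business Source with | Termination Behavior | = ..." and the review filter "in Application with | Termination Behavior | = Review access" do.

```python
"""Toy model of metadata-driven termination handling (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class TerminationBehavior(str, Enum):
    """Mirrors the custom value list created under Admin --> Attributes --> Custom Values."""
    DISABLE = "Disable accounts"
    REVIEW = "Review access"
    REVOKE = "Revoke access"
    NONE = "No changes"


@dataclass(frozen=True)
class BusinessSource:
    """A directory or application; the attribute is the one configured on its General tab."""
    name: str
    termination_behavior: TerminationBehavior


@dataclass(frozen=True)
class Account:
    user: str
    source: BusinessSource
    entitlements: tuple[str, ...] = ()


@dataclass
class TerminationPlan:
    """What the termination rule (and the review definition) would act on for one user."""
    disable: list[Account] = field(default_factory=list)
    revoke: list[tuple[Account, str]] = field(default_factory=list)
    review: list[Account] = field(default_factory=list)
    untouched: list[Account] = field(default_factory=list)


def plan_termination(user: str, accounts: list[Account]) -> TerminationPlan:
    """Partition a user's accounts purely by their business source's termination behavior.

    No application name appears here: adding a new application only means giving its
    BusinessSource a termination_behavior, which is the point of the configuration above.
    """
    plan = TerminationPlan()
    for acct in accounts:
        if acct.user != user:
            continue
        behavior = acct.source.termination_behavior
        if behavior is TerminationBehavior.DISABLE:
            plan.disable.append(acct)
        elif behavior is TerminationBehavior.REVOKE:
            # Revocation is per entitlement, the account itself stays
            plan.revoke.extend((acct, ent) for ent in acct.entitlements)
        elif behavior is TerminationBehavior.REVIEW:
            # These accounts feed the "Termination Review" for the manager's decision
            plan.review.append(acct)
        else:
            plan.untouched.append(acct)
    return plan


def summarize(plan: TerminationPlan) -> dict[str, int]:
    """Counts per action, handy for a quick sanity check of a policy change."""
    return {
        "disable": len(plan.disable),
        "revoke": len(plan.revoke),
        "review": len(plan.review),
        "untouched": len(plan.untouched),
    }


# Constructed sample data: hypothetical sources and accounts, not from any real deployment
AD = BusinessSource("Active Directory", TerminationBehavior.DISABLE)
PAYROLL = BusinessSource("Payroll", TerminationBehavior.NONE)
CRM = BusinessSource("CRM", TerminationBehavior.REVOKE)
ERP = BusinessSource("ERP", TerminationBehavior.REVIEW)

SAMPLE_ACCOUNTS = [
    Account("jdoe", AD),
    Account("jdoe", PAYROLL, ("View Payslips",)),
    Account("jdoe", CRM, ("Sales Rep", "Report Viewer")),
    Account("jdoe", ERP, ("AP Clerk",)),
    Account("asmith", AD),  # a different user, must not be touched
]

if __name__ == "__main__":
    plan = plan_termination("jdoe", SAMPLE_ACCOUNTS)
    for acct in plan.disable:
        print(f"disable account in {acct.source.name}")
    for acct, ent in plan.revoke:
        print(f"revoke '{ent}' in {acct.source.name}")
    for acct in plan.review:
        print(f"send {acct.source.name} entitlements to Termination Review")
    for acct in plan.untouched:
        print(f"keep {acct.source.name} account active")
    print(summarize(plan))
```

Note that the accounts of the other user ("asmith") are never considered, and that the payroll account keeps its entitlement because its source is configured for "No changes". Changing an application's behavior later, say from "No changes" to "Review access", is a single attribute edit and needs no change to plan_termination, just as it needs no change to the rule or review definition in L&G.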
Summary
Now you have set up a configuration that allows you to specify the termination behavior for each application (or other business source). You won't have to touch your rules or review definitions when you on-board new applications. You just tell the application what the termination behavior should be.
You can build a similar configuration for other use cases. The key is to drive your actions from metadata on the business source rather than hard-coding applications into rules.