X hits on this document





14 / 28


In both types of HR processes, a common set of information needs to be conveyed to the Directory Processes to trigger the offboarding:

  • The UID of the individual whose relationship with the organization is being terminated.

  • In some cases, the type of termination process may also be communicated, in this case, either Normal Termination of Employment or Emergency Block.

  • A Unit of Work or Transaction Identifier is an identifier that can be used to trace the source of the termination trigger back to a specific transaction authorized by a specific person.

Given the diversity of trusted sources of personnel information that are likely to exist in an organization, it is almost certain that the HR systems will not have a common format for representing these offboarding event triggers, so a common format will need to be designed to represent these triggers.

Given that directories almost always follow LDAP protocols, one common format used for these events is the LDAP Data Interchange Format (LDIF).You could also consider using one of the industry standards: Directory Service Markup Language (DSML) or the Service Provisioning Markup Language (SPML).

These HR on/offboarding events are sent to a Directory Update Application. Because of the sensitive nature of these events, these events should be signed by the trusted source of personnel information and validated by the Directory Update application. Likewise, the transmission of these events should be encrypted to protect the confidentiality of this information.

To manage availability and resilience of these events and to ensure that none of the events are lost, a loosely coupled delivery mechanism, such as a message queue or service bus, should be used.

The employee offboarding event triggers must also be stored in the offboarding event audit server for compliance tracking purposes.

Directory processes

The directory processes are usually managed by the IT organization and represent the aggregation of all HR personnel information from all trusted sources into a Master Directory and the ongoing management of that directory information.

The directory processes are also responsible for delivering employee offboarding events to internal and external subscribers.

Master Directory

The Master Directory aggregates all of the personnel information from the trusted sources of personnel information into a common directory indexed by the UID.

Note that while trusted sources of personnel information may have only one type of person/relationship in them (for example, employee, contractor, business partner, and so on), the Master Directory contains all types of people associated with the organization. As mentioned earlier, in this guide we use the term employee, but the processes apply to all individuals who have a relationship with the organization. The directory processes and the identity management processes apply to all types of people regardless of whether they are employees, contractors, or business partners. From an IT perspective, the only necessary representation of the person is the UID.

Using the IBM Security Blueprint to Address Business Risks for Employee Offboarding

Document info
Document views115
Page views116
Page last viewedFri Jan 20 12:26:57 UTC 2017