The Identity Management Server is responsible for associating accounts and credentials with people and for enforcing the ownership of accounts, so that any activity on an account can be traced back to a person.
Adoption and reconciliation processes
Adoption processes refer to the ability of the Identity Management Servers to look at every account and credential in a managed IT system and associate that account with a unique person. In these scenarios, the Identity Management Servers must relate the account or credential with the UID.
Given that the UID is an identifier devised by the IT organization, the managed IT systems may be unable to associate their user registries and accounts with the UID. In these cases, the Identity Management Servers may need to retrieve additional information about the person by querying the recently deleted entries list.
In cases where the adoption process cannot be automated, the Identity Management Servers must support a process to interact with IT system managers to query them about ownership of IDs that cannot be matched up with a UID. The IT system managers use their own out-of-band methods to determine the owners of the accounts.
Reconciliation processes refer to steps taken when an account is discovered on a managed IT system that cannot be associated with a person through the adoption process. Often these accounts are scheduled for deletion, sometimes pending approval and review by IT system managers so that there is no account or credential on the managed IT system that cannot be associated with a person.
Employee on/offboarding subscriber processes
When a subscriber receives an on/offboarding event from the On/Offboarding Service Bus, it must first log receipt of the event in the Offboarding Event Audit Server and then initiate a process for the on/offboarding event for each of the IT systems it manages. The steps in this process are highly dependent on the capabilities of the IT system.
For example, some systems have the ability to temporarily suspend an account without completely deleting the account. This may be an appropriate response to an Emergency Block request.
In other cases, it may be important to notify a manager of a pending account deletion so that entitlements for that account can be delegated to a different person before the account is deleted.
A detailed discussion about all of the possible process steps that should be followed when an on/offboarding event is received by the Identity Management Servers is beyond the scope of this guide. However, there are interactions with the other directory processes and compliance processes that should be noted.
First, by the time the subscribing Identity Management Server receives the employee offboarding event, the Master Directory has already removed that person's record and it has been moved to the Recently Deleted Entities Directory. The Identity Management Server processes may need to retrieve information about the employee in order to identify the accounts with which that person is associated. As a result, the Identity Management Server process may need to be able to make queries into the Recently Deleted Entities Directory to retrieve additional information about the employee.
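The adoption, reconciliation and offboarding-subscriber logic described above, as an added example that is not part of this guide or of any product it describes. All directory records, account names, UIDs and the function names are constructed assumptions; a real subscriber would replace the in-memory dictionaries with calls to the Master Directory, the Recently Deleted Entities Directory, the Offboarding Event Audit Server and the managed system's user registry.

```python
"""Toy model of account adoption, reconciliation and an offboarding subscriber."""

# Constructed sample data. Person records are keyed by UID. The Master Directory
# holds active people; records the Master Directory has removed live in the
# Recently Deleted Entities Directory, which the subscriber may still query.
MASTER_DIRECTORY = {"u1001": {"email": "alice@example.test", "aliases": ["alice"]}}
RECENTLY_DELETED = {"u2002": {"email": "bob@example.test", "aliases": ["bob", "rsmith"]}}

# Accounts found on a managed IT system: account name -> owner hint from the
# system's own registry. The system does not store the UID, so matching is by hint.
MANAGED_SYSTEM_ACCOUNTS = {"alice": "alice@example.test", "rsmith": "bob@example.test", "svc-backup": ""}


def lookup_person(uid):
    """Look in the active directory first, then in the recently deleted entries."""
    return MASTER_DIRECTORY.get(uid) or RECENTLY_DELETED.get(uid)


def adopt(accounts, people):
    """Adoption: map every account to a UID; accounts that cannot be matched go to reconciliation."""
    index = {}
    for uid, person in people.items():
        index[person["email"]] = uid
        for alias in person["aliases"]:
            index[alias] = uid
    adopted, unmatched = {}, []
    for account, hint in accounts.items():
        uid = index.get(hint) or index.get(account)
        if uid is None:
            unmatched.append(account)
        else:
            adopted[account] = uid
    return adopted, unmatched


def reconcile(unmatched):
    """Reconciliation: schedule unowned accounts for deletion, pending IT-system-manager review."""
    return [{"account": a, "action": "delete", "status": "pending_review"} for a in unmatched]


def handle_offboarding_event(event, audit_log, accounts):
    """Subscriber: log receipt of the event first, then derive per-account actions."""
    audit_log.append({"event": event["type"], "uid": event["uid"]})
    person = lookup_person(event["uid"])
    if person is None:
        return []  # nothing can be identified, but the audit record already exists
    adopted, _ = adopt(accounts, {event["uid"]: person})
    # An Emergency Block suspends rather than deletes, where the system supports it.
    action = "suspend" if event["type"] == "emergency_block" else "delete"
    return [{"account": a, "action": action} for a in adopted]
```

Running `adopt` over all directories shows `svc-backup` falling through to `reconcile`, and offboarding `u2002` still finds `rsmith` even though that person is no longer in the Master Directory.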