IAM Design Principle: Lifecycle Events

Share this content:

I’ve really been trying to improve my skills at capturing and writing up requirements and one thing that helps is to list all the typical identity “lifecycle events”, along with:

  • How to detect the event, and
  • What to do when the event is detected.

So for each target system, I will have a table like the following. The “Lifecycle Events” I’ve listed I think are fairly universal. How you detect them (the “Trigger”), and what actions the IAM solution takes will, of course, be solution-specific. In some cases the IAM Solution’s action will be “none”, but that should still be documented.

Lifecycle Event Sub-stages Trigger (example) IAM Actions (example)
On-board Pre-start

Start Date

New person identity created in authoritative data source, with required minimum attributes. Pre-start:

  • Provision User Account
  • Provision account Artifacts (eg., mailbox, home folder)
  • Assign default access

Start Date:

  • Enable account
Name change First name, Preferred First Name or Surname change detected in authoratative data source.
  • Change name attributes
  • Generate new primary email address
Job change Job Title, Poisition Number or Business Unit changes detected in authoratative data source.
  • Change Job Title
  • Change Business Unit-based groups
Manager change Manager change detected in authoratative data source.
  • Change manager attribute.
Contact Details change Change to Address or Phone Number details in authoratative data source.
  • Change one or more of the following attributes based on the change in source data:
    • streetAddress
    • postalConde
    • country
    • telephoneNumber
    • ….
  • Change location-based distribution list.
Suspension Length of time between LeaveStartDate and LeaveEndDate is greater than 90 days

OR Suspended status is True.

  • Disable user account
  • Add notes “Disabled by IAM on <date>”
Reactivation LeaveEndDate has passed

AND Suspended status is False

AND account currently disabled

  • Enable user account
  • Add notes “Enabled by IAM on <date>”
Off-board Deactivation


Termination Date from authoratative data source has passed. At the end of the termination day:

  • Disable user account,
  • Moved to “Disabled Users” OU,
  • Add notes “Disabled by IAM on <date>”

90 days after termination day:

  • Remove all group memberships,
  • Archive mailbox,
  • Archive home folder.
Re-hire/Return Before Archive

After Archive

Existing person with an existing disabled user account has a passed start date, and a future or no termination date. Before Archive:

  • Enable account,
  • Add any default groups based on new position (if applicable).

After Archive (in addition):

  • Create new mailbox,
  • Create new home folder.
No Show Start date = Termination date. Disable and Archive account.


I will be adding to this series regularly. Check back weekly to ensure you don’t miss any new posts!

Also, I would love to hear your thoughts on the topic, so please share them in a comment.

Carol Wapshere

I’ve been working in the IT industry for rather a lot of years now, starting in sys admin then moving through project work and consultancy, eventually coming across MIIS 2003 in 2005 while working on an email migration project in London. After a few years in Switzerland I am now back in Australia, based in Canberra, working for UNIFY Solutions. I have been awarded the MVP for ILM/FIM every year since 2009.

Leave a Reply

Your email address will not be published. Required fields are marked *