Rehire users
Bravura Identity has components that set default rules and thresholds for comparing identity attributes in requests to onboard new users with attributes of existing users, in order to compute a likelihood that the proposed new hire is, in fact, a returning user with an existing profile. Threshold values set by this component determine whether a given score merits a warning to the requester or should block an onboarding request, due to the high certainty that it is a returnee.
Use case
Organizations need to differentiate between new employees and employees who are being rehired. Employees who are being rehired should go through a different process that could enable their previous resources; in certain circumstances, some employees may be flagged as do-not-rehire.
Solution
Bravura Identity is configured to retain identity information for all users, even after deactivation. This means that user profiles are not deleted, but instead, deactivated. Identity attributes normally include name, date of birth and identifiers such as a driver’s license number or social security number. Moreover, when a user is deactivated, three termination-related attributes are populated: termination date, reason for deactivation and whether rehiring this user is allowed.
When processing onboarding requests, regardless of whether they originate in a system of record (such as HR) or a request form, Bravura Identity applies rules to score how closely the new identity matches any identities already known to the system. These rules work by matching different sets of attributes – for example, first name plus last name plus date of birth. How closely the new user matches an existing profile is used to compute a confidence score. If the confidence score is above one threshold, a warning is generated that the new hire may not actually be new. If the confidence score is above another, higher threshold, then the request is blocked, because there is sufficient certainty that the new user is, in fact, a returning old user.
When an onboarding request that uses a request form closely matches an existing profile, one of the following actions can occur:
Users of Bravura Identity are instructed to terminate the process, as the old user was flagged as do-not-rehire.
Users are instructed to reactivate the old user profile.
When an onboarding request closely matches an existing profile from a Source of Records, the following actions can occur:
The request is blocked with rehire not permitted.
The request is permitted and a subsequent request is submitted for someone to review the potential conflict.
In no case should a new user profile be created for a returning old user.
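The scoring and two-threshold decision described above for request forms, as an added Python sketch that is not Bravura Identity code. The rule weights, threshold values, attribute names and decision labels are assumptions chosen for illustration; the real values live in the im_policy_detect_rehire and hid_global_configuration tables.

```python
# Added illustration, not Bravura code: rule weights, thresholds and field
# names are assumptions, not values shipped in im_policy_detect_rehire.
from dataclasses import dataclass

WARN_THRESHOLD = 50    # assumed: above this, warn the requester
BLOCK_THRESHOLD = 90   # assumed: above this, block the onboarding request
# Each rule: a set of attributes that must ALL match, and the score it adds.
RULES = [
    (("first_name", "last_name", "date_of_birth"), 60),
    (("national_id",), 95),
]

@dataclass
class Profile:
    profile_id: str
    attrs: dict
    rehire_allowed: bool = True   # populated at deactivation time

def _norm(value):
    # Case- and whitespace-insensitive; missing or empty values never match.
    return " ".join(str(value).split()).casefold() if value else None

def score(candidate, existing):
    total = 0
    for attrs, weight in RULES:
        if all(_norm(candidate.get(a)) is not None and
               _norm(candidate.get(a)) == _norm(existing.attrs.get(a)) for a in attrs):
            total += weight
    return min(total, 100)

def evaluate(candidate, directory):
    """Return (decision, matched profile id, score) for the closest profile."""
    best = max(directory, key=lambda p: score(candidate, p), default=None)
    s = score(candidate, best) if best else 0
    if s <= WARN_THRESHOLD:
        return ("create", None, s)
    if s <= BLOCK_THRESHOLD:
        return ("warn", best.profile_id, s)
    if not best.rehire_allowed:
        return ("block-do-not-rehire", best.profile_id, s)
    return ("block-reactivate-existing", best.profile_id, s)

# Constructed sample data: deactivated profiles are retained, never deleted.
DIRECTORY = [
    Profile("jdoe01", {"first_name": "Jane", "last_name": "Doe",
            "date_of_birth": "1985-03-14", "national_id": "X-0001"}, False),
    Profile("rroe02", {"first_name": "Rick", "last_name": "Roe",
            "date_of_birth": "1990-07-01", "national_id": "X-0002"}, True),
]
```

Because values are normalized before comparison, a request that differs from a retained profile only in letter case or spacing still scores as a match, and a request above the block threshold never reaches the "create" outcome.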
im_corp_detect_automated_rehire and im_corp_detect_rehire
Purpose:
These scenario components enable the product to detect whether a newly onboarded user is in fact a returning user with an existing profile. This is done by comparing identity attributes in onboarding requests with attributes of existing users and determining the likelihood that the new user already has a profile in the system. In case of manual requests, the requester will get a warning on the request page when a potential rehire is detected. Automated requests encountering a potential rehire will be routed to a human implementer for fulfillment. The automated rehire detection component (im_corp_detect_automated_rehire) depends on im_corp_detect_rehire; the reverse is not true.
Configuration:
Both of these scenarios rely on configuration data located in the following external data store (extdb) tables:
hid_global_configuration: Adds configuration parameters for these scenarios under the "im_policy_detect_rehire" namespace to control things like detection threshold values, PDRs in scope for this feature or the attribute which flags whether the user is even allowed to be rehired.
im_policy_authorization: Adds an authorization rule to allow idtrack(automation) requests to be auto-approved so they can be fulfilled immediately, without requiring additional authorization.
im_policy_implementers, hid_policy_request_chain: Only relevant for automated requests, these tables contain rules for routing and assigning human implementers to onboarding requests when the system detects a potential rehire.
im_policy_detect_rehire: Contains the list of attributes to be used for rehire detection along with their individual scores used to compute the recipient’s "rehire likelihood" score.
Example: User flagged as a rehire
This example uses the Scenario.im_corp_detect_rehire scenario component, which uses request forms in the form of PDRs. In this case, a user will be terminated urgently, setting the REHIRE-ALLOWED flag to false. The attempt to rehire will be prevented.
Requirements
This example assumes that:
Bravura Identity and Connector Pack are installed.
An Active Directory target is configured and is a source of profiles.
A HR target is configured as a Source of Records.
Configure the scenario
Log in to Bravura Identity as a superuser.
Install the scenario.im_corp_detect_rehire scenario.
This scenario component sets default rules and thresholds for comparing identity attributes in requests to onboard new users with attributes of existing users, in order to compute a likelihood that the proposed new hire is, in fact, a returning user with an existing profile.
Navigate to Manage external data store to verify the following tables are available. The tables are pre-configured but may require some customization for your environment:
hid_global_configuration to configure rehire parameters.
im_policy_detect_rehire to set rehire detection criteria.
Click Manage the system > Workflow > Pre-defined requests.
Customize PDRs as needed.
The following PDRs have been pre-configured for the termination scenario. You may want to customize them to your needs; for example, edit the access control or change the operations.
REHIRE Used to enable user accounts after they have been terminated. This pre-defined request is valid if the user is allowed to be rehired.
RESTORE-TERMINATED-USER Used to restore a user that was terminated.
Complete an urgent termination of a user using the URGENT-TERM PDR. The REHIRE-ALLOWED flag is automatically set to false.
Attempt a rehire
Log in to Bravura Identity as a user.
Click Create a new user profile.
Select the Hire a contractor PDR.
Fill out the new user’s information with duplicate information that matches the terminated user.
Attempt to submit the request.
An error should appear stating that a rehire of an existing user was attempted and will be prevented.
Example: User flagged as a rehire on a SoR
This example uses the Scenario.im_corp_detect_automated_rehire scenario. In this use case, a user is flagged as a rehire from a Source of Records.
Requirements
This example assumes that:
Bravura Identity and Connector Pack are installed.
An Active Directory target is configured and is a source of profiles.
A HR target is configured as a Source of Records.
Configure the scenario
Log in to Bravura Identity as a superuser.
Install the Scenario.im_corp_detect_automated_rehire scenario.
This scenario component will detect rehires being submitted from the source of records and submit follow-up requests for an implementer to review the new user being onboarded.
Click Manage external data store to verify the following tables are available. The tables are pre-configured but may require some customization for your environment:
hid_global_configuration to configure rehire parameters.
hid_policy_request_chain to submit a request to review the new hire.
im_policy_authorization to set authorization on the rehire detection request.
im_policy_detect_rehire to set rehire detection criteria.
im_policy_implementers to set implementers to review the potential rehire.
Customize PDRs as needed.
The following PDRs have been pre-configured for the termination scenario. You may want to customize them to your needs; for example, edit the access control or change the operations.
REHIRE Used to enable user accounts after they have been terminated. This pre-defined request is valid if the user is allowed to be rehired.
NEW-EMPLOYEE
Complete a scheduled termination of a user.
Attempt a rehire
Add an account in the Source of Records (SoR) target.
Execute auto discovery.
A request is submitted and a child request is submitted for review.
Log in to Bravura Security Fabric as a request implementer.
HR systems are usually set as read-only targets and require an implementer to complete tasks, as opposed to a connector automatically completing the task.
Verify that there are pending requests open to implement.