About Person Status
Statuses represent various states in the identity lifecycle, and various statuses have specific meanings within Registry. Each Person Role has a status attached to it, and each Person has an overall status that is generally calculated as the "most preferred" of the attached Person Role statuses. Similarly, when External Identities are created from External Identity Sources, the External Identity Source may attach statuses to each External Identity Role, which are then used to calculate an overall External Identity status.
Status can be changed under various circumstances:
- As part of an Enrollment Flow.
- As part of a Pipeline sync from an External Identity Source.
- Due to an Expiration Policy.
- By updating Person Role validity dates.
- Manually. Note that manual changes will be overwritten when an automatic update would result in a different status, unless the Person is Locked or the Person Role is Frozen.
Person Role Status Calculation
In general, Person Role statuses are manually assigned, or assigned as a side effect of another process like Enrollment or Expiration. However, in certain cases the status will be recalculated to align with specified valid from or valid through dates.
- A Person Role with a valid from date in the future and a status of Active, Expired, or Grace Period will be given a status of Pending Activation, unless the Person Role is frozen. A Person Role in Pending Activation status with a valid from date in the past will be given a status of Active (AR-PersonRole-4).
- A Person Role with a valid through date in the past and a status of Active, Grace Period, or Pending Activation will be given a status of Expired, unless the Person Role is frozen. A Person Role in Expired status with a valid from date in the future will be given a status of Active (AR-PersonRole-5).
- If both valid from and valid through dates are provided for a Person Role, the valid from date must be earlier than the valid through date (AR-PersonRole-6).
Locking Person Status
In order to quickly disable the entire Person record, the Person status may be set to Locked. Doing so will disable the entire Person record, regardless of the underlying CO Person Role statuses (AR-PersonRole-7). The Person status can then only be reset by a CO or COU administrator. Enrollment Flows, Pipelines, and Expiration Policies are unable to reset a Locked status.
Locking a Person does not lock their Authenticators. Applications should check for Authorization information, which is deprovisioned when the record is Locked.
Person Roles cannot be set to Locked, since it is intended as a Person status only. Individual Roles may be set to Suspended, Expired, or Archived.
External Identity Status
External Identity Source backends may assign statuses to each asserted External Identity Source Role. These statuses are intended to reflect the status of the Role as known by the backend source.
Only a subset of statuses is available for External Identity use. In particular, validity dates must be used to indicate External Identity Roles that are Pending Activation or Expired. The status field should be used to indicate the practical status of the Role. For example, a status of Active combined with a valid from date of next month indicates that the Role will start next month.
The overall External Identity will be assigned the "most preferred" status of the available External Identity Role statuses.
The Person Roles created from the External Identity Roles via the associated Pipeline will be given the same status as the corresponding External Identity Roles. The exception is when the source deletes the External Identity Role, in which case the Person Role will be given the status as configured in the Pipeline.
The special External Identity Role status Deleted is used to indicate that the backend deleted the External Identity Role entirely. Backends cannot directly assert this status.
Status Preferences and Provisioning
Person Preference | External Identity Preference | Status | Description | Provisioning |
---|---|---|---|---|
0 | n/a | Locked | Person is locked | Person data and All Members Groups provisioned |
1 | 1 | Active | The Person or Role is active within the organization | Person, Role, and Group data provisioned |
2 | 2 | Grace Period | The association with the organization has ended, but services have not yet been deprovisioned | Person, Role, and Group data provisioned |
3 | 3 | Suspended | The association with the organization has been temporarily suspended | Person data and All Members Groups provisioned |
4 | n/a | Expired | The Valid Through date has been reached | Person data and All Members Groups provisioned |
5 | n/a | Approved | The request for enrollment has been approved, but enrollment has not yet completed | No data provisioned |
6 | n/a | Pending Approval | The request for enrollment is pending approval | No data provisioned |
7 | n/a | Confirmed | The invitation for enrollment was confirmed, but enrollment has not yet completed | No data provisioned |
8 | n/a | Pending Confirmation | An invitation for enrollment was sent, but has not yet been confirmed | No data provisioned |
9 | n/a | Invited | An invitation was sent via default enrollment | No data provisioned |
10 | n/a | Pending Activation | The Valid From date has not yet been reached | No data provisioned |
11 | n/a | Pending | | No data provisioned |
12 | n/a | Denied | The request for enrollment was denied by the Approver | No data provisioned |
13 | n/a | Declined | The invitation for enrollment was declined by the Enrollee | No data provisioned |
14 | 4 | Archived | The record is not expected to be reactivated | No data provisioned |
n/a | 4 | Deleted | The record was removed from the backend | No data provisioned |
15 | 5 | Duplicate | The record is a duplicate of another | No data provisioned |
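The status rules above, worked through as an added Python example (this is not Registry code). The function names and sample dates are constructed for illustration, while the preference order and provisioning scopes are copied from the table. Only the date-driven demotions in AR-PersonRole-4 and AR-PersonRole-5 are modelled, not the transitions back to Active.

```python
from datetime import date

# Added illustration, not Registry code. Person preference order (list index =
# preference number) and provisioning scopes are copied from the table above.
PREFERENCE = ["Locked", "Active", "Grace Period", "Suspended", "Expired",
              "Approved", "Pending Approval", "Confirmed", "Pending Confirmation",
              "Invited", "Pending Activation", "Pending", "Denied", "Declined",
              "Archived", "Duplicate"]
FULL = "Person, Role, and Group data"
LIMITED = "Person data and All Members Groups"
SCOPE = {"Active": FULL, "Grace Period": FULL,
         "Locked": LIMITED, "Suspended": LIMITED, "Expired": LIMITED}

def recalc_role(status, valid_from=None, valid_through=None, frozen=False, today=None):
    """Date-driven demotion of one Person Role status (hypothetical helper)."""
    today = today or date.today()
    if valid_from and valid_through and valid_from >= valid_through:
        raise ValueError("valid from must be earlier than valid through")  # AR-PersonRole-6
    if frozen:
        return status  # a frozen role is exempt from both demotions below
    if valid_from and valid_from > today and status in ("Active", "Expired", "Grace Period"):
        return "Pending Activation"  # AR-PersonRole-4
    if valid_through and valid_through < today and status in ("Active", "Grace Period", "Pending Activation"):
        return "Expired"  # AR-PersonRole-5
    return status

def person_status(role_statuses, locked=False):
    """Overall Person status: Locked wins, otherwise the most preferred role status."""
    if "Locked" in role_statuses:
        raise ValueError("Locked is a Person status, not a Person Role status")
    if locked:
        return "Locked"
    if not role_statuses:
        raise ValueError("no roles: the page does not define this case")
    return min(role_statuses, key=PREFERENCE.index)

def provisioned(status):
    """Provisioning scope for a status; anything not listed in SCOPE gets no data."""
    return SCOPE.get(status, "No data")

# Constructed sample: a lapsed role, a suspended role, and a frozen lapsed role.
TODAY = date(2025, 6, 1)
ROLES = [
    recalc_role("Active", valid_through=date(2025, 5, 1), today=TODAY),
    recalc_role("Suspended", today=TODAY),
    recalc_role("Active", valid_through=date(2025, 5, 1), frozen=True, today=TODAY),
]
```

In the sample, the frozen role stays Active past its valid through date, so the Person is calculated as Active with Person, Role, and Group data provisioned. Setting the Person to Locked reduces that to Person data and All Members Groups.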
Changes From Earlier Versions
As of Registry v5.0.0
- Deleted status was renamed Archived.