About Status
Each CO Person Role has a status attached to it, and each CO Person has an overall status that is generally calculated as the "most preferred" of the attached CO Person Role statuses. Statuses represent various states in the identity lifecycle, and various statuses have specific meanings within COmanage.
...
- As part of Enrollment or Invitation.
- As part of an Organizational Identity Source and Pipeline sync.
- Due to an Expiration Policy.
- By updating CO Person Role validity dates.
- If a Role is in Pending status and the Valid From date is updated to be in the past, the Role will automatically change to Active status.
- If a Role is in Active status and the Valid From date is updated to be in the future, the Role will automatically change to Pending status.
- If a Role is in Expired status and the Valid Through date is updated to be in the future, the Role will automatically change to Active status.
- If a Role is in Active or Grace Period status and the Valid Through date is updated to be in the past, the Role will automatically change to Expired status.
- Manually. Note that manual changes will be overwritten when an automatic update would result in a different status.
CO Person Status Recalculation
The status of a CO Person is generally calculated from the status of the CO Person Roles attached. This happens automatically under the following conditions:
...
The CO Person status is set to the "most preferred" status of the attached CO Person Roles. "Most preferred" is currently defined as the order in the table, below. In general, active statuses are most preferred, followed by invitation statuses, and then expired expired statuses (since there may have been skeletal records provisioned that need to be maintained), followed by invitation statuses.
CO Person and Person Role Records are passed to Provisioners based on their status, as indicated in the table, below.
This table is effective as of Registry v2.0.0. For earlier versions, see this page.
In Registry v2.x and v3.x, this table is only supported by certain provisioners (Ldap, Crowd, LdapServiceToken). (CO-1740)
Locking CO Person Status
As of Registry v4.0.0, the CO Person status may be set to Locked. Doing so will disable the entire Person record, regardless of the underlying CO Person Role statuses. The CO Person status can only be reset by a CO or COU administrator. Enrollment Flows, Pipelines, and Expiration Policies are unable to reset a Locked status.
Locking a Person does not lock their Authenticators. Applications should check for Authorization information, which is deprovisioned when the record is Locked.
CO Person Roles cannot be set to Locked, since it is intended as a Person status only. Individual Roles may be set to Suspended, Expired, or Deleted.
Status Preferences and Provisioning
| Preference | Status | Description | Provisioning |
|---|
| n/a | Locked | Person is locked | Person data and All Members Groups provisioned |
| 1 | Active | Person or Role is an active member in the CO | Person, Role, and Group data provisioned |
| 2 | GracePeriod | Primary association with the CO has ended, but services have not yet been deprovisioned | Person, Role, and Group data provisioned |
| 3 |
Approved | | | Suspended | Association with the CO has been (manually) temporarily suspended | Person data and All Members Groups provisioned |
| 4 | Expired | Valid through date has been reached | Person data and All Members Groups provisioned |
| 5 | Approved |
| No data provisioned |
4| 6 | PendingApproval | The enrollment flow petition is pending approval | No data provisioned |
5 6| 8 | PendingConfirmation | An invitation or email confirmation was sent via an enrollment flow | No data provisioned |
7| 9 | Invited | An invitation was sent via default enrollment | No data provisioned |
8 data provisioned9 | Suspended | Association with the CO has been (manually) temporarily suspended | Person | 10 | Expired | Valid through date has been reached | Person data provisioned |
| 11 | Denied | The enrollment flow petition was denied | No data provisioned |
| 12 | Declined | The invitation sent via default enrollment was declined | No data provisioned |
| 13 | Deleted |
|
| No data provisioned |
| 14 | Duplicate | The record is a duplicate of another | No data provisioned |