Scenario Background #1:

An existing employee's job has ended normally (not an immediate termination).

Scenario Narrative:

  1. Job information is updated in the institution's HR system. The employee's job is given an end date (** should the architecture consider support for future end-dating of affiliations? **)
  2. An institutionally defined process invokes Person Registration and Update either via a REST API call (synchronous method) or by placing a Person Update message in the Person Update queue (asynchronous method). The payload of this message contains the end-dated job as well as the source system identifier for the employee.
  3. Person Registration will invoke the Person Search service to find the proper person for this update, based on the source system identifier supplied.
  4. Person Registration will update the job information in the Master Person Store.
  5. Person Registration will invoke Group Update through a REST API (synchronous method) or by placing a Person Update message in the Person Update queue (asynchronous method).
  6. Groups Service will evaluate dynamic group memberships for the employee, removing them from groups relating to the former job.
  7. Groups Service will invoke Provisioning Service via REST API (synchronous method) or by placing a Group Update message in the Group Update queue (asynchronous method).
  8. Provisioning Service will dynamically deprovision services relating to the former job.

Scenario Background #2:

An existing employee's job has ended and there is a need to revoke access immediately.

Scenario Narrative:

  1. An authorized person (IT Security or HR Officer) puts the employee into a 'Suspend Immediate' group in the Groups Service.
  2. The Groups Service invokes the Provisioning Service via a REST API.
  3. The Provisioning Service evaluates the employee's group memberships and finds a membership in the 'Suspend Immediate' group. The Provisioning Service suspends all accounts and access, and prevents the employee from requesting additional services or using account recovery tools to reset an account.
  4. Job information is updated in the institution's HR system and deprovisioning happens as with a normal job ending.
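
The two scenarios above meet in the Provisioning Service's evaluation step. The sketch below is an added example, not code from the architecture itself: it shows a job end date dropping a dynamic group and its services, and a 'Suspend Immediate' membership overriding every other entitlement. The job codes, group names, service names, function names, and the choice to treat the end date as the last day of access are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

SUSPEND_GROUP = "Suspend Immediate"  # group name taken from Scenario #2

@dataclass
class Job:
    code: str                 # hypothetical job identifier
    end_date: Optional[date]  # None means the job has no end date

# Hypothetical mappings: job -> dynamic group, group -> provisioned services.
JOB_GROUPS = {"LIB-CLERK": "library-staff", "IT-ANALYST": "it-staff"}
GROUP_SERVICES = {"library-staff": {"ils"}, "it-staff": {"vpn", "ticketing"}}

def dynamic_groups(jobs, today):
    """Groups Service step: a job grants its group only until it ends.
    Assumption: the end date itself is still a day of access."""
    return {JOB_GROUPS[j.code] for j in jobs
            if j.end_date is None or today <= j.end_date}

def provisioning_decision(jobs, manual_groups, current_services, today):
    """Provisioning Service step: decide the person's target access state."""
    groups = dynamic_groups(jobs, today) | set(manual_groups)
    if SUSPEND_GROUP in groups:
        # Scenario #2: the suspend group overrides all other memberships and
        # also closes the self-service paths back into an account.
        return {"suspend_all": True, "suspend": set(current_services),
                "keep": set(), "deprovision": set(),
                "allow_service_requests": False,
                "allow_account_recovery": False}
    entitled = set().union(*(GROUP_SERVICES.get(g, set()) for g in groups))
    # Scenario #1: remove only services no remaining group entitles.
    return {"suspend_all": False, "suspend": set(),
            "keep": current_services & entitled,
            "deprovision": current_services - entitled,
            "allow_service_requests": True,
            "allow_account_recovery": True}
```

Because the dynamic group is derived from the end date at evaluation time, a future-dated job ending only takes effect if something re-invokes the evaluation once that date has passed.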