About Status

Each CO Person Role has a status attached to it, and each CO Person has an overall status that is generally calculated as the "most preferred" of the attached CO Person Role statuses. Statuses represent various states in the identity lifecycle, and various statuses have specific meanings within COmanage.

Status can be changed under various circumstances:

CO Person Status Recalculation

The status of a CO Person is generally calculated from the status of the CO Person Roles attached. This happens automatically under the following conditions:

The CO Person status is set to the "most preferred" status of the attached CO Person Roles. "Most preferred" is currently defined as the order in the table, below. In general, active statuses are most preferred, followed by expired statuses (since there may have been skeletal records provisioned that need to be maintained), followed by invitation statuses.

CO Person and Person Role Records are passed to Provisioners based on their status, as indicated in the table, below.

(info) This table is effective as of Registry v2.0.0. For earlier versions, see this page.

(warning) In Registry v2.x and v3.x, this table is only supported by certain provisioners (Ldap, Crowd, LdapServiceToken). (CO-1740)

Locking CO Person Status

As of Registry v4.0.0, the CO Person status may be set to Locked. Doing so will disable the entire Person record, regardless of the underlying CO Person Role statuses. The CO Person status can only be reset by a CO or COU administrator. Enrollment Flows, Pipelines, and Expiration Policies are unable to reset a Locked status.

(info) Locking a Person does not lock their Authenticators. Applications should check for Authorization information, which is deprovisioned when the record is Locked.

CO Person Roles cannot be set to Locked, since it is intended as a Person status only. Individual Roles may be set to SuspendedExpired, or Deleted.

Status Preferences and Provisioning

PreferenceStatusDescriptionProvisioning
n/aLockedPerson is lockedPerson data and All Members Groups provisioned
1ActivePerson or Role is an active member in the COPerson, Role, and Group data provisioned
2GracePeriodPrimary association with the CO has ended, but services have not yet been deprovisionedPerson, Role, and Group data provisioned
3SuspendedAssociation with the CO has been (manually) temporarily suspendedPerson data and All Members Groups provisioned
4ExpiredValid through date has been reachedPerson data and All Members Groups provisioned
5Approved
No data provisioned
6PendingApprovalThe enrollment flow petition is pending approvalNo data provisioned
7Confirmed
No data provisioned
8PendingConfirmationAn invitation or email confirmation was sent via an enrollment flowNo data provisioned
9InvitedAn invitation was sent via default enrollmentNo data provisioned
10Pending
No data provisioned
11DeniedThe enrollment flow petition was deniedNo data provisioned
12DeclinedThe invitation sent via default enrollment was declinedNo data provisioned
13DeletedThe record is not expected to be reactivatedNo data provisioned
14DuplicateThe record is a duplicate of anotherNo data provisioned