Each CO Person Role has a status attached to it, and each CO Person has an overall status that is generally calculated as the "most preferred" of the attached CO Person Role statuses. Statuses represent various states in the identity lifecycle, and various statuses have specific meanings within COmanage.
Status can be changed under various circumstances:
The status of a CO Person is generally calculated from the status of the CO Person Roles attached. This happens automatically under the following conditions:
The CO Person status is set to the "most preferred" status of the attached CO Person Roles. "Most preferred" is currently defined as the order in the table below. In general, active statuses are most preferred, followed by expired statuses (since there may have been skeletal records provisioned that need to be maintained), followed by invitation statuses.
CO Person and Person Role Records are passed to Provisioners based on their status, as indicated in the table below.
This table is effective as of Registry v2.0.0. For earlier versions, see this page.
In Registry v2.x and v3.x, this table is only supported by certain provisioners (Ldap, Crowd, LdapServiceToken). (CO-1740)
As of Registry v4.0.0, the CO Person status may be set to Locked. Doing so will disable the entire Person record, regardless of the underlying CO Person Role statuses. The CO Person status can only be reset by a CO or COU administrator. Enrollment Flows, Pipelines, and Expiration Policies are unable to reset a Locked status.
Locking a Person does not lock their Authenticators. Applications should check for Authorization information, which is deprovisioned when the record is Locked.
CO Person Roles cannot be set to Locked, since it is intended as a Person status only. Individual Roles may be set to Suspended, Expired, or Deleted.
Preference | Status | Description | Provisioning |
---|---|---|---|
n/a | Locked | Person is locked | Person data and All Members Groups provisioned |
1 | Active | Person or Role is an active member in the CO | Person, Role, and Group data provisioned |
2 | GracePeriod | Primary association with the CO has ended, but services have not yet been deprovisioned | Person, Role, and Group data provisioned |
3 | Suspended | Association with the CO has been (manually) temporarily suspended | Person data and All Members Groups provisioned |
4 | Expired | Valid through date has been reached | Person data and All Members Groups provisioned |
5 | Approved | | No data provisioned |
6 | PendingApproval | The enrollment flow petition is pending approval | No data provisioned |
7 | Confirmed | | No data provisioned |
8 | PendingConfirmation | An invitation or email confirmation was sent via an enrollment flow | No data provisioned |
9 | Invited | An invitation was sent via default enrollment | No data provisioned |
10 | Pending | | No data provisioned |
11 | Denied | The enrollment flow petition was denied | No data provisioned |
12 | Declined | The invitation sent via default enrollment was declined | No data provisioned |
13 | Deleted | The record is not expected to be reactivated | No data provisioned |
14 | Duplicate | The record is a duplicate of another | No data provisioned |
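
The following sketch models the rules above: the "most preferred" calculation, the Locked override, and the provisioning scope from the table. It is an added example, not COmanage Registry code; the function and constant names are hypothetical, and returning `None` for a Person with no Roles is an assumption of the model, since this page does not define that case.

```python
# Added illustration of the status rules on this page; not COmanage Registry code.
from typing import Iterable, Optional

# Preference order copied from the table (position 1 = most preferred).
PREFERENCE = ["Active", "GracePeriod", "Suspended", "Expired", "Approved",
              "PendingApproval", "Confirmed", "PendingConfirmation", "Invited",
              "Pending", "Denied", "Declined", "Deleted", "Duplicate"]
RANK = {status: i + 1 for i, status in enumerate(PREFERENCE)}

FULL = "Person, Role, and Group data"
PERSON_ONLY = "Person data and All Members Groups"
NO_DATA = "No data"

# Provisioning column of the table; every status not listed here gets NO_DATA.
SCOPE = {"Locked": PERSON_ONLY, "Active": FULL, "GracePeriod": FULL,
         "Suspended": PERSON_ONLY, "Expired": PERSON_ONLY}


def person_status(role_statuses: Iterable[str], locked: bool = False) -> Optional[str]:
    """Return the CO Person status for the given CO Person Role statuses."""
    roles = list(role_statuses)
    for status in roles:
        if status == "Locked":
            # Locked is a Person status only; Roles can never carry it.
            raise ValueError("a CO Person Role cannot be Locked")
        if status not in RANK:
            raise ValueError(f"unknown status: {status}")
    if locked:
        # Locked overrides whatever the Roles say (Registry v4.0.0 and later).
        return "Locked"
    if not roles:
        return None  # assumption: the page does not cover a Person with no Roles
    return min(roles, key=RANK.__getitem__)


def provisioning_scope(status: str) -> str:
    """Return what the table says is provisioned for this status."""
    if status != "Locked" and status not in RANK:
        raise ValueError(f"unknown status: {status}")
    return SCOPE.get(status, NO_DATA)


def role_data_provisioned(status: str) -> bool:
    """True only when Role and Group data (authorization) reaches provisioners."""
    return provisioning_scope(status) == FULL
```

Because a Locked Person keeps its Authenticators, `role_data_provisioned` returning `False` is the signal a downstream application has to act on: a successful authentication alone says nothing about whether the record is still authorized.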