User Lifecycle Management Process
User Lifecycle Management (ULM) is a key component of Identity Governance and Administration, focused on managing the entire lifecycle of user identities within an organization.
ULM includes various processes and stages, ranging from the initial onboarding of a user to their eventual off-boarding or de-provisioning. The primary objective of ULM is to ensure that both internal and external users have the appropriate access rights and permissions necessary for their roles within or in collaboration with an organization, all while minimizing security risks.
The user lifecycle typically consists of the following steps:
- Onboarding: This is the initial stage when a new user joins the organization. During onboarding, the Identity Governance and Administration (IGA) system creates a user identity, assigns necessary access rights and permissions based on the user's role and responsibilities, and sets up authentication credentials (e.g., usernames, passwords, or other authentication methods).
- Usage and Tracking: Tracking user activities and access is vital for detecting anomalies or security threats. IGA systems can monitor user behavior, generate logs, and provide insights into suspicious activities.
- User Updates Management: When users change roles, departments, or responsibilities within the organization, their access rights must be updated accordingly. This stage involves modifying user permissions to align with their new requirements while ensuring that unnecessary access is revoked.
- Offboarding: When a user leaves the organization or no longer requires access to specific resources, the offboarding process is initiated. This involves revoking access rights, disabling accounts, and ensuring that the departing user no longer poses a security risk. It is crucial to offboard users promptly to prevent unauthorized access.
- Archiving and Data Retention: In some cases, organizations may need to archive user data and maintain it for legal or compliance reasons even after a user has left the organization. This stage includes securely storing and managing archived user data.
- Reporting and Compliance: Throughout the user lifecycle, organizations must maintain records of access and actions taken for auditing and compliance purposes.
ULM helps organizations ensure security, compliance, and operational efficiency. With ULM, user access is aligned with business needs and security policies at all stages of the user's journey within the organization. Automated ULM can streamline many of these processes, making them more efficient and less prone to human errors.
Typical Challenges European Organizations Face with ULM:
- Delayed Offboarding: 90% of organizations report that offboarding takes several days, which increases security risks.
- Manual User Creation: User creation is often based on manual work or custom scripts in Active Directory, which do not support updates. This approach can lead to security risks and non-compliance with new EU regulations.
- Frequent User Updates: User updates, especially for temporary workers or departmental changes, must be made frequently. Manual methods are both costly and risky.
- Inconsistent Access Control: It is difficult to manage and enforce consistent access control policies across an organization's resources throughout the user's lifecycle.
- Manual Account Management: IT admins often manage user accounts manually, which increases costs and security risks.
- Inconsistency Identification: IT admins must manually identify inconsistencies between user information from HR systems and account information in customer directories. This task is difficult, costly, and often leads to unused or orphan accounts going unidentified.
- Access Rights Management for Long-Term Absences: Manual handling of access rights during long-term absences, such as maternity or sick leave, can lead to security issues if access is not properly disabled.
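The reconciliation described under Inconsistency Identification and Long-Term Absences can be sketched as follows. This is an added example, not Efecte IGA code: it compares HR records against directory accounts and flags orphan accounts, accounts still enabled after the employment end date, and accounts left enabled during a long-term absence. All field names, reason labels and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from any real HR system or directory).
HR_RECORDS = {
    "e1001": {"end_date": None, "on_leave": False},
    "e1002": {"end_date": date(2024, 3, 31), "on_leave": False},
    "e1003": {"end_date": None, "on_leave": True},  # long-term absence
}
DIRECTORY_ACCOUNTS = [
    {"account": "avirtanen", "employee_id": "e1001", "enabled": True},
    {"account": "jberg", "employee_id": "e1002", "enabled": True},
    {"account": "mnowak", "employee_id": "e1003", "enabled": True},
    {"account": "svc-legacy", "employee_id": None, "enabled": True},
    {"account": "tkoch", "employee_id": "e0999", "enabled": False},
]


def reconcile(hr, accounts, today):
    """Return sorted (account, reason, days_overdue) findings."""
    findings = []
    for acct in accounts:
        person = hr.get(acct["employee_id"])
        if person is None:
            # No matching HR record: orphan account, reported even when
            # disabled so that it can be reviewed and cleaned up.
            findings.append((acct["account"], "orphan", 0))
            continue
        if not acct["enabled"]:
            continue  # already deactivated, nothing to flag
        end = person["end_date"]
        if end is not None and end < today:
            # Employment ended but the account is still usable.
            overdue = (today - end).days
            findings.append((acct["account"], "enabled_after_end_date", overdue))
        elif person["on_leave"]:
            findings.append(
                (acct["account"], "enabled_during_long_term_absence", 0)
            )
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(HR_RECORDS, DIRECTORY_ACCOUNTS, date(2024, 4, 5)):
        print(finding)
```

The `days_overdue` value gives a direct measure of offboarding delay per account, which is the figure an audit of the "several days" problem would track.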
Efecte IGA provides use cases and capabilities that address the previously mentioned challenges:
Easy Onboarding: Onboarding can be easily managed via Efecte IGA Self-Service using the "Create New User" use case.
Alternatively, fully automated onboarding is possible when integration with HR systems is in place, leveraging the User Lifecycle Management use case.
Easy Updates: Updates can be managed through Efecte Self-Service using the "Update User Information" use case.
Fully automated updates are also available when integrated with HR systems, utilizing User Lifecycle Management use cases.
These updates may involve personal information, such as first or last name changes, where the IGA solution generates new directory attributes for the user. For employment information updates, such as title changes, the IGA solution validates and updates the directories and adjusts the user’s access rights (entitlements) if automated rules are in place.

Easy Offboarding: Offboarding can be handled via Efecte Self-Service using the "Update Departing User Information" use case.
Fully automated offboarding is also possible when integrated with HR systems, again using the User Lifecycle Management use case.
- Offboarding typically includes ending the user’s work period(s), deactivating related directory account(s), and revoking access rights. This process is initiated by setting the employment end date for the user’s work period.
- If physical access is managed through the IGA solution, offboarding also includes the return of keys, badges, etc.
- Offboarding can be extended with ITSM/ESM (Enterprise Service Management) use cases, such as the return of devices, work clothes, etc.

Work Period Management: Customers can define actions related to the information received by the IGA solution, including handling users with multiple active work periods.
Account Management: Defines what information is delivered and to which of the customer's directories.
Automated Rules: The Efecte IGA solution allows admins to define automated rules based on information related to organizational units, cost centers, and job titles. The scope includes Attribute-Based Access Control (ABAC), Role-Based Access Control (RBAC), and Organization-Based Access Control (OrBAC).
Admin Reporting & Actions: IGA admin reporting and other necessary actions are detailed in the User Lifecycle Management use cases (refer to the chapter on Use Cases for IGA Admins).
A user's personal and employment information can be received from Self-Service (for example, for external users) or from the HR solution via a ready-made connector, Efecte Integration Service, or Open API integration.
The following figure illustrates the use cases specific to the ULM process in Efecte IGA. ULM builds on ARM use cases and capabilities, including reporting for ULM compliance needs.
