Active users in Prehire status

Hello all,

I am curious how others have gone about resolving this issue, which my company has had for ages. I inherited my company's current SailPoint environment and I am still working on trying to make it better. We have come across a gap where users get their AD accounts created prior to their start date and they are able to log in if they have their user information.

I would like to just create the account on their start date, but this impacts our workstation support team as they assign the assets to their AD account. This would prevent these users from having their hardware available on their start date. I want almost like a staging group, or a way to prevent them from accessing their account if they are outside of their working window: before start date or after last day worked, both fields provided by HR.

I would also need a way to bypass this, as we have to white-glove some individuals like C levels who may need access to things post termination; rare, but it does happen from time to time.

I need the accounts existing in AD, however they need to be inaccessible. One thought was to use a transform to leverage the AD attribute logonHours and null this out if outside of our working hours. The workaround would be a First Valid that could maybe be an AD group for the one-off exceptions.

If you’re willing to share how you have gone about resolving this kind of issue or any recommendations, I am all ears. Appreciate it!

On the pre-hire side, does your workstation support team need to log in as the user to set up their hardware, or are you using an automated process on first login?

  • If the workstation team needs to log in as the user, the account will need to be accessible.
  • If the process is automated, the account could be disabled and only enabled on the first day.

You could also look at other controls - for example, if the user has to connect to a VPN to work, put the “pre-hire” account in an OU that is blocked from VPN. You could also limit the groups assigned to the bare minimum needed to set up the account and assign additional entitlements on day 1.

On the after-termination side, you can also set accountExpires or userWorkstations as additional controls, but keep in mind these settings only apply to AD, not Azure. Again, you could block these users from VPN as well.


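As an added example that is not part of the original thread, the following PowerShell sketch shows how the controls discussed above (zeroing logonHours, disabling the account, setting accountExpires, and an exception group for white-glove cases) could be applied from the HR-provided dates. The parameter names, the group name `IAM-AccessWindow-Exempt` and the idea of running it on a schedule are assumptions, not anything from the thread or from SailPoint.

```powershell
# Added example, not from the thread. Keeps an AD account in place (so hardware can be
# assigned to it) but blocks logon outside the HR-provided working window. Members of a
# placeholder exception group are left untouched. Requires the ActiveDirectory RSAT module.
param(
    [Parameter(Mandatory)] [string]   $SamAccountName,
    [Parameter(Mandatory)] [datetime] $StartDate,            # HR start date (assumed input)
    [datetime] $LastDayWorked,                                # HR last day worked (assumed, optional)
    [string]   $ExceptionGroup = 'IAM-AccessWindow-Exempt'    # placeholder group name
)
Import-Module ActiveDirectory

# logonHours is a 21-byte bitmap, one bit per hour of the week. All zeros means logon is
# never permitted; all 0xFF means any time (the effective default when the attribute is unset).
$NoLogonHours  = [byte[]](,0x00 * 21)
$AllLogonHours = [byte[]](,0xFF * 21)

$user   = Get-ADUser -Identity $SamAccountName -Properties memberOf, logonHours, Enabled
$exempt = (Get-ADGroup -Identity $ExceptionGroup).DistinguishedName
if ($user.memberOf -contains $exempt) {
    Write-Output "$SamAccountName is in $ExceptionGroup; leaving the account untouched."
    return
}

$hasLastDay = $PSBoundParameters.ContainsKey('LastDayWorked')
$today      = (Get-Date).Date
$inWindow   = ($today -ge $StartDate.Date) -and
              (-not $hasLastDay -or $today -le $LastDayWorked.Date)

if ($inWindow) {
    # Inside the window: restore "always" logon hours and make sure the account is enabled.
    Set-ADUser -Identity $user -Replace @{ logonHours = $AllLogonHours }
    Enable-ADAccount -Identity $user
    Write-Output "$SamAccountName is inside the working window: logon allowed."
} else {
    # Outside the window (pre-hire or post-termination): account exists but cannot log on.
    Set-ADUser -Identity $user -Replace @{ logonHours = $NoLogonHours }
    Disable-ADAccount -Identity $user
    Write-Output "$SamAccountName is outside the working window: logon blocked."
}

# Belt-and-braces for leavers: accountExpires stops AD logons at midnight after the last day
# even if this script is not run. As the reply notes, AD-side controls like this are not
# honoured by Azure / Entra ID, so cloud access needs its own control.
if ($hasLastDay) {
    Set-ADAccountExpiration -Identity $user -DateTime $LastDayWorked.Date.AddDays(1)
}
```

Because logonHours and accountExpires are evaluated by the domain controller, they cover domain and workstation logons but not cloud-only sign-ins, which is why the reply pairs them with VPN and entitlement restrictions.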