Terminated worker getting re-hired with new Workday account

Hello,
I am currently looking for a possible workaround here. We have a user who was a contractor and is now going to be a full-time employee at our company. He currently has two Workday accounts and unique Workday IDs. His contractor Workday ID is EX1234 and his FTE Workday ID is 4567 (not actual Workday IDs).

Currently, one identity cube is showing but with two Workday accounts: one is active and the other is disabled.

We have lifecycle management provisioning implemented where SailPoint reads the user’s worker status from Workday and, when terminated, disables the Active Directory domain account and removes all the SailPoint roles tied to the user.

The user’s contractor Workday account was terminated, and the end date was Sep 15th, and the FTE account start date was Sep 16th.

SailPoint went ahead and disabled his current Active Directory account. Then IT had to re-enable the account this morning so he can work while we figure out a solution.

What can we do to best mitigate this issue?

I don’t know if creating multiple identity profiles under Workday is going to resolve this issue.

I would like to make sure that the user is not impacted and avoid downtime.

@salam1,

In Workday, is it intended that the contractor record was not updated to the FTE record? Most companies want to have one record in Workday that shows the individual’s history with the company. If it was an HR error that the user was not merged correctly, the best solution is to push HR to fix the record.

If it was intentional that the company does not want to have contractors and employees with the same Workday IDs, do you have any data to match these individuals together? Things that come to mind are personal email address and birthdate. (Name will not be enough by itself, as you can have many John Smiths.)

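The matching suggested in the reply above (personal email plus birthdate), as an added example that is not from the thread or from SailPoint: a pre-check that holds back the termination disable when the same person has another Workday record taking over within a few days. The record fields, the 3-day grace window, the year and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE = timedelta(days=3)  # assumption: allowed gap between end date and new start date

@dataclass(frozen=True)
class WorkerRecord:
    worker_id: str
    personal_email: str
    birthdate: date
    start: date
    end: Optional[date] = None  # None means the record is still active

    def person_key(self):
        # Name alone is not unique, so match on personal email + birthdate.
        return (self.personal_email.strip().lower(), self.birthdate)

def find_successor(terminated, records):
    """Return another record for the same person that takes over at termination."""
    email, _ = terminated.person_key()
    if not email:  # no reliable match key: fail closed and treat as a real leaver
        return None
    for r in records:
        if r.worker_id == terminated.worker_id or r.person_key() != terminated.person_key():
            continue
        still_open = r.end is None or r.end > terminated.end
        if still_open and r.start <= terminated.end + GRACE:
            return r
    return None

def should_disable(terminated, records) -> bool:
    """Disable only if the record has ended and no other record continues the person."""
    return terminated.end is not None and find_successor(terminated, records) is None

# Constructed sample records; EX1234 and 4567 are the placeholder IDs from the thread.
RECORDS = [
    WorkerRecord("EX1234", "Sam@example.com", date(1990, 4, 2), date(2022, 1, 10), date(2023, 9, 15)),
    WorkerRecord("4567", "sam@example.com", date(1990, 4, 2), date(2023, 9, 16)),
    WorkerRecord("EX9001", "lee@example.com", date(1985, 7, 30), date(2022, 5, 1), date(2023, 9, 15)),
    WorkerRecord("EX5555", "kim@example.com", date(1979, 1, 5), date(2021, 3, 1), date(2023, 3, 1)),
    WorkerRecord("8888", "kim@example.com", date(1979, 1, 5), date(2023, 9, 1)),
]

if __name__ == "__main__":
    for rec in (r for r in RECORDS if r.end):
        print(rec.worker_id, "disable" if should_disable(rec, RECORDS) else "keep (converted)")
```

A rehire that starts months after the end date (EX5555 here) is still disabled, so the check does not leave a terminated account enabled during the gap.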

Potentially you could create 2 Workday sources and profiles. One for staff and one for contractors. Set the identity profile for staff above that of the contractors.
This will only work for contractors to perm, and not the other way round.

Hello,
The user has only one identity in SailPoint. It was intentional that the company does not want to have contractors and employees share the same Workday IDs. They match by email address, name, and many more. They should carry over the same attributes except the Workday ID.

I will look into this option as well. Thank you.

I was not seeing any filters for staff vs contractors in the Workday source configuration.

We had the exact same problem with contractors going to perm.
SuccessFactors couldn’t cope with it and HR had to create them as a new identity every time. Lots of manual rework each month.
We never managed to get an automated resolution.


@salam1

If you can find unique values in your incoming data (maybe the fact that your contractors all have IDs starting with EX), you might be able to use a source filter to separate the users into two groups. See this article:

IdentityNow Account Filtering during Account Aggregation - Compass (sailpoint.com)

For example, for your primary source, you may be able to use a filter that looks like:

attributeName.startsWith("EX")

Replace the attributeName with the schema attribute that is incoming from Workday.

One note: Source filters indicate what to exclude. So on the primary source we are excluding the contractors.

Then you could divide the users into two Identity Profiles as @phil_awlings suggested.
