Job Role Change

How It Works

When a team member changes job roles, it is expected that there is an "end date" for the old role and a "start date" for the new role.

An administrator or user with elevated privileges will need to use the Job Role Change Wizard to review and remove access to their old role AuthGroup(s) and approvable relationships. This should be performed after the "end date" for their old role, or the last day that they should have access based on a transition period.

Access to the AuthGroup(s) and approvable relationships for their new role is available after the Okta metadata has been updated with their new job role meta data (ex. gl_job_family and gl_job_specialty) and the user signs in to Access Manager.

If there is a transition period, these dates can overlap and should be treated as the last date that the user can access SaaS Providers for their old role and the first day that the user can access SaaS Providers for their new role.

Expiration of the Old Job Role Access

Normally when a user access expires due to termination or resignation, the AuthUser expires_at value is set to their offboarding date, and all access expires after that "global" date.

When a user changes job roles, they will still need to retain access to some baseline entitlement systems, so specific job role related systems need to be deprovisioned.

An AuthUser will not automatically be deprovisioned from the old role AuthGroup(s) and related approvable relationships.

Job Role Change Wizard

The manual process for removing user access is to navigate to the AuthUser and review each of the approvable relationships that have been created. To help with efficiency, you should navigate to the AuthUser and use the Job Role Change wizard which provides an easy interface for selecting the old role AuthGroup(s) and reviewing the changes and performing bulk old role deprovisioning with a streamlined user experience.

Automated Changes to Job Role Meta Data in Auth Provider

When an AuthUser authenticates with Access Manager, their Auth Provider (ex. Okta) metadata is used to update their AuthUser metadata. When the change appears in Okta with changes from the HRIS on the effective date of their job role change, the AuthUser will be granted automatic access to the AuthGroup(s) for their new job role (ex. job family and job specialty).

See the profile mapping documentation to learn more.

An AuthUser will be able to access approvable relationships for the new job role after the effective date of their job role change and their Okta metadata is updated.

Manual Early Access to New Role AuthGroup

If an AuthUser needs early access to the SaaS Provider approvable relationships for their new job role, they can be administratively added to the AuthGroup(s) for the respective job role (ex. Job Family Entitlement - {Job Family Name} or Job Specialty Entitlement - {Job Family - Specialty Name}). On their effective date, the AuthProviderGroup will see that the AuthUser is already a member and will not take any action to add them to the group again.