PingOne Advanced Identity Cloud

Manage user lifecycle management

User lifecycle management (user LCM) allows authorized end users to create, update, delete, and view user information. User LCM enforces policies by requiring approval workflows before authorized end users can apply any user changes.

User LCM Permissions

By default, governance administrators, managers, direct reports, and end users have the following permissions:

Action               Admin   Manager     End user
View user            Yes     Yes         If scoped
View users' access   Yes     Yes         If scoped
Create user          Yes     If scoped   If scoped
Modify user          Yes     If scoped   If scoped
Delete user          Yes     If scoped   If scoped

Enable user LCM

Governance administrators must enable user LCM to activate the feature in the hosted account pages.

  1. In the Advanced Identity Cloud admin console, go to Governance > Requests.

  2. On the Requests page, click the Settings tab.

  3. In the Governance LCM section, click Activate.

  4. In the Governance LCM modal, read what activating this feature entails, and click Next.

    Governance LCM modal

  5. In the Governance LCM modal, click User LCM, and then click Activate.

    Enable User LCM on the Requests page.

    User LCM is now enabled.

Configure authorization using scopes

Scope permissions grant a specific subset of permissions for user LCM.

Permissions for user LCM are as follows:

Permission    Description

Create User
  Allows the end user to create new users in the system.
  This global permission overrides a scope’s target conditions. For example, even if a scope is set to target only contractor users, a person with this permission can create any type of user, not just contractors.

Modify User
  Allows the end user to modify the users matching the filter.

Delete User
  Allows the end user to delete the users matching the filter.

View Grants
  Allows the user to view the access of the matching users, for example, applications, entitlements, and roles.

Add scopes and assign to users

  1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

  2. Go to Governance > Scopes.

  3. Click + New Scope.

  4. On the New Scope page, enter the following in the Details section:

    1. Name: Enter the name for the scope.

    2. Description: Enter a description for the scope.

    3. Click Next.

      Scope details page displaying name and description

  5. On the Applies to page, define which users should be subject to this scope.

    1. Select whether All or Any of the conditions must be met.

    2. Select a property for this scoping rule. For example, select userName.

    3. Select an operator for the scoping rule. For example, select contains.

    4. If you want to add another rule, click + (add) and repeat the steps.

    5. Click Next.

      Scope `applies to` page defining the users to which the scope applies.

  6. If you are granting user permissions, configure the following on the Access page:

    1. Select the Users checkbox.

    2. Select whether All or Any of the conditions must be met.

    3. Select a property for this scoping rule. For example, select accountStatus.

    4. Select an operator for the scoping rule. For example, select is.

    5. Enter a condition. For example, enter active.

    6. If you want to add another rule, click + (add) and repeat the steps.

    7. Select the permissions available to the scope:

      • Create User: Permission to create a new user.

      • Modify User: Permission to modify a user.

      • Delete User: Permission to delete a user.

      • View Grants: Permission to view the access for the users matching the scope filter.

    8. Click Save.

      Scope access matching the conditions.
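To make the scope model concrete, the following Python is an added illustration (not code from the PingOne documentation or product) of how a scope's Applies to rules, Access rules and permissions combine to authorize a user LCM action, including the global Create User override described above. The scope names, user attributes, operator semantics and the rule that an empty rule block matches nobody are constructed assumptions.

```python
from dataclasses import dataclass, field

OPERATORS = {  # "is" and "contains" as in the scope builder; case-sensitive (assumption)
    "is": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in str(actual),
}

@dataclass
class Scope:
    """Applies to (who holds it), Access (target users covered) and permissions granted."""
    name: str
    applies_match: str    # "All" or "Any"
    applies_rules: list   # [(property, operator, value), ...]
    access_match: str
    access_rules: list
    permissions: set = field(default_factory=set)

def rules_match(rules, match, user):
    """Evaluate one rule block against a user record (dict of attributes)."""
    results = [OPERATORS[op](user.get(prop, ""), value) for prop, op, value in rules]
    if not results:
        return False      # assumption: an empty rule block matches nobody
    return all(results) if match == "All" else any(results)

def is_authorized(scopes, requester, action, target=None):
    """True if a scope held by `requester` grants `action`. Create User is global
    and ignores the Access conditions; the other permissions need a matching target."""
    for scope in scopes:
        if action not in scope.permissions:
            continue
        if not rules_match(scope.applies_rules, scope.applies_match, requester):
            continue
        if action == "Create User":
            return True
        if target and rules_match(scope.access_rules, scope.access_match, target):
            return True
    return False

# Constructed sample scopes and users (not from the page).
SCOPES = [
    Scope("Manager LCM", "All", [("userName", "contains", "mgr")],
          "All", [("accountStatus", "is", "active")], {"Modify User", "View Grants"}),
    Scope("HR create", "All", [("department", "is", "HR")],
          "All", [("userType", "is", "contractor")], {"Create User"}),
]
MGR = {"userName": "bob.mgr", "department": "Sales"}
HR = {"userName": "carol", "department": "HR"}
ACTIVE = {"userName": "dan", "accountStatus": "active", "userType": "employee"}
DISABLED = {"userName": "eve", "accountStatus": "inactive", "userType": "employee"}
```

Note that the HR scope targets only contractors, yet its holder can create an employee record: the Access rules never apply to Create User, which is why that permission should be granted sparingly.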

Create an internal role

Administrators must create an internal role so that authorized end users can view the Users identity object.

  1. Sign on to the Advanced Identity Cloud admin console as a tenant administrator.

  2. Go to Identities > Manage.

  3. Click Internal Roles > + New Internal Role.

    1. In the New Internal Role modal, enter the following and click Next.

      • Name: Enter a name for the internal role, such as UserLCMTest.

      • Description: Enter a description for the internal role.

        Creating a new internal role

    2. In the Internal Role Permissions modal, select Alpha realm - Users (managed/alpha_user), and click + Add.

      1. Click the internal role permissions you want available with the role:

        • View

        • Create

        • Update

        • Delete

      2. Click Show advanced, select Read/Write for the following attribute permissions, and click Next:

        • userName

        • givenName

        • cn

        • sn

        • mail

          Internal role permissions

      3. In the Dynamic Internal Role Assignment modal, click Next.

      4. In the Time Constraint modal, click Save.

  4. On the UserLCMTest page, click + Add Members.

    1. In the Add Members modal, select the users to which the internal role applies, and then click Save.

Configure the user create form

Create a form for the end users to use during the user create process.

  1. In the Advanced Identity Cloud admin console, go to Governance > Forms.

  2. Click + New Form.

  3. In the New Form modal, select LCM form.

    Select LCM form on the New Form modal

  4. In the LCM form modal, configure the following:

    • Form Name: Enter a form name.

    • Description (optional): Enter a general description of the form.

    • Identity Profile: Select User.

    • Use this form for request creation: Click this option to use with LCM operations.

    • Operation: Associate the form to the LCM operation. Select Create.

  5. Click Save.

    LCM form details

  6. In the Create New User form editor, drag and drop the fields you want to include on the form and then click Save.

    User create form

  7. (Optional) Repeat the process to create forms for Modify User and Delete User, which appear in place of the default forms.

Configure user lifecycle workflows

Identity Governance provides out-of-the-box request types and workflows that enable authorized users to carry out user LCM tasks. You can customize these workflows by duplicating them and editing the copies.

Request Type   Workflow
Create User    Create User
Modify User    Modify User
Delete User    Delete User

Configure workflows for user LCM

  1. In the Advanced Identity Cloud admin console, go to Governance > Workflows.

  2. Click the ellipsis (...) next to Create User, and click Duplicate.

  3. In the Workflow Details modal, enter a name for the workflow, and click Save.

  4. In the Workflow Editor, click the Approval node.

  5. In the right pane, click Add approvers manually, and then click + (add) to add approvers.

  6. In the Edit Approver modal, configure the following:

    • Approver Type: Select User.

    • User: Select a user.

    • Permissions: Select the permissions available to the approver.

      • Approve

      • Reject

      • Forward

      • Modify

      • Comment

  7. Click Add.

    Edit approver page in the Create User workflow

  8. Click Save to apply your changes to the workflow.

  9. When you are ready to use your workflow, click Publish.

  10. Repeat the process to set the approver for the Modify User and Delete User workflows.

Create a new user

  1. In the Advanced Identity Cloud end-user UI, sign on as your test user who has application permissions.

  2. Go to Administer > Users.

  3. On the Users page, click add New User.

  4. In the New user modal, fill out the form for the new user.

  5. Click Submit.

    A change request is entered in the system and must be approved by the user specified in the workflow.

Modify a user

  1. In the Advanced Identity Cloud end-user UI, sign on as your test user who has application permissions.

  2. Go to Administer > Users.

  3. Click the ellipsis (...) > Edit next to the user you want to modify.

  4. Modify any field in the Profile page and click Save.

    A change request is entered in the system and must be approved by the user specified in the workflow.

Delete a user

  1. In the Advanced Identity Cloud end-user UI, sign on as your test user who has application permissions.

  2. Go to Administer > Users.

  3. Click the ellipsis (...) > Delete next to the user you want to remove.

  4. In the Delete User? modal, click Submit if you’re certain you want to delete the user.

    A change request is entered in the system and must be approved by the user specified in the workflow.