Identity Lifecycle Events

The discrete state transitions in an identity's lifecycle that AE Guardian must detect and respond to. Each HR system models them slightly differently, but the core set is consistent:

- Hire — new employee starts; provision birthright access - Rehire — terminated employee returns; re-activate with prior access (or reset) - Transfer — employee moves to a new role / department / location; reconcile access (typically remove old + add new) - Promotion / Demotion — title and access change; usually access-additive but compensation-affecting - Leave — employee on extended leave; typically suspend access without termination - Return from Leave — re-activate access - Termination — employee departure; deprovision all access immediately, especially physical (badge deactivation at the PACS) before they leave the building - Title Change / Manager Change / Location Change — attribute changes that affect access via role-based policies

HR systems publish these events on different cadences — Workday and SAP HR support both full reconciliation and delta event streams; SailPoint (sail-point-rest) exposes them via polled query on identity events; PeopleSoft requires Component-Interface-based extraction.

Termination is the most operationally critical event — for security reasons, badge deactivation should happen within minutes of the HR system marking the employee as terminated. AE Guardian's polling interval on HR connectors is typically configured tightly (every 15-60 minutes) for this reason.