This article covers four common offboarding scenarios using Connect to AD’s Enable Account field mapping.
When using conditional expressions, conditions are evaluated from top to bottom; therefore, their order is critical to ensure correct behavior. We recommend matching the examples provided as closely as possible.
Disable an account upon termination
Use case requirement: When an employee is terminated, ensure that their network account is disabled.
Solution: Disable the network account when the employee has been terminated in UKG.
How to do it: Use the UKG employee status code to disable accounts for terminated employees by using one of these expressions:
Option A:
Employment.EmployeeStatusCode == "A"Only enable active employees; disable all terminated and on leave employees.
Option B:
Employment.EmployeeStatusCode != "T"Enable all employees with an employee status code different from “T”
Option C:
Employment.EmployeeStatusCode.OneOf("A,L")Enable employees with an employee status code of "A" or "L", disable the rest.
Disable an account before termination
Use case requirement: Allow the HR team to disable a network account, even if they are not ready to process the termination in UKG.
Solution: Add support in UKG to indicate that a network account should be disabled, even though the employee record in UKG remains active
How to do it: Add a Platform Configuration field, such as DisableNetworkAccount, and update the Enable Account mapping with the following conditional expressions:
WHEN
PlatformConfig.Employment.DisableNetworkAccount == true
THEN
false
WHEN
Employment.EmployeeStatusCode == "T"
THEN
false
WHEN
Employment.EmployeeStatusCode.OneOf("A", "L")
THEN
true
WHEN
Default
THEN
IgnoreThese conditions will check if the HR team has set the account to disabled. If they have, then Connect to AD will disable the account. The remaining conditions check the employee status code to determine whether the account should be enabled.
Keep a terminated employee’s user account enabled
Use case requirement: Keep the network account enabled, even if the employee has been terminated in UKG.
Solution: Add support in UKG to indicate that a network account should remain enabled, regardless of their current employment status.
How to do it: Add a Platform Configuration field, such as KeepNetworkAccountEnabled, then update the Enable Account mapping with the following conditional expressions.
WHEN
Employment.EmployeeStatusCode == "T" && PlatformConfig.Employment.KeepNetworkAccountEnabled == true
THEN
true
WHEN
Employment.EmployeeStatusCode == "T"
THEN
false
WHEN
Employment.EmployeeStatusCode.OneOf("A", "L")
THEN
true
WHEN
Default
THEN
Ignore
Prevent re-enabling manually disabled accounts
Use case requirement: Allow the IT team to manually disable network accounts and prevent them from being re-enabled, even if they are still active in UKG.
Solution: Use the account’s status and location to ensure it stays disabled.
How to do it:
WHEN
user.enabled == false && user.container != 'OU=Disabled Users'
THEN
Ignore
WHEN
Employment.EmployeeStatusCode.OneOf("A", "L")
THEN
true
WHEN
Employment.EmployeeStatusCode == "T"
THEN
false
WHEN
Default
THEN
IgnoreThese conditions will check if the IT team has disabled the account manually (and they did not move it to the Disabled Users OU). Any account that is in a disabled state and that is not in the Disabled Users OU will remain disabled.
Comments
0 comments
Please sign in to leave a comment.