Biju,

We don't use HCM/VDS - we have a custom feed that our SAP HR Support team has produced and we read this into the identity center to manage employee access in IdM.

Having said that, we are relying on the status field like you are - we use the text field instead of the numeric code but otherwise there is really no difference.

Here is our flow in a nutshell:

We read in HR data related to user access in a To Identity Store pass that includes an attribute called 'HR_EVENT'. This attribute is excluded from the Delta which we have enabled for this pass. The attribute value is the system parameter for current date/time, and the attribute has an event trigger on add or modify that routes a user to a Role Assignment ordered group.

As an alternative - you can assign the HR_EVENT attribute with a time to live of one minute and set the event trigger to delete - the advantage is you 'clean up' this attribute from the user record, the disadvantage is that you lose the time stamp that could be helpful to tell you the last time something changed on the user in the HR feed.

To continue, the Role Assignment ordered group (obviously you can call this whatever you want) can then have one or more conditional tasks that looks at the user's status and other business logic you may need. So for instance, the first conditional task says:

select distinct count from mxiv_sentries
where mskey = %MSKEY%
and mskey in
(select distinct count from mxiv_sentries 
where attrname = 'hr_status' and searchvalue = '3')

If the statement returns True the user is active and can be handled however you like in that case. If the statement returns False we set MX_Disabled to 0, copy MXREF_MX_ROLE to an attribute called ARCHIVE_ROLES and then blank MXREF_MX_ROLE which deprovisions the user.

Note: You may want to leave some access on an Inactive user depending on how your organization uses this status - for us we leave a role on Inactive users that allows them to access email.

Hope this helps.

-Geoff