Account Lifecycle Management Overview
Account Lifecycle Management (ALM) in Apporetum provides your organisation with the tools to manage user accounts from initial provisioning through to the retirement of an identity. This section covers the key features that make up Apporetum's ALM capabilities, including the state model, run history, provisioning flow, and mail templates.
By implementing Account Lifecycle Management, your organisation ensures that all accounts are created, used, modified, and retired in accordance with your identity governance policies. This goes beyond simple account creation and deletion — it manages the complete journey a user may experience within your organisation, including pre-boarding entitlements, on-boarding, role changes, entitlement changes, and account dormancy.
What is Account Lifecycle Management?
Account lifecycle management is the process of managing user accounts across every stage of an identity's time within your organisation. Apporetum provides core capabilities to manage each of these stages and the rules and triggers that govern them, ensuring that access is always aligned with organisational policy.
Managing account lifecycles can be a time-consuming process without the right tooling. Apporetum enables you to automate account lifecycle transitions by defining business rules and event triggers that automatically move accounts between states and execute predefined actions, eliminating the need for manual oversight.
Apporetum also supports automatic user provisioning and deprovisioning, syncing directly from your organisation's HR or workforce management systems into Microsoft Entra ID and/or Active Directory. This ensures that when employees join, change roles, or leave the organisation, their identities are updated accordingly without manual intervention.
The pre-onboarding capability allows your organisation to configure required access packages and entitlements before a user's start date, ensuring they have the right access from day one.
Example: A complete employee lifecycle
The diagram below shows a typical lifecycle journey for an employee — from pre-boarding through to termination. Each box represents a state. Each arrow represents a transition that fires when its trigger conditions are met.
Your organisation may configure multiple lifecycle flows within a single state model to reflect different user or account types. For example, you can split the lifecycle paths by employee or contractor status, or by any account attribute.
What is the State Model?
A state model in Apporetum defines the complete lifecycle journey of user accounts within your organisation. It maps out the possible states an account can hold and the rules governing transitions between those states.
The five core components
The state model is built from five interdependent components that work together to automate lifecycle management.
| Component | Purpose | Example |
|---|---|---|
| Entry Point | The initial state an account is assigned to that allows it to enter the state model. This is set by the system. | The state will be either Discovered or New Starter |
| State | Represents a point in the identity lifecycle. An account always has a state. | Active, On Leave, Terminated, Inactive, Dormant, etc. |
| Transition | The pathway between two states that an account takes | Active → On Leave, Active → Inactive |
| Trigger | The condition attached to a transition that causes an account to transition from one state to another | LeaveStartDate equals today |
| Action | The automated task performed on an account when it transitions from one state to another | Harvest entitlements, send email to manager, move OU |
Apporetum provides two built-in Model Entry Points. These are the states that an account is initially assigned to. These cannot be removed:
- New Starter Entry Point — Accounts that are newly added to your identity data from a workforce feed will be set to this state.
- Discovered Accounts Entry Point — Accounts found during a data source sync of a directory that were created outside the IAM/IGA system's processes.
All other states are configured by your organisation to reflect your specific identity governance policies.
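The five components can be sketched as a small evaluator. This is an added illustration, not Apporetum's code or configuration format: the class, function and field names (`Transition`, `step`, `StartDate`, `EndDate`, `OwnerConfirmed`) are assumptions, and only `LeaveStartDate` and the state and action names come from the table above. It also shows two checks worth running on a draft: transitions that fire at the same time for one account, and states that no entry point can reach.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable

# Illustrative model only: names here are assumptions, not Apporetum's schema or API.
@dataclass(frozen=True)
class Transition:
    source: str
    target: str
    trigger: Callable[[dict, date], bool]  # condition attached to the transition
    actions: tuple = ()                    # tasks performed when it fires

ENTRY_POINTS = {"New Starter", "Discovered"}  # the two built-in entry points

MODEL = [  # constructed sample model
    Transition("New Starter", "Active", lambda a, t: a["StartDate"] <= t,
               ("send email to manager",)),
    Transition("Discovered", "Active", lambda a, t: a.get("OwnerConfirmed", False)),
    Transition("Active", "On Leave", lambda a, t: a.get("LeaveStartDate") == t,
               ("harvest entitlements",)),
    Transition("Active", "Terminated",
               lambda a, t: a.get("EndDate") is not None and a["EndDate"] <= t,
               ("harvest entitlements", "move OU")),
]

def step(account, today, model=MODEL):
    """Evaluate one run; return an audit record, or None if no trigger fired."""
    fired = [tr for tr in model
             if tr.source == account["State"] and tr.trigger(account, today)]
    if not fired:
        return None
    if len(fired) > 1:  # this example refuses to guess between competing transitions
        raise ValueError(f"ambiguous from {account['State']}: {[t.target for t in fired]}")
    tr = fired[0]
    record = {"account": account["Id"], "from": tr.source, "to": tr.target,
              "actions": list(tr.actions), "date": today.isoformat()}
    account["State"] = tr.target
    return record

def unreachable_states(model, states):
    """Return states that no chain of transitions from an entry point reaches."""
    seen, frontier = set(ENTRY_POINTS), list(ENTRY_POINTS)
    while frontier:
        current = frontier.pop()
        for tr in model:
            if tr.source == current and tr.target not in seen:
                seen.add(tr.target)
                frontier.append(tr.target)
    return sorted(set(states) - seen)
```
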
State model versions
Apporetum maintains up to two instances of the state model at any time.
| Version | Purpose |
|---|---|
| Published | The active model currently governing your identity landscape. Published state models can be scheduled to run automatically. |
| Draft | A working copy that can be edited freely without affecting the published model or production data. Simulations can be run against a draft to validate behaviour before publishing. |
For information on how to configure a state model, see Configuring the State Model.
State Model Run History
Apporetum's ALM run history feature provides a complete audit trail of all state model executions. It shows when transitions occurred, what triggered them, and what actions were performed.
This visibility allows your organisation to:
- Monitor account lifecycle changes in real time
- Investigate unexpected state changes using the Audit tab
- Verify that access controls are functioning as intended
- Produce evidence for compliance audits and certifications
The detailed execution records demonstrate that your identity governance processes are operating according to policy.
For information on how to view and interpret run history, see ALM Model Run and Run History.
What is a Provisioning Flow?
The provisioning flow is a configured path that determines how identity data from your organisation's workforce sources is processed and transformed into user accounts in your identity ecosystem.
Provisioning automation reduces manual effort and errors, and ensures that accounts in your directory remain synchronised with your workforce data. The provisioning flow integrates with Microsoft Entra ID through Microsoft's Entra ID API-driven provisioning service and agent, which acts as the execution layer for Apporetum.
The key components of the provisioning flow are:
| Component | Description |
|---|---|
| Workforce Feed Integration | Connects to HR system data sources, including CSV files or direct integrations. |
| Person-to-Identity Mapping | Defines transformation rules that convert HR data fields into identity attributes. |
| Account Type Assignment | Determines what type of account should be created based on employee attributes. |
| Automated Provisioning | Sends automatic create/update/delete requests for user accounts to the Entra ID API-driven provisioning service based on configured rules. |
For configuration guidance, refer to Configure Provisioning Flow in the Install documentation.
ALM Mail Templates
ALM Mail templates allow your organisation to create and manage the email notifications that are sent when an account transition includes a Send Email Notification action. You can create or edit templates and configure the timing and trigger conditions for each notification. Templates are managed and designed using the Apporetum UI.