HRIS triggered account disable for employee on maternity leave. She lost access to the benefits portal. Now HR wants IT to "fix the process".

Posted by AudienceOwn3845@reddit | sysadmin | 92 comments

Workday flagged an employee as inactive when her leave started. That status change fed into our Entra provisioning workflow and disabled her account within 48 hours. Standard automation, works fine for actual terminations.

Except she wasn't terminated. She was on maternity leave. And the benefits portal she needed to manage her insurance during leave is behind SSO. Disabled account, can't authenticate, can't access anything.

HR found out when she called them directly. They were not happy. Neither was legal when they got looped in about potential benefits access implications.

We re-enabled the account manually within a few hours but now I'm sitting in meetings where HR wants a "solution" and I'm trying to explain that the problem is that Workday uses the same status field for leave and termination in a way that our provisioning logic can't distinguish cleanly without custom attribute mapping we never built.

The obvious fix is to add a leave type check before any disable action triggers. We're working on that. But what I actually want to know is how other people have handled the edge cases here, specifically accounts that need to stay partially active during leave. Full disable is wrong. Full enable with normal access is also arguably wrong from a security standpoint since they're not working. Is anyone doing a "leave mode" where you scope access down to just HR/benefits apps and strip everything else temporarily?

Curious if there's a pattern here that doesn't require us rebuilding the whole provisioning workflow from scratch.
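One way to express the "leave type check before any disable" and the "leave mode" the post asks about, written as an added example that is not the poster's code and does not use Workday's or Entra's real schema or API: a pure decision function that maps one HRIS record to a provisioning action, with the pre-leave group memberships snapshotted so they can be restored on return. The field names on `WorkerRecord`, the `grp-*` group names, the `SnapshotStore` dict and the whole `scenario()` lifecycle are constructed assumptions. The point it demonstrates is that only an explicit termination date ever yields a disable; an inactive flag with no leave type is treated as ambiguous and held for review rather than acted on.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed subset of HRIS fields. Workday's real schema differs; these names are illustrative.
@dataclass(frozen=True)
class WorkerRecord:
    worker_id: str
    active: bool                          # the single status flag that drove the disable in the post
    termination_date: Optional[date] = None
    leave_type: Optional[str] = None      # e.g. "Parental", "Medical"; None when not on leave
    leave_end: Optional[date] = None      # expected return date, if HR recorded one


@dataclass(frozen=True)
class Decision:
    action: str                           # "disable" | "leave_mode" | "restore" | "hold" | "noop"
    groups: FrozenSet[str]                # memberships the account should end up with
    reason: str


# Assumed group names gating the apps someone on leave still needs.
LEAVE_GROUPS: FrozenSet[str] = frozenset({"grp-benefits-portal", "grp-hr-selfservice"})

# Stand-in for wherever pre-leave memberships are persisted (a table, an extension attribute).
SnapshotStore = Dict[str, FrozenSet[str]]


def decide(rec: WorkerRecord, current_groups: FrozenSet[str],
           today: date, snapshots: SnapshotStore) -> Decision:
    """Map one HRIS record to a provisioning action. Only an explicit termination disables."""
    if rec.termination_date is not None and rec.termination_date <= today:
        snapshots.pop(rec.worker_id, None)
        return Decision("disable", frozenset(), "termination date reached")

    if not rec.active:
        if rec.leave_type is None:
            # Inactive, but neither a leave type nor a termination: ambiguous. Keep access as-is
            # and route to a human; defaulting to disable is exactly what locked the employee out.
            return Decision("hold", current_groups,
                            "inactive without leave type or termination date; needs review")
        if rec.leave_end is not None and rec.leave_end < today:
            return Decision("hold", current_groups,
                            f"{rec.leave_type} leave ended {rec.leave_end} but worker still inactive")
        # Leave mode: account stays enabled, access shrinks to benefits/HR, the rest is remembered.
        # setdefault keeps the first snapshot intact when later syncs see the already-reduced set.
        snapshots.setdefault(rec.worker_id, current_groups)
        return Decision("leave_mode", LEAVE_GROUPS, f"on {rec.leave_type} leave")

    if rec.worker_id in snapshots:
        # Active again: put back exactly what was there before leave and forget the snapshot.
        return Decision("restore", snapshots.pop(rec.worker_id), "returned from leave")

    return Decision("noop", current_groups, "active, no pending leave state")


def scenario() -> Tuple[Dict[str, Decision], SnapshotStore]:
    """Constructed lifecycle: parental leave, a repeat sync, return, plus three edge cases."""
    today = date(2024, 6, 1)
    before = frozenset({"grp-all-staff", "grp-finance-erp", "grp-vpn"})
    store: SnapshotStore = {}
    on_leave = WorkerRecord("w1", active=False, leave_type="Parental", leave_end=date(2024, 9, 1))
    out: Dict[str, Decision] = {}
    out["leave_start"] = decide(on_leave, before, today, store)
    out["leave_resync"] = decide(on_leave, out["leave_start"].groups, today + timedelta(days=7), store)
    out["return"] = decide(WorkerRecord("w1", active=True), out["leave_resync"].groups,
                           date(2024, 9, 2), store)
    out["terminated"] = decide(WorkerRecord("w2", active=False, termination_date=date(2024, 5, 30)),
                               before, today, {})
    out["ambiguous"] = decide(WorkerRecord("w3", active=False), before, today, {})
    out["overdue"] = decide(WorkerRecord("w4", active=False, leave_type="Medical",
                                         leave_end=date(2024, 5, 1)), before, today, {})
    return out, store


if __name__ == "__main__":
    results, remaining = scenario()
    for name, d in results.items():
        print(f"{name:13} -> {d.action:10} groups={sorted(d.groups)}  ({d.reason})")
    print("snapshots left:", remaining)
```

The "hold" outcomes are the part worth keeping even if the rest is replaced by native connector rules: any inactive record the logic cannot classify, and any leave that has run past its recorded end date, should surface as a ticket instead of silently becoming a disable.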