Skip to main content



Enforcement is the process during which HelloID Provisioning performs Grant, Revoke, and Update actions on Entitlements.

To get started, manually Run an enforcement, or Add a schedule with enforcement enabled.


Every organization's user accounts go through a "CRUD" lifecycle: Create, Enable, Update, Disable, Delete. These stages correspond to an employee's status in the organization, from onboarding, to role changes, to promotions, to eventual offboarding. In HelloID, this lifecycle is controlled by entitlements. For example, a granted Account entitlement creates an account, and a granted Account Access entitlement enables the account. Oppositely, a revoked Account Access entitlement disables the account, and a revoked Account entitlement deletes an account.


For an enforcement to do anything at all, at least one of the following must be true:

  1. Something in a has changed since the last enforcement, and a new snapshot has been generated.

  2. One or more Business rules have been modified since the last enforcement.

If neither of these are true, running an enforcement does nothing. To preview the actions that will occur during the next enforcement, see Evaluation.

Related features include:

  • Force update accounts: writes certain changes into Target systems which are not normally be included in an enforcement.

  • Retry failed action: retries a single entitlement action that failed during an enforcement, without performing another full enforcement.

  • Re-enforce an entitlement: re-enforces only a single granted entitlement, without performing a full enforcement.

  • Run with resources: runs a standard enforcement (Run an enforcement), but additionally processes Resources just prior to the enforcement. If resources fail, there is no stop condition. The enforcement continues and all entitlement actions are still attempted. However, any entitlements which depend on failed resources will also fail.

Every enforcement has three steps: Grant, Revoke, and Update.

In the Grant step, HelloID Provisioning grants all pending entitlements (i.e., grants all entitlements slated for addition as per changes in business rules).

These include:


To manually retry a failed grant entitlement action, Retry failed action. Or, to re-enforce a currently granted entitlement, Re-enforce an entitlement.

In the Revoke step, HelloID Provisioning performs all pending revoke actions (i.e., removes all entitlements slated for removal as per changes in business rules).

These include:


To manually revoke an entitlement, Edit a business rule and/or Edit a condition, such that the relevant person(s) are no longer slated to receive the entitlement. To preview your changes, Run an evaluation. The entitlement will be revoked during the next Enforcement.

Compare to the Unmanage step, which removes the entitlement state from HelloID without removing the actual entitlement in the target system.


If there is a conflict in which an entitlement would be both unmanaged and revoked during an enforcement, the unmanage action overrides the revoke action.

The Update step is a special step in enforcement. It occurs when at least one of the following trigger conditions are met:

  • A new snapshot has been generated since the previous enforcement, in which at least one field has changed. See Snapshots.

  • A business rule exists which assigns a Permission entitlement, and it has a contract condition (see Contract conditions), and the specific in-conditions (qualifying) contract has changed for at least one in-scope person.

    For example, person X was previously qualified for the business rule based on contract Y, but is now qualified for the business rule based on contract Z.


    This may occur due to changed data in the contracts themselves, or due to changes in the Conditions of the business rule.

When at least one of these trigger conditions is met during an enforcement, both of the following actions occur:

The Unmanage step is a special step, which causes an entitlement's state to be forgotten in HelloID, but without removing the granted entitlement itself in the external target system (e.g., the user account or group membership).

It occurs in three situations:

When an entitlement is unmanaged, all running and pending enforcement actions for it are canceled.

Compare to the Revoke step, which removes the actual entitlement in the external target system, and not merely the entitlement's state in HelloID.

Unmanaging an entitlement does not prevent the same entitlement from being granted again to the same target account in the future.


If there is a conflict in which an entitlement would be both unmanaged and revoked during an enforcement, the unmanage action overrides the revoke action.

The following chart shows the order in which HelloID performs entitlement actions during an enforcement.


There are eight solid blocks, divided into three types:

Semi-transparent blocks indicate the dependencies for each of these entitlement actions (which are themselves entitlement actions; hence, the chart depicts the order of entitlement action resolution).

Arrows indicate the type of dependency:

  • Critical (solid arrow): The dependent entitlement action will not be run until all dependencies have been successfully resolved (i.e., successfully granted, revoked, or updated, as appropriate).

    For example, an Account entitlement will not be revoked until all Account Access and Permission entitlements for that account have been successfully revoked.

  • Non-Critical (dashed arrow): The dependent entitlement action will not be run until either 1) all dependencies have been resolved regardless of result (success or failure), or 2) 24 hours have passed since the dependent entitlement action was initiated.


Dependent entitlement actions are not immediately triggered upon the resolution of their dependencies. Rather, HelloID Provisioning periodically checks for and runs pending actions in batches.

To view the current status of entitlement actions, View running & pending actions.

The final section in the chart, "Depends on," describes the order of entitlement action resolution when you're using the Share account fields between target systems feature.