We are importing the DEM first and then generating the Authorization records based on the imported data. The DEM import creates (if not already there) all the attributes such as employees, diagrams, roles sessions etc. and also creates the relationships, such as Employee to Role relationship. If then an Employee is removed/deleted from DEM and we do a new import, it overwrites / resets the existing data and relationships. If however the employee is deleted from the DEM, its record is no longer there, nothing gets reset and thus the Employee Role relationship remains in the Dynaflow Compliance Repository and results in authorizations if the Access Scan is done.
So to avoid the above situation, it would be best if an employee is no longer active, to leave the employee in the DEM, remove all DEM roles that are linked to this employee and use the end of employment date. When the next DEM import is done, and the end of employment date is today or earlier, the employee is expired. Since there are no longer any roles associated to the employee, the reset of the relationships will remove the roles and all is ok.
If however the employee is deleted from the DEM , there is the option to “Purge EZ-Process/DEM Role relationship” in the administration section of the client. This option will remove all Employee Role relationships in the Dynaflow Compliance tables. If then an access scan is done no authorizations are generated for the user which was deleted and if the detect terminated employees is checked, these employees are also expired. (note that when using the detect expired employees, you should avoid using any filters on for example employees or roles etc.)
So there are 2 ways to coop with this situation:
Option1
Option 2