Ingested Contractors

UPN Display Name Status Connectors Contract End AD Expiry Manager (click to edit) Last Attested Actions
Loading…

Contractors

The Contractor Module tracks active contractors, monitors their access through continuous manager check-ins, and triggers the standard offboarding pipeline the moment a departure is confirmed. No contractor account is offboarded without explicit manager confirmation.

How It Works

1
Ingest from source of truth A CSV or JSON roster of active contractors is dropped into the Contractor Drop Zone (contractors/ingest/{tenant}/) by your procurement or vendor management system. The system stages each contractor as a candidate — no access is changed at this point. Records are upserted: additions and changes are applied, missing records move to pending review rather than being auto-offboarded.
2
Determine email cadence from available signals At ingest time the system reads two signals to decide how to communicate with the manager. The cadence is applied automatically — no manual configuration per contractor is required.
Contract end date AD account expiry Cadence applied
Set Any Monthly heartbeat + T-30 / T-7 / T-0 off contract end date
Not set Set in AD Monthly heartbeat + T-30 / T-7 off AD expiry. AD self-disables at T-0; agent confirms.
Not set Not set Monthly full attestation only. Upgrades to date-anchored cadence automatically if agent discovers an AD expiry date.

Suppression rule  If a T-30 or T-7 email was already sent this calendar month, the monthly heartbeat is skipped for that contractor. Managers receive at most one email per contractor per month.

3
Monthly heartbeat to manager Every active contractor receives a monthly check-in email sent to their assigned manager. For contractors with a known end date the email is a lightweight confirmation: "Is Jane Smith still active, or has she left early?" Each contractor has individual one-click buttons — clicking is the action, no portal login required. Tokens are HMAC-signed, 48-hour TTL, single-use.
4
Date-anchored reminders as the contract end approaches When a contract end date or AD expiry is known, the system sends targeted reminders at T-30 days and T-7 days asking the manager to confirm extension or approve offboarding. No response by T-0 triggers the offboard job automatically (if auto-offboard is enabled for this tenant).
5
Escalation on non-response If a manager does not respond to any email within the configured grace period (default: 5 business days), the system escalates to their skip-level manager, resolved automatically from the AD manager attribute chain. The escalation email lists all pending contractors and grants the skip-level manager the same one-click action buttons.
6
Manager confirms departure — existing offboard pipeline fires When a manager clicks "No longer active — remove access now", the system calls the standard offboarding ingest endpoint (POST /api/tenants/{tenant}/offboarding/ingest) with the contractor's UPN. From this point the workflow is identical to an HR-submitted offboard: the agent disables the AD account, removes privileged group memberships, and writes an evidence record. The manager receives a confirmation email when complete.
7
AD attribute scan — safety net The offboarding agent scans AD on every poll cycle for accounts matching contractor indicators (OU, group, or employeeType attribute). Any contractor account not present in the registry is surfaced as an unregistered finding in the review queue below. The agent also reads accountExpires from each matched account and writes it back to the registry, allowing the cadence to upgrade from monthly attestation to date-anchored automatically.

HCM Overlap — Safety Net

In most cases HR does not manage contractors. The Contractor Module operates independently of the HCM drop zone — manager confirmation is the primary and expected offboard trigger for contractors. However, in the event that HR does submit an offboard request for a contractor UPN via the HCM drop zone, the system handles it gracefully: the contractor record is closed, all pending manager emails are suppressed, and the manager will not receive further check-in emails for that person. If the manager subsequently clicks "remove access" for the same UPN, the system returns the existing job rather than creating a duplicate. This logic exists as a safeguard only.

Email Notifications

Configure which emails are sent and when. All emails use one-click tokenised buttons — no portal login required for manager responses.

Heartbeat & Attestation
Date-Anchored Reminders
days before contract end
Asks manager to confirm extension or approve offboarding on schedule.
days before contract end
Last notice before T-0. Access will be removed unless an extension is confirmed.
Post-Action Notifications

Configuration

Settings apply to all contractors for this tenant. Changes take effect on the next scheduled sync or heartbeat cycle.

Module pending deployment. Configuration will be active once the Contractor Module API endpoints are deployed. Settings saved here will be applied at that time.
Drop Zone
Managed by the platform. Drop contractor roster files here to trigger a sync.
CSV minimum columns: upn, manager_upn, contract_end. Optional: display_name, vendor, department.
How often the system pulls from the source of truth. Manual sync is always available below.
Attestation Schedule
How often managers receive a check-in email for active contractors. Applies to all contractors regardless of whether a contract end date is set.
Day of month the heartbeat email cycle runs. Date-anchored reminders (T-30, T-7) are sent independently of this setting.
Grace Period & Escalation
business days
Days before an unanswered attestation email escalates to the skip-level manager.
Fallback UPN used when the AD manager chain cannot be resolved.
Offboard Action
Disable-only is useful when group membership history needs to be preserved for compliance review before removal.
Auto-offboard is an opt-in safeguard. Enable only when manager response rates are consistently reliable.
Date Discrepancy Threshold
days
A discrepancy warning is surfaced in the contractor review table. The contract end date always takes precedence for cadence scheduling.

Contractor Flow

Configure how the platform handles contractor lifecycle events — attestation requirements, auto-offboard behaviour, and HR approval gates.

Attestation & Approval
When unchecked, offboard jobs are created immediately on contract end without waiting for manager confirmation.
Adds a second approval gate — useful for SOC 2 separation of duties.
Auto-Offboard on Timeout
Off by default. Enable only when manager response rates are consistently reliable.
days after notice email is sent
Offboard Action

Email Templates

Customise the subject and body of each email type. Use {{variable}} placeholders — they are replaced at send time.

Available variables:
{{contractor_name}}   {{contractor_upn}}   {{manager_name}}   {{manager_upn}}   {{contract_end}}   {{vendor}}   {{department}}   {{attest_url}}   {{offboard_url}}
Lines starting with [Label] followed by a URL are rendered as styled buttons in the sent email.

Blob Drop Zone

Your procurement or vendor management system can drop contractor roster CSVs directly into Azure Blob Storage. The API polls every minute, processes each file, upserts contractor records, and deletes the blob automatically.

Container: contractor-drop
Path pattern: {tenant}/{filename}.csv
Poll interval: Every 1 minute
Error log: {tenant}/errors/{filename}.csv.txt

Manual Sync

Trigger a sync from the source of truth or upload a contractor roster CSV directly. The system will upsert records and apply the cadence logic immediately.

Upload contractor roster (CSV or JSON)
Drop file here or
Trigger scheduled pull now
Pulls the latest roster from the configured source of truth and upserts the contractor registry. Does not affect contractors already in offboarding or offboarded status.