# New hire

Before you configure a new hire workflow, define **birthright access**.

## Birthright access

A **birthright** in OpenIAM is baseline access assigned automatically when a user is created. OpenIAM applies this access through predefined **business rules**.

For example, users with a specific job title can receive the roles for that function automatically.

Use the matrix and example below to define these rules.

| Rule Name | Inclusion criteria                                                    | Access                                                                      | Exclusion criteria                                                        |
| --------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------- |
|           | Criteria that determine when a person should get the defined access.  | Entitlements that a person should get when the inclusion criteria are true. | Criteria that prevent a user from getting the defined birthright access.  |

**Example:** Accounts payable role

| Rule Name       | Inclusion criteria                                     | Access                                                                                                                             | Exclusion criteria    |
| --------------- | ------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------- |
| Account payable | Department="Finance" and Title="Account payable agent" | AD Group=Account Payable, AD Group=Finance, Shared folder= /some path/finance team, MyERP application Access = Payables agent role | Role=Invoice approval |

## New hire

There are two ways to start a new hire flow in the UI:

* **With approval flow.** Go to **SelfService** → **Access management** → **New user**. To use this option, define approvers for the `NEW_HIRE_WITH_APPROVAL_AR` resource.
* **Without approval flow.** Go to **SelfService** → **Access management** → **New user-NO approver**.

### Create a business rule for role assignment

Business rules let OpenIAM trigger actions on a user when defined conditions are met.

To add a business rule that assigns a role:

{% stepper %}
{% step %}

### Go to Business Rules

Go to **Webconsole** → **Access Control** → **Business Rules**.
{% endstep %}

{% step %}

### Add a new business rule

Select **Add Business Rules**.
{% endstep %}

{% step %}

### Name and describe

Enter a **Name** and **Description**.
{% endstep %}

{% step %}

### Choose operation

Choose an **Operation**:

* **All** — Apply the rule during user creation and updates.
* **Add** — Apply the rule during user creation only.
* **Update** — Apply the rule during user updates only.
{% endstep %}

{% step %}

### Choose status

Choose a **Status**:

* **Active**
* **Inactive**
{% endstep %}

{% step %}

### Apply selected rule when conditions match / do not match

Set **Apply selected rule when conditions match** to `target`. This controls which target OpenIAM invokes when the business rule conditions are met.

Set **Apply selected rule when conditions do not match** to `target`. This controls which target OpenIAM invokes when the business rule conditions are not met.
{% endstep %}

{% step %}

### Set conditions

Select and hold, or right-click, **Or** to start building the condition.

* **Add Or** — Group two or more expressions. The condition is true if any expression is true.
* **Add And** — Group two or more expressions. The condition is true only if all expressions are true.
* **Add Expression** — Add a single expression to evaluate. Use negation to reverse the result.
* **Add Groovy** — Run a Groovy script against the user.
* **Edit**
* **Condition**
{% endstep %}

{% step %}

### Save

Select **Save**.
{% endstep %}
{% endstepper %}

### Check the business rule

Create a test user through the UI or with a CSV file. Make sure the user matches the rule expression exactly. If the user receives the expected access, the rule works.
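The birthright matrix and the Or/And/Expression condition builder described above can be modelled offline to work out what a test user should receive, then compared with what the rule actually granted. This is an added example, not OpenIAM code or its API: the helper names (`expr`, `all_of`, `any_of`, `birthright`, `audit`), the exact case-sensitive matching, and the test users are assumptions constructed for illustration.

```python
# Added example: offline model of the birthright matrix, not OpenIAM code.
# Nodes mirror the condition builder: Or, And, Expression (with negation).

def expr(attr, value, negate=False):
    """Expression node: exact, case-sensitive match (assumed), optionally negated."""
    def test(user):
        held = user.get(attr, ())
        held = {held} if isinstance(held, str) else set(held)
        return (value in held) != negate
    return test

def all_of(*nodes):  # "Add And": true only if every child is true
    return lambda user: all(n(user) for n in nodes)

def any_of(*nodes):  # "Add Or": true if any child is true
    return lambda user: any(n(user) for n in nodes)

# The example row from the matrix on this page.
RULES = [{
    "name": "Account payable",
    "include": all_of(expr("Department", "Finance"),
                      expr("Title", "Account payable agent")),
    "exclude": expr("Role", "Invoice approval"),
    "access": {"AD Group=Account Payable", "AD Group=Finance",
               "Shared folder=/some path/finance team",
               "MyERP application Access=Payables agent role"},
}]

def birthright(user, rules=RULES):
    """Access granted when inclusion is true and exclusion is false."""
    granted = set()
    for rule in rules:
        if rule["include"](user) and not rule["exclude"](user):
            granted |= rule["access"]
    return granted

def audit(user, actual, rules=RULES):
    """Diff what a test user actually holds against the matrix."""
    expected = birthright(user, rules)
    return {"missing": expected - set(actual),
            "unexpected": set(actual) - expected}

if __name__ == "__main__":
    # Constructed test users: a match, an excluded approver, a near-miss title.
    agent = {"Department": "Finance", "Title": "Account payable agent"}
    approver = dict(agent, Role={"Invoice approval"})
    near_miss = dict(agent, Title="Accounts payable agent")
    for u in (agent, approver, near_miss):
        print(sorted(birthright(u)))
    print(audit(approver, {"AD Group=Finance"}))
```

A non-empty `unexpected` set for the excluded user is the case to look for first: it means the exclusion criteria did not stop the grant.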


