A practitioner guide to design Joiner-Mover-Leaver (JML) process in IAM - IT Security Pundit

Friday, August 1, 2025

A practitioner guide to design Joiner-Mover-Leaver (JML) process in IAM

The Joiner-Mover-Leaver (JML) process is a key business control within Identity and Access Management (IAM) that ensures the right people have the right access at the right time.

  • Joiner – Fast, secure access for new employees and contractors.
  • Mover – Access updated immediately during role or department changes.
  • Leaver – All access revoked when individuals leave, reducing security risks.

Business Value

  • Accelerates productivity for new hires
  • Strengthens security by preventing unnecessary access
  • Supports compliance with regulations such as GDPR and SOX
  • Streamlines operations through automation

An effective JML process protects sensitive data, enhances employee experience, and reduces business risk.

1.1 Introduction to the JML Process in IAM

The Joiner-Mover-Leaver (JML) process is a critical business control within Identity and Access Management (IAM), designed to manage user access efficiently and securely throughout their journey with an organization. It ensures that employees, contractors, and partners have the right access when they need it—and lose access the moment they no longer require it.

In today's digital business environment, where data privacy, cybersecurity, and compliance are essential, the JML process plays a vital role in protecting sensitive information, reducing risk, and supporting operational productivity.

Why JML Matters for the Business

Faster Onboarding (Joiner)

New employees or contractors get access to essential systems (email, applications, collaboration tools) from day one, reducing time-to-productivity and improving the employee experience.

Agile Role Changes (Mover)

When people change roles or departments, their access is updated automatically, preventing unnecessary delays and ensuring alignment with business responsibilities.

Secure Offboarding (Leaver)

Immediate deactivation of accounts and access upon employee exit reduces security risks, protects intellectual property, and ensures regulatory compliance.

Business Benefits of an Effective JML Process

  • Improved Employee Productivity — Access is granted on time, aligned to roles.
  • Stronger Security Posture — Reduces risks from over-provisioned accounts or lingering access.
  • Regulatory Compliance — Supports controls required by frameworks like GDPR, SOX, ISO 27001.
  • Operational Efficiency — Automation reduces manual work for IT and HR teams.
  • Audit Readiness — Clear visibility into who has access, when, and why.

In short, JML is not just an IT function—it's a critical enabler of secure, efficient, and compliant business operations.

1.2 What is the JML Process?

In Identity and Access Management (IAM), the JML process refers to the Joiner-Mover-Leaver lifecycle. It is a framework for managing user identities and their access to systems and data throughout their time in an organization.

  • Joiner : A new user (employee, contractor, partner, etc.) joins the organization. Their identity is created, and appropriate access is provisioned based on their role.
  • Mover : A user changes roles, departments, or responsibilities. Their access must be reviewed and updated (granted/revoked) to align with their new duties.
  • Leaver : A user leaves the organization. All access must be promptly and completely revoked to prevent orphan accounts and insider threats.


Goals of the JML Process

  • Ensure timely and appropriate access provisioning.
  • Maintain least privilege by updating access during role changes.
  • Prevent access misuse by revoking permissions immediately when users exit.
  • Enhance auditability and compliance with regulations (e.g., GDPR, HIPAA, SOX).

How IAM Tools Support JML

  • Joiner : Auto-provision accounts, group memberships, and access based on HR feed or identity sources.
  • Mover : Detect role changes via integration with HR systems; trigger access reviews or dynamic role reassignment.
  • Leaver : Automatically disable accounts, revoke active sessions and tokens (disabling an account does not end sessions or refresh tokens that were already issued), notify application owners, and reconcile afterwards to confirm that de-provisioning completed in every target system.

Typical Tools Involved

  • HR systems (Workday, SAP SuccessFactors)
  • Identity Governance Platforms (SailPoint, Saviynt, Okta IGA)
  • Access Management (Microsoft Entra ID, formerly Azure AD; Okta; Ping)
  • Directory Services (Active Directory, LDAP)

Risks Without JML Controls

  • Excessive or lingering access
  • Orphaned accounts
  • Increased attack surface
  • Compliance violations

2 Designing and implementing the Joiner process

Designing and implementing the Joiner process in Identity and Access Management (IAM) involves automating and governing the provisioning of digital identities and access rights when a new user (employee, contractor, etc.) joins the organization.

Here's a step-by-step guide:

2.1 Define the Joiner Use Case

  • Who are joiners? Employees, contractors, vendors.
  • Entry points: HRMS, recruitment systems, or service management platforms (like Workday, SAP, ServiceNow).
  • Types of joiners: Full-time, interns, third-party users.

2.2 Process Design Overview



2.3 Key Process Steps

2.3.1 Trigger Event Detection

Source: HR system or user request triggers the joiner process.

Example: New hire entry in HRMS (e.g., Workday) with joining date and role.

2.3.2 Identity Creation

  • Generate a unique, immutable identity identifier (typically the HR employee ID) and derive a human-friendly login or email from it (e.g., john.doe@company.com). Treat the login as a changeable attribute, not the key: names collide (a second John Doe needs a distinct login), names change, and a rehire must reactivate the existing identity rather than create a duplicate.
  • Assign attributes: name, employee ID, department, manager, location, role, etc.
  • Store in Identity Repository (LDAP/AD/IAM DB)

2.3.3 Provisioning Accounts

Automatically create accounts in:

  • AD/LDAP
  • Email Systems (e.g., Exchange, O365)
  • Enterprise Applications (ERP, CRM, etc.)

Initial credentials must be generated and delivered securely: a one-time password sent through a channel other than the new mailbox, or no application password at all where the application sits behind SSO.

2.3.4 Access Assignment

Use Role-Based Access Control (RBAC) or Attribute-Based Access Control (ABAC)

Assign:

  • Default entitlements (e.g., email, VPN, intranet)
  • Department-specific apps and resources
  • Manager-suggested or approved access

2.3.5 Notifications & Approvals

  • Notify user, manager, IT support
  • Include onboarding instructions
  • Capture access approval via workflow if needed

2.3.6 Audit Logging

  • Log every action (identity creation, account creation, role assignment), recording who or what triggered it, what changed, when, and on whose approval
  • Keep the audit trail tamper-evident and retained for the periods that SOX, GDPR and similar regimes require

2.4 Testing and Exception Handling

Test scenarios:

  • Joiners with future start dates (account created but disabled until the start date)
  • Joiners without a manager assigned (no approver or certifier exists; route to an exception queue)
  • Joiners with multiple roles (entitlements must be the union of all roles, with SoD checked on the result)
  • Rehires and name collisions (reactivate the existing identity; never issue a duplicate login)
  • Error handling: missing data, failed provisioning, approvals not completed
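The steps in 2.3 and the test scenarios above, worked through as an added Python example. This is not code from the page's author or from any IAM product; the HR record shape, the role catalog, the entitlement names and the helper functions are all assumptions made for illustration, and nothing talks to a real directory, so it runs offline.

```python
"""Joiner provisioning logic: an added, self-contained Python example.

The HR record shape, the role catalog and every helper name here are
assumptions made for illustration; this is not the code of any IAM product
or of the page's author.  Nothing talks to a directory, so it runs offline.
"""
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import date

# Assumed role catalog.  Birthright entitlements go to every joiner; the
# rest are keyed by the role names the HR feed sends.
BIRTHRIGHT = {"email", "vpn", "intranet"}
ROLE_CATALOG = {
    "finance-analyst": {"erp-readonly", "expense-tool"},
    "sales-rep": {"crm-user"},
}


@dataclass
class JoinerPlan:
    employee_id: str                      # immutable HR key; the real identifier
    login: str                            # derived, human-friendly, may change
    entitlements: set = field(default_factory=set)
    status: str = "pending"               # provisioned | scheduled | exception
    audit: list = field(default_factory=list)


def _slug(s: str) -> str:
    """Fold accents and drop anything outside a-z/0-9: "O'Neil" -> "oneil"."""
    folded = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower())


def unique_login(first: str, last: str, taken: set) -> str:
    """first.last, then first.last2, first.last3 ... until one is unused.
    The login is display sugar; employee_id stays the primary key."""
    base = f"{_slug(first)}.{_slug(last)}"
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate


def plan_joiner(hr: dict, today: str, taken_logins: set) -> JoinerPlan:
    """Turn one HR joiner record into a provisioning plan.

    Covers the test scenarios from the text: a future start date (provision
    now, enable on the start date), a missing manager (park in the exception
    queue, because approvals and certifications need an owner), and several
    roles at once (union of entitlements so nothing is silently dropped).
    """
    plan = JoinerPlan(employee_id=hr["employee_id"],
                      login=unique_login(hr["first"], hr["last"], taken_logins))
    plan.audit.append(f"identity {plan.employee_id} created, login {plan.login}")

    if not hr.get("manager_id"):
        plan.status = "exception"
        plan.audit.append("no manager on HR record; routed to exception queue")
        return plan

    plan.entitlements |= BIRTHRIGHT
    for role in hr.get("roles", []):
        if role not in ROLE_CATALOG:
            plan.status = "exception"
            plan.audit.append(f"unknown role {role!r}; routed to exception queue")
            return plan
        plan.entitlements |= ROLE_CATALOG[role]
    plan.audit.append(f"entitlements assigned: {sorted(plan.entitlements)}")

    start = date.fromisoformat(hr["start_date"])
    if start > date.fromisoformat(today):
        plan.status = "scheduled"
        plan.audit.append(f"account created disabled; enable on {start.isoformat()}")
    else:
        plan.status = "provisioned"
        plan.audit.append("account enabled")
    return plan
```

The point of the separate `employee_id` and `login` fields is the collision case: the second John Doe gets `john.doe2` as a login, but both identities are keyed by their HR IDs, so a later name change or rehire never has to rewrite the key. An unknown role is treated as an exception rather than silently ignored, because a joiner who arrives with fewer entitlements than planned generates a ticket, while one who silently gets none of the catalogue checks generates nothing.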

2.5 Tools & Technologies

  • IAM Platforms: SailPoint, Saviynt, ForgeRock, Ping, Microsoft Entra ID
  • Workflow Engines: ServiceNow, custom BPMN
  • Integration: REST/SOAP APIs, SCIM, connectors for HRMS and applications

2.6 Lifecycle Integration

Make sure Joiner process integrates with:

  • Mover process (role change, location change)
  • Leaver process (access revocation, account disablement)

2.7 Metrics and KPIs

Track:

  • Time to onboard new user
  • Access request turnaround time
  • Joiner errors/exceptions
  • Compliance violations or orphan accounts

3 Designing and implementing the Mover process

The Mover process in IAM handles identity and access changes when a user’s role, department, location, or job responsibilities change. It ensures that the user's new access rights are granted, and obsolete ones are revoked, maintaining security, compliance, and user productivity.

3.1 What Triggers a Mover Event?

  • Department Transfer
  • Role or Title Change
  • Location Shift
  • Change in Manager or Cost Center
  • Temporary Assignment or Project Rotation

Triggers typically come from:

  • HRMS updates (e.g., Workday, SAP SuccessFactors)
  • Manual input via ServiceNow or ITSM tools
  • Manager self-service workflows

3.2 Key Steps in the Mover Process

3.2.1 Detect Change Event

  • Integration with authoritative source (HRMS, AD, IAM DB)
  • Compare current vs previous identity attributes
  • Use rules or change detection logic to identify a "mover" event

3.2.2 Evaluate New Access Needs

  • Evaluate the new attributes against the role model (RBAC), attribute policies (ABAC) or a policy engine; role mining is an offline design activity used to build that model, not a runtime step
  • Determine what access is no longer needed (revoke)
  • Determine new access needed (assign)

3.2.3 Recalculate Roles & Entitlements

  • Remove old department/project roles
  • Assign new role-based or dynamic entitlements
  • Apply segregation of duties (SoD) checks

3.2.4 Access Approval (if required)

  • Notify manager and application owners
  • Route access requests via workflow for approval (optional)

3.2.5 Provisioning & De-Provisioning

Use IAM tool connectors to:

  • De-provision legacy system access
  • Provision new system roles, folders, groups, etc.
  • Can use SCIM, API, or custom connectors

3.2.6 Notify Stakeholders

  • Inform the user of changes
  • Alert manager or IT if manual follow-up is needed

3.2.7 Audit Logging & Reporting

Maintain detailed audit trail of:

  • Changes detected
  • Access revoked and granted
  • Approval decisions

3.3 Security & Governance Considerations

  • Privilege creep is the main mover risk: if old access is not removed, a long-tenured user ends up holding the union of every role they ever had. Revoke anything the new role does not justify, including one-off grants that were never part of a role.
  • Apply least privilege principle.
  • Ensure SoD violations are flagged (e.g., finance + audit access), and check the transitional state as well as the end state: if new access is granted before old access is revoked, the user briefly holds both sides of a toxic combination. Revoke first in that case.
  • Schedule periodic access certifications post-move, with the new manager as certifier.
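The mover steps in 3.2 and the considerations above, as an added Python example that is not part of the original page and not taken from any IAM product. The mover-relevant attribute list, the role catalog, the department/title assignment policy and the single SoD rule are assumptions for illustration; the part worth copying is the shape of the logic: detect, recalculate against the target state, revoke what is no longer justified, and check SoD on both the end state and the transitional state.

```python
"""Mover change detection, access recalculation and SoD check: an added
Python example.  The attribute names, role catalog, role policy and SoD
rule are assumptions for illustration, not taken from any IAM product or
from the page.
"""
MOVER_ATTRIBUTES = ("department", "title", "location", "manager_id", "cost_center")

# Assumed role catalog (role -> entitlements) and assignment policy
# (department, title -> roles).  A real policy engine is richer; the logic
# below is the part that matters for a mover.
ROLE_CATALOG = {
    "employee": {"email", "vpn", "intranet"},
    "ap-clerk": {"erp-create-vendor", "erp-enter-invoice"},
    "ap-approver": {"erp-approve-payment"},
    "sales-rep": {"crm-user", "quote-tool"},
}
ROLE_POLICY = {
    ("finance", "ap clerk"): {"employee", "ap-clerk"},
    ("finance", "ap manager"): {"employee", "ap-approver"},
    ("sales", "account executive"): {"employee", "sales-rep"},
}
# Assumed SoD rule: creating vendors and approving payments must never
# sit with one person.
SOD_RULES = [({"erp-create-vendor", "erp-approve-payment"}, "create-vendor/approve-payment")]


def detect_mover(previous: dict, current: dict) -> dict:
    """{attribute: (old, new)} for every mover-relevant attribute that changed."""
    return {a: (previous.get(a), current.get(a))
            for a in MOVER_ATTRIBUTES if previous.get(a) != current.get(a)}


def roles_for(identity: dict) -> set:
    """Roles the policy grants for the identity's current department/title."""
    key = (identity.get("department", "").lower(), identity.get("title", "").lower())
    return set(ROLE_POLICY.get(key, {"employee"}))


def recalculate(current_entitlements: set, new_roles: set) -> tuple:
    """(grant, revoke, target).  Anything the new roles do not justify is
    revoked, including one-off grants that never belonged to a role; that is
    what stops privilege creep across several moves."""
    target = set().union(*(ROLE_CATALOG[r] for r in new_roles))
    return target - current_entitlements, current_entitlements - target, target


def sod_violations(entitlements: set) -> list:
    """Names of SoD rules whose toxic combination is fully present."""
    return [name for toxic, name in SOD_RULES if toxic <= entitlements]


def process_mover(previous: dict, current: dict, current_entitlements: set) -> dict:
    """Evaluate one identity after an HR update and return an action plan."""
    changes = detect_mover(previous, current)
    if not changes:
        return {"mover": False}
    new_roles = roles_for(current)
    grant, revoke, target = recalculate(current_entitlements, new_roles)
    # Check SoD on the end state AND on the transitional state: if grants
    # land before revokes, the user briefly holds both sides of a toxic pair.
    sod_after = sod_violations(target)
    sod_during = sod_violations(current_entitlements | grant)
    return {
        "mover": True,
        "changes": changes,
        "roles": new_roles,
        "grant": grant,
        "revoke": revoke,
        "sod_after": sod_after,
        "sod_during": sod_during,
        # Revoke first whenever the transitional state would violate SoD.
        "order": ["revoke", "grant"] if sod_during else ["grant", "revoke"],
    }
```

In the assumed scenario an AP clerk is promoted to AP manager. The end state is clean, but granting `erp-approve-payment` before revoking `erp-create-vendor` would create a window in which one person can both create a vendor and approve a payment to it, so the plan orders the revoke first. The stray `legacy-share` entitlement in the test, which belongs to no role, is revoked as well; that is the privilege-creep case from 3.3.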

3.4 Tools and Integration

  • IAM Platforms: SailPoint, Saviynt, Okta, ForgeRock, Microsoft Entra ID
  • Data Sources: HRMS (Workday, SAP), ITSM (ServiceNow), AD
  • Technologies: REST APIs, SCIM, Event-driven triggers, ETL jobs

3.5 Metrics to Track

  • Number of mover events processed
  • Average time to complete mover workflows
  • % of users with outdated or excessive access
  • Number of SoD violations detected/resolved


4 Designing and implementing the Leaver process

Designing and implementing a Leaver Process in Identity and Access Management (IAM) is critical to prevent unauthorized access, data leaks, or compliance violations when a user leaves the organization (resignation, termination, retirement, or contract end).

4.1 What Triggers a Leaver Event?

  • Employee resignation/termination recorded in HRMS (e.g., Workday, SAP)
  • End of contract for third-party users
  • Transfer to external entities
  • Death or long-term absence cases

4.2 Key Steps in the Leaver Process

4.2.1 Detect Termination Event

  • Integration with HRMS or ITSM systems
  • Scheduled feeds or real-time APIs detect:
      • Immediate termination (involuntary)
      • Future-dated termination (resignation notice period)

4.2.2 Initiate Identity Deactivation

  • Disable IAM identity profile
  • Disable directory accounts (AD, LDAP, Microsoft Entra ID)
  • Mark status as "Inactive" or "Terminated"

4.2.3 Access De-Provisioning

Revoke:

  • Application accounts (ERP, CRM, Cloud apps)
  • VPN, Email, Collaboration tools
  • Physical access (badges, biometrics)
  • Privileged accounts: disable them, rotate any shared, service-account or break-glass credentials the leaver could know, and revoke API keys and tokens issued to them

4.2.4 Recovery of Assets & Data

  • Notify IT for hardware return (laptops, phones, tokens)
  • Transfer email inboxes, shared drives, or project files to manager/team

4.2.5 Notify Stakeholders

Alert:

  • Manager
  • IT Operations
  • Facilities team
  • Security teams (for high-risk terminations)

4.2.6 Audit, Compliance, and Record Keeping

Log:

  • Deactivation timestamps
  • Access revocation confirmations from each target system
  • Evidence for the controls that apply: GDPR (including the right to be forgotten, balanced against records that must be retained), SOX, and ISO 27001

4.3 Special Scenarios to Address

  • Immediate Termination : Revoke all access instantly
  • Notice Period Active Users : Restrict privileged access and monitor activity for unusual downloads or data transfers
  • Third-party End Date : Scheduled de-provisioning with prior alerts
  • Retirees with Email Access : Limited retention policies

4.4 Tools & Technology Integration

  • IAM Platforms: SailPoint, Saviynt, ForgeRock, Okta, Microsoft Entra ID
  • HRMS: Workday, SAP, Oracle HCM
  • ITSM: ServiceNow, Remedy
  • Provisioning: SCIM, APIs, Connectors for apps and infrastructure

4.5 Metrics & Controls

  • Time to revoke all access
  • % of terminations with delayed de-provisioning
  • Orphan account reports
  • Periodic reconciliation to detect missed leavers

4.6 Governance Considerations

  • Reconciliation processes to detect lingering access
  • Dormant and inactive accounts included in access certifications and SoD analysis, not only active ones
  • Automation wherever possible to avoid human error
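The leaver sequence in 4.2, the immediate versus future-dated cases in 4.3, and the reconciliation control in 4.5 and 4.6, worked through as an added Python example. It is not code from the page or from any IAM product: the record shapes, the step names and the connector callbacks are assumptions for illustration, and the "connectors" are plain callables so the example runs offline.

```python
"""Leaver execution order and missed-leaver reconciliation: an added Python
example.  Record shapes, step names and the connector callbacks are
assumptions for illustration, not code from any IAM product or from the page.
"""
from datetime import date

# Order matters.  Block new logins first, then kill what is already logged
# in (an account disable does not end existing SSO sessions, OAuth refresh
# tokens or API keys), then the slower per-application and physical steps.
LEAVER_STEPS = (
    "disable_identity",          # IAM profile marked Terminated
    "disable_directory",         # AD / LDAP / Entra ID sign-in blocked
    "revoke_sessions_tokens",    # SSO sessions, refresh tokens, API keys
    "rotate_shared_secrets",     # shared/service credentials the leaver knew
    "deprovision_applications",  # ERP, CRM, cloud apps via connectors
    "revoke_physical_access",    # badges, biometrics
    "notify_stakeholders",       # manager, IT ops, facilities, security
)


def leaver_schedule(hr: dict, today: str) -> dict:
    """Decide when the sequence runs.  Involuntary or past-dated: now.
    Resignation with a notice period: full sequence on the termination
    date, with interim controls while the user is still working."""
    term = date.fromisoformat(hr["termination_date"])
    if hr.get("termination_type") == "involuntary" or term <= date.fromisoformat(today):
        return {"mode": "immediate", "run_on": today, "steps": list(LEAVER_STEPS)}
    return {"mode": "scheduled", "run_on": term.isoformat(), "steps": list(LEAVER_STEPS),
            "interim": ["restrict_privileged_access", "enhanced_monitoring"]}


def run_leaver(schedule: dict, connectors: dict) -> dict:
    """Run each step through its connector callback, in order.  A failing or
    missing connector does not stop later steps; it is recorded so the
    identity shows up as incomplete and a human follows up."""
    audit, complete = [], True
    for step in schedule["steps"]:
        fn = connectors.get(step)
        if fn is None:
            audit.append((step, "not_configured"))
            complete = False
            continue
        try:
            fn()
            audit.append((step, "ok"))
        except Exception as exc:  # a connector failure must be visible, not fatal
            audit.append((step, f"failed: {exc}"))
            complete = False
    return {"complete": complete, "audit": audit}


def reconcile(hr_records: list, directory_accounts: list, today: str, sla_days: int = 1) -> dict:
    """Compare the authoritative HR feed with what the directory actually
    shows.  Finds the two failure modes the text warns about: terminated
    users whose accounts are still enabled past the SLA, and enabled
    accounts with no HR owner at all (orphans)."""
    today_d = date.fromisoformat(today)
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    report = {"missed_leavers": [], "within_sla": [], "orphans": []}
    for acct in directory_accounts:
        if not acct["enabled"]:
            continue
        hr = hr_by_id.get(acct.get("employee_id"))
        if hr is None:
            report["orphans"].append(acct["account"])
        elif hr.get("status") == "terminated":
            overdue = (today_d - date.fromisoformat(hr["termination_date"])).days > sla_days
            report["missed_leavers" if overdue else "within_sla"].append(acct["account"])
    return report
```

Two design choices carry the security value. First, `run_leaver` never aborts on a failed connector: the directory disable and session revocation have already happened by the time the ERP connector times out, and the remaining steps still run, with the failure left in the audit list for follow-up. Second, `reconcile` does not trust the workflow's own record of success; it reads the directory and the HR feed independently, which is the only way to catch a termination that never produced an event at all.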

5 Conclusion

The Joiner-Mover-Leaver (JML) process is a core component of Identity and Access Management (IAM) that governs the entire lifecycle of user identities within an organization. It ensures that users have the right access at the right time based on their employment status, and that this access is removed when no longer needed.

Organizations face significant security, compliance, and operational risks if user access is not properly managed during employee onboarding, internal movement, or offboarding. The JML process addresses these risks by automating and standardizing identity provisioning, modification, and de-provisioning across all systems and applications.

In modern IAM implementations, the JML process is integrated with HR systems, directory services, and access management platforms, enabling seamless, policy-driven identity lifecycle management.
