🔄 IGA Lifecycle Events

User Account and Permission Lifecycle Management

Joiner · Mover · Leaver

Overview

Identity Governance and Administration (IGA) lifecycle management encompasses the complete journey of user identities and their associated permissions from creation through modification to termination. This is commonly referred to as the "Joiner-Mover-Leaver" (JML) lifecycle.

IGA orchestrates automated provisioning, role-based access control, approval workflows, and comprehensive audit trails to ensure users have the right access at the right time while maintaining security, compliance, and operational efficiency.

1. JOINER - Onboarding/Provisioning

When a new employee joins the organization

Authoritative Source Integration

  • HR system triggers identity creation with new hire data
  • Employee attributes synchronized (department, job title, manager, location)
  • Unique identifier generation (employee ID, username)
  • Account creation in identity repository (Active Directory, cloud directory)

Birthright Access Provisioning

  • Automatic assignment of baseline access based on role/department
  • Standard applications for all employees (email, collaboration tools, intranet)
  • Department-specific default access
  • Location-based access (building access, local network resources)

Role-Based Access Assignment

  • Job title triggers automatic RBAC role assignment
  • Position-based roles (e.g., "Sales Representative" role)
  • Organizational unit roles (Finance team access)
  • Composite roles combining multiple entitlements

Approval Workflows

  • Manager approval for standard access package
  • Security review for elevated privileges
  • Application owner approval for specialized tools
  • Multi-level approvals for high-risk access

Example Joiner Flow:

  New Marketing Manager hired
  • HR System: Creates employee record
  • IGA: Detects new hire via HR integration
  • Auto-assigns: "Employee" + "Marketing Team" + "Manager" roles
  • Birthright access: Email, Office 365, Intranet, Badge access
  • Role-based access: Marketing platforms (HubSpot, Adobe Creative Suite)
  • Manager access: Team management tools, reporting dashboards
  • Approval workflow: Marketing Director approves specialized tools
  • Provisioning: All accounts created within 24 hours
  • Result: Employee ready to work on Day 1

2. MOVER - Changes/Transfers

When employees change roles, departments, or responsibilities

Role Change Detection

  • HR system updates trigger IGA workflows
  • Department transfer, promotion, demotion, lateral move
  • Manager change, location change
  • Job title modification

Access Impact Analysis

  • Compare current access to new role requirements
  • Identify access to be added
  • Identify access to be removed
  • Flag access requiring recertification

Segregation of Duties (SoD) Enforcement

  • Check for policy violations in new role
  • Prevent conflicting role combinations
  • Escalate SoD violations for risk acceptance
  • Implement compensating controls if needed

Grace Period Management

  • Temporary overlap period for knowledge transfer
  • Scheduled automatic revocation after grace period
  • Extended access with business justification
  • Manager accountability for extended access

Example Mover Flow:

  Finance Analyst promoted to Finance Manager
  • HR System: Updates job title and department
  • IGA: Detects role change
  • Access Analysis:
      • Keep: Finance applications, general tools
      • Remove: Individual contributor access, specific data sets
      • Add: Manager role, team oversight tools, approval authorities
  • SoD Check: Does the new approval authority conflict with existing access?
  • Workflow: VP Finance approves manager access
  • Provisioning: Revoke analyst-level, grant manager-level permissions
  • Grace Period: 30 days to complete handoff of analyst responsibilities
  • Result: Seamless transition with appropriate access

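The joiner role derivation and the mover access analysis above, worked through in code. This is an added example, not part of the original page or of any IGA product; the role names, entitlement names, HR attributes and SoD rule are all constructed. The point it adds: a grace period keeps old access alive alongside new access, so an entitlement from the old role that completes an SoD conflict with the new role (analyst "expense-submit" plus manager "expense-approve") has to be revoked on the effective date, not after the 30 days.

```python
from datetime import date, timedelta

# Constructed role model for the Finance example; every name here is hypothetical.
ROLE_ENTITLEMENTS = {
    "Employee": {"email", "intranet"},                          # birthright access
    "Finance Team": {"gl-read"},                                # organizational unit role
    "Finance Analyst": {"expense-submit", "analyst-datasets"},  # position-based roles
    "Finance Manager": {"expense-approve", "team-dashboards"},
    "Manager": {"team-management", "reporting-dashboards"},
}
# SoD policy: entitlement sets that one identity must never hold at the same time.
SOD_RULES = [frozenset({"expense-submit", "expense-approve"})]

# Constructed HR records for the example: before and after the promotion.
ANALYST = {"department": "Finance", "job_title": "Finance Analyst", "is_manager": False}
PROMOTED = {"department": "Finance", "job_title": "Finance Manager", "is_manager": True}


def roles_from_hr(rec):
    """Joiner logic: derive the role set from authoritative HR attributes."""
    roles = {"Employee", f"{rec['department']} Team", rec["job_title"]}
    if rec.get("is_manager"):
        roles.add("Manager")
    return roles


def entitlements_for(roles):
    """Flatten roles into the entitlements they grant (unknown roles grant nothing)."""
    return set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))


def sod_violations(ents):
    """Every SoD rule whose entitlements are all present in ents."""
    return [rule for rule in SOD_RULES if rule <= ents]


def plan_mover(old_rec, new_rec, effective, grace_days=30):
    """Mover logic: access delta with an SoD-aware grace period.
    Dropped entitlements stay for the handoff period, except those that would
    complete an SoD rule together with the new access; those go immediately."""
    cur = entitlements_for(roles_from_hr(old_rec))
    new = entitlements_for(roles_from_hr(new_rec))
    to_remove = cur - new
    conflicting = {e for rule in sod_violations(cur | new) for e in rule if e in to_remove}
    grace_end = date.fromisoformat(effective) + timedelta(days=grace_days)
    return {
        "add": new - cur,
        "keep": cur & new,
        "revoke_now": conflicting,
        "revoke_after_grace": to_remove - conflicting,
        "grace_ends": grace_end.isoformat(),
        # False here means the new role itself violates SoD and needs escalation.
        "sod_clean_during_grace": not sod_violations((cur | new) - conflicting),
    }
```

Running `plan_mover(ANALYST, PROMOTED, "2024-01-01")` puts "expense-submit" in `revoke_now` and only "analyst-datasets" in `revoke_after_grace`; the reverse move (a demotion) flips which side of the rule is revoked immediately.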
3. LEAVER - Offboarding/Deprovisioning

When employees leave the organization

Immediate Access Revocation

  • Disable primary account (AD/directory)
  • Revoke network and VPN access
  • Disable email (or convert to shared mailbox)
  • Revoke physical access badges
  • Disable MFA tokens

Privileged Access Priority Deprovisioning

  • Immediate removal of administrative rights
  • Vault password changes for shared privileged accounts
  • Disable privileged sessions
  • Revoke emergency/break-glass access
  • Rotate the passwords of any service accounts whose credentials the user knew

Comprehensive Account Deprovisioning

  • Systematic removal from all connected applications
  • Revoke licenses (cost recovery)
  • Remove from all groups and roles
  • Archive or delete accounts per policy
  • Transfer ownership of files/documents

Orphaned Account Prevention

  • Identify accounts not automatically deprovisioned
  • Manual review of unconnected systems
  • Application-specific account cleanup
  • Regular orphaned account audits

Example Leaver Flow:

  Sales Manager resigns (2-week notice)
  • HR System: Sets termination date
  • IGA: Creates deprovisioning workflow
  • Immediate Actions (on last working day):
      • Disable AD account at 5 PM
      • Revoke VPN and remote access
      • Disable MFA devices
      • Deactivate building access badge
  • Privileged Access: Remove admin rights, change shared passwords
  • Grace Period (7 days): Email forwarding, read-only file access
  • Complete Deprovisioning: Remove all access, revoke licenses, archive
  • Final Certification: IT confirms removal, Security reviews logs
  • Result: Complete, auditable offboarding
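The orphaned account audit from the leaver section, as an added example that is not part of the original page: it reconciles an application's account export against the HR authoritative source and separates true orphans (no HR identity at all) from leaver accounts that are still inside the 7-day grace period or already overdue. The HR records, account rows, application names and employee IDs are constructed sample data.

```python
from datetime import date, timedelta

# Constructed HR feed (authoritative source), keyed by employee ID.
HR_RECORDS = {
    "E1001": {"status": "active", "termination_date": None},
    "E1002": {"status": "terminated", "termination_date": "2024-03-01"},
    "E1003": {"status": "terminated", "termination_date": "2024-03-20"},
}

# Constructed account export from connected applications, one row per account.
APP_ACCOUNTS = [
    {"app": "crm", "account": "jdoe", "employee_id": "E1001", "enabled": True},
    {"app": "crm", "account": "asmith", "employee_id": "E1002", "enabled": True},
    {"app": "hubspot", "account": "asmith", "employee_id": "E1003", "enabled": True},
    {"app": "crm", "account": "svc-legacy", "employee_id": None, "enabled": True},
    {"app": "crm", "account": "old-user", "employee_id": "E9999", "enabled": False},
]


def audit_orphans(hr, accounts, as_of, grace_days=7):
    """Reconcile enabled application accounts against the HR source.

    Returns (app, account, finding) tuples. An account whose owner is not in HR
    is an orphan; an account owned by a leaver is either still inside the grace
    period or overdue for deprovisioning. Active employees produce no finding.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to revoke in this audit
        emp = hr.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            findings.append((acct["app"], acct["account"], "orphan: no HR identity"))
        elif emp["status"] == "terminated":
            grace_end = date.fromisoformat(emp["termination_date"]) + timedelta(days=grace_days)
            state = "overdue: leaver past grace period" if today > grace_end else "in grace period"
            findings.append((acct["app"], acct["account"], state))
    return findings


if __name__ == "__main__":
    for finding in audit_orphans(HR_RECORDS, APP_ACCOUNTS, as_of="2024-03-25"):
        print(finding)
```

In a real deployment the two inputs come from the HR connector and each application's account export; accounts that never carried an employee ID (service or shared accounts) are exactly the ones automated deprovisioning misses and the audit is there to surface.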

Supporting IGA Lifecycle Capabilities

Access Request Management

Handle exception-based access requests beyond automated lifecycle events, with risk-based approval routing, time-bound access that is revoked automatically when it expires, and a self-service portal for user-friendly access requests.

Access Certification

Periodic validation that access remains appropriate, through certification campaigns in which managers, application owners, and role owners certify the access they are responsible for; privileged access is reviewed quarterly.

Segregation of Duties (SoD)

Prevent combinations of access that would enable fraud, through policy definition, real-time enforcement, and continuous SoD violation detection, with risk dashboards for management.

Role Management Lifecycle

Roles themselves have lifecycles including role mining from existing access, role engineering based on business needs, regular role reviews and optimization, and role retirement processes.

PAM Integration

IGA lifecycle events extend to privileged access with additional approvals, PAM account vaulting, session recording, and immediate privileged access revocation for leavers.

Compliance Reporting

Comprehensive audit trails for all lifecycle events, automated compliance reporting for SOX, GDPR, HIPAA requirements, and demonstrable access controls for auditors.

How Identity Co-Analyst (ICA) Supports Lifecycle Management

Lifecycle Requirements Gathering

Joiner Process Requirements

  • What triggers user creation? (HR system, manual request)
  • What birthright access should be automatic?
  • How should roles be assigned?
  • What approval workflows are needed?
  • How fast should provisioning occur?
  • What systems require Day 1 access?

Mover Process Requirements

  • What HR changes trigger access modifications?
  • How should access changes be evaluated?
  • What approvals are needed for role changes?
  • How long should grace periods last?
  • When should recertification occur?
  • How are SoD conflicts handled?

Leaver Process Requirements

  • What triggers deprovisioning?
  • Which systems require immediate revocation?
  • What grace periods are allowed?
  • How are privileged accounts handled?
  • What data archival is required?
  • How are orphaned accounts prevented?

Conversational Requirements Capture

ICA's AI-powered interface makes it easy for stakeholders to describe current processes in plain language, identify pain points, define desired future state, capture approval hierarchies, document exception scenarios, and specify system integration needs.

Automated Documentation Generation

ICA produces professional requirements documents covering detailed lifecycle workflows, role assignment logic, approval matrix, provisioning timelines, deprovisioning procedures, compliance requirements, and integration specifications.

Benefits of Effective Lifecycle Management

Security Benefits

  • Reduced risk of unauthorized access
  • Timely removal for terminated employees
  • Prevention of privilege creep
  • Enforced segregation of duties
  • Comprehensive audit trails

Compliance Benefits

  • Regulatory requirement satisfaction
  • Demonstrable access controls
  • Complete lifecycle documentation
  • Periodic access recertification
  • Audit-ready reports

Operational Benefits

  • Faster onboarding (Day 1 productivity)
  • Reduced IT help desk tickets
  • Automated provisioning reduces errors
  • Consistent access across all users
  • Lower administrative overhead

Cost Benefits

  • License reclamation from departures
  • Reduced manual provisioning effort
  • Prevention of security incidents
  • Improved employee productivity
  • Lower audit and compliance costs

Key Success Factors

Strong HR Integration

Accurate, real-time employee data with reliable termination notifications and comprehensive attribute synchronization.

Well-Defined Roles

Business-aligned role definitions with clear role ownership and regular role maintenance procedures.

Automated Provisioning

Connector-based application integration, API-driven provisioning where possible, with documented fallback manual processes.

Clear Approval Processes

Defined approval authorities with risk-based approval routing and SLA-driven approvals for timely access.

Regular Certification

Scheduled access reviews with manager accountability and streamlined certification tools for efficiency.

Continuous Improvement

Monitor lifecycle metrics, identify process bottlenecks, optimize based on feedback, and adapt to organizational changes.