Identity Lifecycle Management

Identity Lifecycle Management (ILM) governs how digital identities are created, maintained, and ultimately removed across an organisation’s technology ecosystem. It is the operational foundation of IGA — without effective lifecycle management, identity data becomes stale, access accumulates, and compliance gaps emerge.

The lifecycle is often summarised as Joiner / Mover / Leaver (JML), describing the three major identity events that trigger provisioning and deprovisioning actions.

The Joiner / Mover / Leaver Model

Joiner — Identity Creation

When a new employee, contractor, or partner joins the organisation, their digital identity must be created across multiple systems.

| Joiner Process | Automation Level | Description |
|---|---|---|
| HR system trigger | Fully automated | HR system (Workday, SAP SuccessFactors) creates employee record |
| Account provisioning | Automated | IGA platform detects HR event, creates accounts in AD, SaaS apps, directories |
| Role assignment | Rule-based | Base roles assigned based on department, location, job code |
| Access provisioning | Automated | SCIM provisioning pushes entitlements to target systems |
| Credential issuance | Semi-automated | Temporary password generated, MFA enrollment initiated |
| Welcome communication | Automated | New hire email with access instructions, training links, policies |

Joiner SLA targets:

  • Account creation: Within 1 hour of HR record creation (automated)
  • Base role assignment: Within 4 hours (rule-based)
  • Application-specific access: Within 24 hours (may require approval)
  • Full access ready: Before employee’s first day

Mover — Identity Changes

When an employee changes roles, departments, or locations, their access must be updated to reflect their new responsibilities.

| Mover Event | Actions Required | Risk If Not Done |
|---|---|---|
| Department transfer | Revoke old department access, grant new department access | Employee retains access to old department data (unnecessary access) |
| Promotion | Grant additional roles/permissions | Employee lacks tools to perform new role |
| Location change | Update based on new location (legal entity, data residency) | Compliance violation (data access from unauthorised location) |
| Contractor extension | Extend account expiry date | Account disabled prematurely |
| Status change (full-time → part-time) | Adjust role assignments to reflect reduced scope | Excessive access for reduced role |

Mover complexity: Department transfers are the most complex mover event because they require coordinated revocations AND new grants. The revocation gap (time between old access removed and new access granted) must be minimised.

Leaver — Identity Removal

When an employee leaves the organisation, all access must be promptly and completely removed.

| Leaver Type | Account Action | Access Action | Data Action |
|---|---|---|---|
| Voluntary resignation | Disable at end of notice period | Revoke access immediately or at departure date | Archive data, forward email, transfer files |
| Involuntary termination | Disable immediately | Revoke access immediately, rotate any known credentials | Preserve data for legal hold, initiate handover |
| Retirement | Disable, convert to alumni status | Revoke most access, retain limited alumni access | Archive personal data per retention policy |
| Contractor end | Disable on contract end date | Revoke all access | Remove data per contract terms |

Leaver SLA targets:

  • Involuntary termination: Account disabled within 5 minutes (automated)
  • Voluntary resignation: Account disabled at end-of-day on departure date
  • Access removal: Within 1 hour of account disablement (propagation across all systems)
  • Credential rotation: Immediately (especially for privileged accounts)

Danger

The leaver process is the most critical lifecycle event. An analysis of data breach reports shows that former employee accounts are involved in 30% of insider threat incidents, and accounts that should have been deactivated are often used months or years after departure. Automate leaver deprovisioning — never rely on manual processes.
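The joiner, mover and leaver rules above, as one added example (not code from this page or from any IGA product): a Python event handler that turns an HR event into the ordered provisioning actions a workflow engine would execute. The role model, the entitlement names and the PRIVILEGED set are constructed; a department transfer grants the new access before revoking the old so the revocation gap is zero, and an involuntary termination disables the account first and then rotates credentials for any privileged entitlements held.

```python
from dataclasses import dataclass, field

# Constructed sample role model (not from the page): department -> base entitlements.
ROLE_MODEL = {
    "finance": {"ad:grp-finance", "erp:ap-clerk"},
    "engineering": {"ad:grp-eng", "git:org-member"},
}
COMMON = {"ad:account", "mail:mailbox"}  # granted to every joiner regardless of department
PRIVILEGED = {"erp:ap-clerk"}            # constructed: credentials rotated on involuntary leave

@dataclass
class Identity:
    user_id: str
    department: str = ""
    status: str = "active"  # active | disabled
    entitlements: set = field(default_factory=set)

def desired_entitlements(department: str) -> set:
    """Rule-based base access: the role model is the only source of entitlements here."""
    return COMMON | ROLE_MODEL.get(department, set())

def handle_hr_event(identity: Identity, event: dict) -> list:
    """Translate one HR event into the ordered actions the workflow engine
    should execute, and move `identity` to its post-event state."""
    kind, actions = event["type"], []
    if kind == "joiner":
        identity.department, identity.status = event["department"], "active"
        identity.entitlements = desired_entitlements(event["department"])
        actions += [("grant", e) for e in sorted(identity.entitlements)]
        actions.append(("issue_temp_credential", identity.user_id))
    elif kind == "mover":
        # Department transfer: grant the new set before revoking the old one, so the
        # revocation gap is zero (the brief overlap is the accepted trade-off here).
        new = desired_entitlements(event["department"])
        actions += [("grant", e) for e in sorted(new - identity.entitlements)]
        actions += [("revoke", e) for e in sorted(identity.entitlements - new)]
        identity.department, identity.entitlements = event["department"], new
    elif kind == "leaver":
        # Disable the account first so it cannot be used while revocations propagate.
        actions.append(("disable_account", identity.user_id))
        actions += [("revoke", e) for e in sorted(identity.entitlements)]
        if event.get("involuntary"):
            actions += [("rotate_credential", e)
                        for e in sorted(identity.entitlements & PRIVILEGED)]
        identity.status, identity.entitlements = "disabled", set()
    else:
        raise ValueError(f"unknown HR event type: {kind}")
    return actions
```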

Lifecycle Automation Architecture

HR System (System of Record)
│ Employee record changes (hire, transfer, termination)
▼
IGA Platform
├── Policy Engine: Determine required actions based on role model
├── Workflow Engine: Execute provisioning/deprovisioning sequences
└── Reconciliation: Verify actions completed successfully
│ Provisioning / deprovisioning actions
▼
Target Systems
├── AD / Azure AD (identity store)
├── SaaS Apps (SCIM provisioning)
├── On-prem Apps (agent-based provisioning)
├── PAM System (privileged account lifecycle)
└── CMDB (update configuration records)

Key Integration Points

| Integration | Protocol | Purpose | Criticality |
|---|---|---|---|
| HR → IGA | API, SFTP, JDBC | Identity feed — employee records | Critical |
| IGA → AD | LDAP, PowerShell, SCIM | Account creation, group membership | Critical |
| IGA → SaaS | SCIM 2.0 | User provisioning in cloud apps | High |
| IGA → PAM | REST API | Automated privileged account lifecycle | Medium |
| IGA → CMDB | REST API, webhook | Update asset records with identity data | Low |

Entitlement Lifecycle

Entitlements — the specific permissions assigned to users — also have a lifecycle that must be governed:

| Lifecycle Stage | Description | Governance Control |
|---|---|---|
| Request | User requests entitlement through self-service portal | Business justification, manager approval |
| Approval | Entitlement request is approved or denied | Approval workflow, policy evaluation |
| Provisioning | Entitlement is granted in target system | Automated provisioning (SCIM, agents) |
| Active | User has and uses the entitlement | Periodic review, usage monitoring |
| Review | Entitlement is reviewed during access certification | Manager certifies or revokes |
| Revocation | Entitlement is removed | Automated deprovisioning, verification |
| Archive | Historical record retained for audit | Immutable audit log |

Lifecycle Challenges and Solutions

| Challenge | Impact | Solution |
|---|---|---|
| Incomplete HR data | Manual processing, delayed provisioning | HR data validation rules, data quality dashboards |
| Delayed HR feeds | Stale identities, access before systems are ready | Real-time API integration (not batch files) |
| SaaS application proliferation | Unmanaged shadow IT applications | Cloud discovery, SCIM where available, agent-based for others |
| Leaver detection failure | Orphan accounts persist | Regular reconciliation, manager-attested account lists |
| Complex mover rules | Inconsistent access changes | Rule-based provisioning with clear if-this-then-that logic |
| Rehire handling | Accumulated old permissions | Rehire policy — treat as new joiner with a fresh identity |

Lifecycle Metrics and KPIs

| Metric | Target | What It Measures |
|---|---|---|
| Joiner provisioning time | < 1 hour for base access | Speed of access grant for new employees |
| Termination deprovisioning time | < 5 minutes for involuntary | Speed of access removal for terminated employees |
| Orphan account rate | < 1% of total accounts | % of accounts with no associated active employee |
| Provisioning accuracy | > 99% | % of provisioning actions completed without error |
| Automation rate | > 90% | % of lifecycle events handled automatically versus manually |
| Reconciliation frequency | Daily | How often actual access is compared to intended access |
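The daily reconciliation that the metrics table and the "leaver detection failure" row describe, as an added example (not this page's or any product's code): compare the entitlements actually held in target systems with the access the HR feed and role model intend, list each discrepancy, and score the orphan account rate against the 1% target. The HR feed, role model and account data are constructed samples.

```python
from collections import namedtuple

# Constructed sample inputs (not from the page), as a daily reconciliation job would pull them.
HR_ACTIVE = {"u1": "finance", "u2": "engineering"}  # system of record: active ids -> department
INTENDED = {                                        # role model: department -> entitlements
    "finance": {"ad:grp-finance", "erp:ap-clerk"},
    "engineering": {"ad:grp-eng", "git:org-member"},
}
ACTUAL = {                                          # read back from the target systems
    "u1": {"ad:grp-finance", "erp:ap-clerk"},
    "u2": {"ad:grp-eng", "git:org-member", "ad:grp-finance"},  # stale access from a transfer
    "u9": {"ad:grp-finance"},                                  # employee left, never disabled
}
ORPHAN_RATE_TARGET = 0.01  # page target: orphan accounts < 1% of total accounts

Finding = namedtuple("Finding", "account kind entitlement")

def reconcile(hr_active: dict, intended: dict, actual: dict) -> list:
    """Compare actual access with intended access and list every discrepancy."""
    findings = []
    for account, held in sorted(actual.items()):
        if account not in hr_active:  # no active employee behind this account
            findings.append(Finding(account, "orphan", None))
            continue
        want = intended.get(hr_active[account], set())
        findings += [Finding(account, "excess", e) for e in sorted(held - want)]
        findings += [Finding(account, "missing", e) for e in sorted(want - held)]
    for account in sorted(set(hr_active) - set(actual)):  # joiner never provisioned
        findings.append(Finding(account, "unprovisioned", None))
    return findings

def kpis(findings: list, actual: dict) -> dict:
    """Summarise one run: finding counts by kind and the orphan rate against target."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    rate = counts.get("orphan", 0) / len(actual) if actual else 0.0
    return {"counts": counts, "orphan_account_rate": rate,
            "orphan_rate_ok": rate < ORPHAN_RATE_TARGET}

if __name__ == "__main__":
    found = reconcile(HR_ACTIVE, INTENDED, ACTUAL)
    for f in found:
        print(f)
    print(kpis(found, ACTUAL))
```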

Key Takeaways

  • Identity Lifecycle Management governs the joiner/mover/leaver (JML) process — how digital identities are created, updated, and removed across the enterprise
  • The joiner process should be fully automated from HR system trigger through account creation and role assignment, with base access ready before the employee’s first day
  • The mover process is the most complex lifecycle event, requiring coordinated revocations and grants — especially during department transfers
  • The leaver process is the most critical — automate immediate account disablement for involuntary terminations and ensure complete deprovisioning within 1 hour
  • Entitlement lifecycle governs permissions from request through provisioning, active use, review, and revocation — each stage requires specific governance controls
  • Lifecycle automation depends on well-integrated systems (HR → IGA → AD → SaaS → target systems) with real-time API integration preferred over batch files