Overview
Identity Lifecycle Management (ILM) is the automation of creating, updating, and removing user identities and their access as people join, move through, and leave an organization. The industry shorthand is Joiner–Mover–Leaver (JML).
The goal is simple: every identity should have the right access at the right time—no more, no less. In practice, this is hard because organizations are messy: HR records lag, job titles don't map cleanly to access needs, exceptions pile up, and nobody wants to be the reason a new hire can't work on day one or a terminated employee still has access.
A mature lifecycle program delivers fast onboarding (hours, not days), timely revocation (minutes, not weeks), and an auditable trail of why access was granted or removed. An immature one is a patchwork of tickets, manual provisioning, orphan accounts, and audit findings.
Architecture
Reference Pattern: HR-Driven JML
The standard architecture treats HR as the single authoritative source of identity events. HR changes flow into the IGA (identity governance and administration) platform, which evaluates policy and provisions the result to the identity store (typically Active Directory or a cloud directory) and, from there or directly, to target applications. Nothing downstream is allowed to originate a lifecycle event; downstream systems only reflect one.
Pattern Descriptions
- HR-Authoritative Pipeline: HR system (Workday, SuccessFactors) pushes changes to IGA.
- Joiner: New record triggers "birthright" access based on attributes (Dept, Location).
- Mover: Attribute changes trigger re-evaluation. New access is added; old access is flagged for removal/review.
- Leaver: Termination date triggers immediate disablement of accounts and revocation of active sessions and tokens. Disable first, delete later: the account is removed only after a retention period, so mailbox data, file ownership and the audit trail survive.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Authoritative Source | HR system, AD, Hybrid | Single HR system | AD is a provisioning target; making it the source creates circular dependencies and lets a manual AD edit become "authoritative". HR must be the master. |
| Unique Identifier | Email, Employee ID, UUID | Immutable Employee ID | Never use email as the primary key: it changes on marriage or name change and may be reused after a leaver departs. |
| Trigger Mechanism | Batch (Daily), Real-time | Real-time (Webhook/API) | Batch files lead to "day 1" delays. Real-time allows immediate termination; keep a daily full reconciliation alongside it to catch dropped events. |
| Mover Logic | Add-only, Full-replace | Delta + Certification | "Add-only" causes privilege creep. "Full-replace" disrupts work. Use delta updates and trigger a review for the rest. |
| Contractor Lifecycle | HR system, Separate DB, Manual | IGA-managed w/ Sponsorship | Contractors need explicit sponsors and hard expiry dates. |
Implementation
Phase 1: Foundation (Joiner/Leaver)
- Integrate HR feed (even if flat file initially).
- Define "birthright" access for all employees (Email, Intranet).
- Automate AD account creation and disablement.
- Goal: 100% automated account creation and termination for standard employees.
Phase 2: Refinement (Mover)
- Map job codes to roles for role-based provisioning.
- Implement logic for transfers (keep email, change department shares).
- Handle attribute synchronization (title, manager, phone).
- Goal: Reduce helpdesk tickets for internal transfers.
Phase 3: Expansion (Contractors & Apps)
- Onboard non-employees with sponsorship workflows.
- Connect high-value applications (Salesforce, SAP) for direct provisioning.
- Implement "rehire" logic: match returning employees on the immutable employee ID and reactivate the existing identity instead of creating a duplicate.
- Goal: Full coverage of the extended workforce and critical apps.
Risks
- HR Data Quality: Garbage in, garbage out. If HR enters the wrong department, the user gets the wrong access.
- "Day 0" Changes: New hires often change roles before they start. The system must handle updates before the start date.
- Orphaned Accounts: An account whose link to the authoritative record was never set or has broken cannot be reached by a leaver event, so it survives termination. Regular reconciliation against the HR feed is required.
- Leaver Failures: Termination scripts can fail silently. Always implement a "safety net" report that compares HR terminations against accounts that are still enabled.
- Sponsor Apathy: Contractor sponsors ignoring renewal requests, leading to accidental lockouts.
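The orphaned-account, leaver-failure and sponsor-apathy risks above are all caught by the same nightly comparison of enabled accounts against the authoritative sources. Below is an added example of that safety-net report, written for this page and not taken from any IGA product. The `reconcile` function, the `Finding` record, the field names on the HR, account and contractor rows, and all sample rows are hypothetical and constructed for the demo; the `exempt` set stands in for known service accounts, which have no HR record by design and need their own owner-based review.

```python
"""Hypothetical nightly reconciliation: the "safety net" for leaver failures,
orphaned accounts and expiring contractors.

Added example, not the page's or any IGA product's code. Assumptions: the HR
export, the account inventory (think an AD or IdP user export) and the
sponsored-contractor table are plain dict rows with the field names used below;
all sample rows are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" = live access with no valid authority; "medium" = about to break
    account: str
    reason: str


def reconcile(hr_rows, accounts, contractors, today, *, exempt=frozenset(), warn_days=14):
    """Compare enabled accounts against the authoritative sources and return findings.

    Only enabled accounts are examined: a disabled account is already where the
    leaver process should have left it. `exempt` lists known service accounts,
    which have no HR record by design and need an owner-based review instead.
    """
    hr = {r["employee_id"]: r for r in hr_rows}
    ctr = {c["contractor_id"]: c for c in contractors}
    findings = []
    for acct in accounts:
        if not acct["enabled"] or acct["name"] in exempt:
            continue
        key = acct.get("employee_id")
        if not key:
            findings.append(Finding("high", acct["name"], "enabled account with no employee_id linkage"))
        elif key in hr:
            term = hr[key].get("termination_date")
            if term is not None and term <= today:
                findings.append(Finding("high", acct["name"],
                                        f"terminated in HR on {term} but still enabled (leaver failure)"))
        elif key in ctr:
            c = ctr[key]
            if c["expiry"] < today:
                findings.append(Finding("high", acct["name"],
                                        f"contract expired {c['expiry']} but still enabled"))
            elif c["expiry"] - today <= timedelta(days=warn_days):
                findings.append(Finding("medium", acct["name"],
                                        f"contract expires {c['expiry']}; sponsor {c['sponsor']} must renew"))
        else:
            findings.append(Finding("high", acct["name"], f"no authoritative record for id {key} (orphan)"))
    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f.severity], f.account))


def demo(today: date = date(2024, 3, 1)) -> list:
    """Run the report over constructed sample data."""
    hr_rows = [
        {"employee_id": "E100", "termination_date": None},
        {"employee_id": "E101", "termination_date": date(2024, 2, 27)},   # left; should be disabled
        {"employee_id": "E102", "termination_date": date(2024, 3, 20)},   # future-dated leaver
    ]
    contractors = [
        {"contractor_id": "C500", "sponsor": "E100", "expiry": date(2024, 2, 15)},  # lapsed
        {"contractor_id": "C501", "sponsor": "E100", "expiry": date(2024, 3, 10)},  # renewal due
        {"contractor_id": "C502", "sponsor": "E100", "expiry": date(2024, 6, 1)},
    ]
    accounts = [
        {"name": "asmith", "employee_id": "E100", "enabled": True},
        {"name": "bjones", "employee_id": "E101", "enabled": True},      # termination script failed
        {"name": "cdoe", "employee_id": "E102", "enabled": True},
        {"name": "ghost", "employee_id": "E999", "enabled": True},       # nobody owns this
        {"name": "svc-backup", "employee_id": None, "enabled": True},    # known service account
        {"name": "tmp-admin", "employee_id": None, "enabled": True},     # unlinked, human-looking
        {"name": "ctr500", "employee_id": "C500", "enabled": True},
        {"name": "ctr501", "employee_id": "C501", "enabled": True},
        {"name": "ctr502", "employee_id": "C502", "enabled": True},
        {"name": "olduser", "employee_id": "E101", "enabled": False},    # already disabled; ignored
    ]
    return reconcile(hr_rows, accounts, contractors, today, exempt={"svc-backup"})


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:6} {f.account:12} {f.reason}")
```

The "medium" findings are the answer to sponsor apathy: the report surfaces a renewal two weeks before the hard expiry, so the sponsor is chased while the contractor still has access rather than after a lockout. The report is only as good as the linkage attribute, which is why an enabled account with no employee ID is itself a high finding instead of being skipped.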
KPIs
- Time-to-Provision: Average time from HR entry to active account availability (Target: < 4 hours).
- Time-to-Revoke: Average time from termination signal to access removal (Target: < 1 hour).
- Automation Rate: Percentage of lifecycle events handled without manual intervention (Target: > 90%).
- Data Quality Score: Percentage of user records with complete, valid attributes (Manager, Dept, ID).
