Identity Lifecycle Management

Overview

Identity Lifecycle Management (ILM) is the automation of creating, updating, and removing user identities and their access as people join, move through, and leave an organization. The industry shorthand is Joiner–Mover–Leaver (JML).

The goal is simple: every identity should have the right access at the right time—no more, no less. In practice, this is hard because organizations are messy: HR records lag, job titles don't map cleanly to access needs, exceptions pile up, and nobody wants to be the reason a new hire can't work on day one or a terminated employee still has access.

A mature lifecycle program delivers fast onboarding (hours, not days), timely revocation (minutes, not weeks), and an auditable trail of why access was granted or removed. An immature one is a patchwork of tickets, manual provisioning, orphan accounts, and audit findings.

HR-Authoritative Pipeline: HR system (Workday, SuccessFactors) pushes changes to IGA.
Joiner: New record triggers "birthright" access based on attributes (Dept, Location).
Mover: Attribute changes trigger re-evaluation. New access is added; old access is flagged for removal/review.
Leaver: Termination date triggers immediate disablement of accounts and session revocation.

Key Decisions

Decision	Options	Recommendation	Notes / Gotchas
Authoritative Source	HR system, AD, Hybrid	Single HR system	Using AD as source creates circular dependencies. HR must be the master.
Unique Identifier	Email, Employee ID, UUID	Immutable Employee ID	Never use email as the primary key; it changes on marriage/name change.
Trigger Mechanism	Batch (Daily), Real-time	Real-time (Webhook/API)	Batch files lead to "day 1" delays. Real-time allows immediate termination.
Mover Logic	Add-only, Full-replace	Delta + Certification	"Add-only" causes privilege creep. "Full-replace" disrupts work. Use delta updates and trigger a review for the rest.
Contractor Lifecycle	HR system, Separate DB, Manual	IGA-managed w/ Sponsorship	Contractors need explicit sponsors and hard expiry dates.

Implementation

Phase 1: Foundation (Joiner/Leaver)

Integrate HR feed (even if flat file initially).
Define "birthright" access for all employees (Email, Intranet).
Automate AD account creation and disablement.
Goal: 100% automated account creation and termination for standard employees.

Map job codes to roles for role-based provisioning.
Implement logic for transfers (keep email, change department shares).
Handle attribute synchronization (title, manager, phone).
Goal: Reduce helpdesk tickets for internal transfers.

Phase 3: Expansion (Contractors & Apps)

Onboard non-employees with sponsorship workflows.
Connect high-value applications (Salesforce, SAP) for direct provisioning.
Implement "rehire" logic to handle returning employees.
Goal: Full coverage of the extended workforce and critical apps.

Risks

HR Data Quality: Garbage in, garbage out. If HR enters the wrong department, the user gets the wrong access.
"Day 0" Changes: New hires often change roles before they start. The system must handle updates before the start date.
Orphaned Accounts: If the IGA link is broken, an account might survive termination. Regular reconciliation is required.
Leaver Failures: Termination scripts failing silently. Always implement a "safety net" report of terminated users with active accounts.
Sponsor Apathy: Contractor sponsors ignoring renewal requests, leading to accidental lockouts.

KPIs

Time-to-Provision: Average time from HR entry to active account availability (Target: < 4 hours).
Time-to-Revoke: Average time from termination signal to access removal (Target: < 1 hour).
Automation Rate: Percentage of lifecycle events handled without manual intervention (Target: > 90%).
Data Quality Score: Percentage of user records with complete, valid attributes (Manager, Dept, ID).

Identity Lifecycle Management

Overview

Architecture

Reference Pattern: HR-Driven JML

Pattern Descriptions