Managing the identity lifecycle of Joiners, Movers, and Leavers (JML) is the backbone of strong identity security

  

Protecting your assets, resources, and data starts with securing identities and managing authorization. This isn’t a one-and-done activity. Rather, it follows a lifecycle as identities, access requirements, and risk factors change. An identity’s lifecycle is typically broken down into three high-level access provisioning events: Joiner, Mover, and Leaver.

In this blog, you’ll learn the fundamentals of managing the Joiner, Mover, Leaver process so you can make sure people have the access that they need to assets, resources, and data, when they need it, and remove their access when it’s no longer required.

Defining Joiners, Movers, and Leavers

An identity’s lifecycle encompasses all the permissions or access that need to be provisioned, approved, tracked, and managed. Let’s take a look at each of the three stages of an identity’s lifecycle: Joiner, Mover, and Leaver.

What are Joiners?

Joiners are identities, human or machine, that join your organization and need access to resources. These could be new employees who have just been hired, customers who have registered on your website, or contractors or third parties who need access to your systems and resources.

For an employee, the Joiner event begins when their record is created in the organization’s HR system. This record includes key details such as name, start date, department, and job title, and serves as the trigger for downstream identity processes. IT is then notified so a digital identity can be created, typically by setting up an Active Directory (AD) account and issuing initial login credentials.

From there, user accounts are provisioned across the systems and applications the individual will need based on their role. This may include email, collaboration tools, and business applications specific to their department. The goal of the Joiner process is to ensure new employees have the right access on Day One so they can be productive from the start.

To learn more about the Joiner's onboarding process, check out our Onboarding Checklist.


What are Movers?

Movers are identities that are changing in some material way from how they were initially provisioned. For an employee, this could be a promotion, departmental transfer, or temporary project assignment. When this happens, employee access needs to evolve to reflect their new responsibilities, and it’s up to their manager to request adjustments. IT and business application owners then provision access to new systems and applications relevant to the role.

Without oversight, user permissions tend to increase unintentionally over time, a process commonly known as "privilege drift" or "access creep."

This refers to the situation where users and accounts accumulate access rights they no longer need for their job role or function, in violation of the Principle of Least Privilege. This can happen for various reasons, including:

Job changes and promotions: When employees change roles or are promoted, their previous permissions for an application or cloud platform might not be revoked, leading to accumulated privileges.

Project-based access: Perhaps an employee or third-party consultant is moving to a different project and needs access to new systems or resources. Permissions granted for specific projects or tasks may not be removed after the project concludes.


What are Leavers?

Leavers are identities that move on from your organization. A Leaver could be an employee who is retiring or taking a new job elsewhere, or a third-party vendor who has been replaced.

The Leaver stage marks the end of the identity lifecycle. At this point, it’s essential to fully disable the employee’s access—not just to core systems like AD, but also across all applications and services they used during their time with the company. This includes deactivating accounts, revoking permissions, and ensuring data access is fully cut off. This is especially important in situations such as unexpected downsizing or organizational changes to avoid situations in which unhappy former employees retain access and pose potential threats.

When accounts aren’t properly deactivated after someone leaves, they can be forgotten and left active, creating orphaned accounts. These active credentials without an owner pose a serious security risk.

To learn more about the Leaver's offboarding process, check out our IT Offboarding Checklist.


What’s the risk of mishandling permission for Joiners, Movers, and Leavers?

Without strong management of all types of identities through their lifecycle, risks from external and internal threats abound. User identities are often overprovisioned with broad standing access to resources they do not need for their job function. Overprovisioned access can allow bad actors, or the employees themselves, to access data or execute inappropriate transactions, potentially leading to fraud.

Provisioning Stage Risks
Joiners

Joiner risks stem from fragmented processes and manual handoffs.

Business decisions to hire Joiners generally go through the Human Resources (HR) department. The IT team relies on manual notifications from HR to create digital identities and provision access for new hires. When done manually, this can be time-consuming for a busy IT department, and if there are large numbers of users to manage, the overhead quickly builds up.

Typically, users need access to multiple applications to do their job, but IT doesn’t always have the context to determine what access is needed. Often, IT makes a ‘best guess’ or copies access from another user from the same department. This can be a dangerous approach, leading to users gaining more access than they need.

Employees without correct access on the first day of their new job are not only less productive than they could be, but their morale also suffers, which sets them up for a poor start.

Movers

Teams may shift individuals’ responsibilities or job roles frequently, particularly in a matrixed or Agile organization.

Movers may need access to resources only for a brief period, which can be cumbersome for business teams waiting on IT to provision or reprovision access.

At the same time, IT has no way of knowing when access requirements change unless the business or HR tells them, or unless the identity system is integrated closely enough with HR and the directory to detect the change itself.

Leavers

Leavers can happen suddenly. Layoffs often happen quickly, giving HR and IT departments little time to prepare for a smooth and safe offboarding process, including the critical need for accurate and complete deprovisioning of users and identities.

Third-party Leavers may end their projects, but the organization may believe they will use that contractor again for a future project, so instead of revoking access permissions, they leave them in place to save onboarding time in the future.

When Leavers aren’t managed carefully, risks of insider threats and cyberattacks increase along with compliance and privacy violations.

It's been reported that around a quarter of employees still have access to company data from past employers.

For all these reasons, provisioning, re-provisioning, and de-provisioning processes are critical to ensure all identities have access to only the resources they require in accordance with the Principle of Least Privilege.

How to streamline provisioning and deprovisioning for Joiners, Movers, and Leavers

You can’t have a strong security posture without a robust Identity Lifecycle Management (ILM) solution and associated controls to ensure identities have the right access to the right resources, at the right time. Automating ILM lowers the risk related to over-provisioning identities to help protect your company’s critical assets, data, and applications.

Using a variety of solutions to request access is time-consuming, prone to errors, and often leads to provisioned access being in place long after someone has moved into a new role or left the company. You can replace manual or multi-solution provisioning processes with an automated, end-to-end solution for managing Joiners, Movers, and Leavers through a single platform integrated directly with your HR system.

When choosing a solution, look for one that is easy to use, quick to implement, and shows rapid ROI.


JML best practices as part of identity security

Along with authentication and authorization, Identity Governance and Administration (IGA) is an essential component of identity security. By managing Joiners, Movers, and Leavers with an automated IGA solution throughout the identity lifecycle, you ensure users and identities are provisioned accurately and efficiently from the start of their relationship with your organization and as their roles, access requirements, and associated risks inevitably change.

Here are answers to commonly asked questions regarding the Joiner, Mover, Leaver process:

For Joiners:

Q: What are the best practices for day-one access provisioning?

A: To get new users up and running securely on day one, start with an automated Identity Lifecycle Management solution that integrates directly with your HR system. By applying centralized policies based on identity type, such as employee or contractor, you can automatically assign birthright access: the baseline permissions and resources they need based on their role within the organization. Access control models such as RBAC, ABAC, and PBAC then express that baseline as policy, so the principle of least privilege is enforced by default and identities receive only the access necessary to perform their job function.

Q: How can IT avoid delays in setting up proper access?

A: Getting the Joiner stage right sets the tone for a secure and efficient employee experience. When onboarding a new employee, integration with your HR system, birthright access, attribute-based access policies, and automated access provisioning ensure that employees have access to what they need from the start. So, automating this step not only saves time but also reduces manual errors and supports compliance goals.

For Movers:

Q: How can organizations effectively manage the Mover stage in Identity Lifecycle Management?

A: As employees move between roles or departments, their access to systems and applications needs to evolve with them. Updating permissions and removing access that is no longer needed is key to preventing overprovisioning. Automating these updates ensures that access adjustments happen consistently, keeps access aligned with business needs, and improves audit readiness.

Q: How do you detect when an employee has changed roles if HR doesn’t notify IT?

A: Sometimes the responsibility for notifying IT of job changes falls on HR, but often HR does not have the context for what access the employee needs, and this could be the responsibility of the employee’s manager. With multiple parties and handoffs, IT may not be proactively notified. The best approach is to monitor for indicators of role changes using connected systems. Integrating an identity lifecycle management solution with your HR and directory systems enables automated detection of updates to a user’s title and department.

For Leavers:

Q: How can IT ensure all credentials (including SaaS logins) are revoked immediately?

A: When somebody leaves the company, access needs to be shut down immediately. The best practice for managing Leavers is to automate the de-provisioning process. When offboarding is triggered from your HR system, automated workflows should cascade across all connected systems and revoke access instantly, including single sign-on (SSO), directory accounts, and direct SaaS logins. Disabling the directory or SSO account is necessary but not sufficient: sessions and tokens that were issued before the account was disabled remain valid until they expire or are revoked, so the workflow should also terminate active sessions, revoke refresh tokens and API keys, and reset or disable any SaaS accounts that are not federated through SSO. This reduces the risk of lingering access in orphaned accounts and supports both security and audit requirements.

Q: What are best practices for handling Leavers on short notice or termination?

A: For high-risk or immediate terminations, IT should be part of the offboarding workflow from the start, alerted by HR. Automated de-provisioning helps ensure access is revoked instantly and consistently across all systems. Predefined playbooks for different termination scenarios can help speed up response and reduce errors. The goal is to shut down access before the employee has an opportunity to misuse it, not hours or days later.

For Third Parties:

Q: How should temporary access for contractors be provisioned and expired?

A: Contractor access should be provisioned using time-bound, role-based policies with clear start and end dates. Using an automated Identity Lifecycle Management solution ensures that contractor access is automatically revoked when the contract ends, with no manual cleanup required. This approach limits risk while making oversight simpler for IT and security teams.

Q: How do you prevent orphaned or zombie accounts from ex-vendors?

A: Third-party vendor identities should be included in the same Identity Lifecycle Management process you use for internal users. That way, every third-party account tied to a contract or business sponsor is automatically disabled when the relationship ends. Automated lifecycle management, combined with regular access reviews, prevents unused or stale accounts from slipping through the cracks.
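The following is an added example in Python, not code from this article or from Delinea's platform, that puts the HR-driven logic described above into one reconciliation pass: it treats the HR feed as the source of truth and diffs it against a directory export, emitting Joiner actions for records with no account, Mover actions when title or department changed in HR (the automated detection described for the Mover stage), Leaver actions for terminated records and for contractors whose end date has passed (the time-bound third-party access described above), Orphan actions for accounts with no HR owner, and a drift flag for accounts holding access beyond their birthright. The record shapes, the BIRTHRIGHT table and the sample identities are all constructed assumptions.

```python
"""HR-driven Joiner/Mover/Leaver reconciliation (added example, not Delinea's code).
The HR feed is the source of truth and is diffed against a directory/IdP export.
Record shapes, the BIRTHRIGHT table and the sample data are hypothetical."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical birthright table: baseline access keyed on (identity type, department).
BIRTHRIGHT = {
    ("employee", "engineering"): frozenset({"sso", "email", "git"}),
    ("employee", "finance"): frozenset({"sso", "email", "erp"}),
    ("contractor", "engineering"): frozenset({"sso", "git"}),
}

@dataclass(frozen=True)
class HRRecord:
    uid: str
    identity_type: str               # "employee" or "contractor"
    department: str
    title: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # contract end date; None for permanent staff

@dataclass(frozen=True)
class Account:
    uid: str
    enabled: bool
    department: str                  # attributes as last provisioned
    title: str
    roles: frozenset

@dataclass(frozen=True)
class Action:
    kind: str                        # joiner | mover | leaver | orphan | drift
    uid: str
    add: frozenset = frozenset()
    remove: frozenset = frozenset()

def birthright(rec: HRRecord) -> frozenset:
    """Baseline access an identity is entitled to by type and department."""
    return BIRTHRIGHT.get((rec.identity_type, rec.department), frozenset())

def has_left(rec: HRRecord, today: date) -> bool:
    """Leaver: HR marks the record terminated, or a contractor's end date has passed."""
    if rec.status == "terminated":
        return True
    return rec.identity_type == "contractor" and rec.end_date is not None and rec.end_date < today

def reconcile(hr: list, accounts: list, today: date) -> list:
    """Return the JML actions that bring directory state in line with HR."""
    hr_by_uid = {r.uid: r for r in hr}
    acct_by_uid = {a.uid: a for a in accounts}
    actions = []
    for uid, rec in hr_by_uid.items():
        acct = acct_by_uid.get(uid)
        if has_left(rec, today):
            # Leaver: disable and strip every role, even from an account that was
            # already disabled but never had its entitlements removed.
            if acct is not None and (acct.enabled or acct.roles):
                actions.append(Action("leaver", uid, remove=acct.roles))
            continue
        desired = birthright(rec)
        if acct is None:
            actions.append(Action("joiner", uid, add=desired))  # day-one birthright access
        elif (acct.department, acct.title) != (rec.department, rec.title):
            # Mover detected from an HR attribute change, not a manual notification:
            # grant the new baseline and revoke whatever the new role does not carry.
            actions.append(Action("mover", uid, add=desired - acct.roles, remove=acct.roles - desired))
        elif acct.roles - desired:
            # Same role, but entitlements beyond birthright: privilege drift, flag for review.
            actions.append(Action("drift", uid, remove=acct.roles - desired))
    for uid, acct in acct_by_uid.items():
        if uid not in hr_by_uid and (acct.enabled or acct.roles):
            actions.append(Action("orphan", uid, remove=acct.roles))  # no owner in HR at all
    return actions

def demo() -> dict:
    """Run the reconciliation on constructed sample data; returns actions keyed by uid."""
    today = date(2024, 3, 1)
    hr = [
        HRRecord("alice", "employee", "engineering", "Engineer", "active"),
        HRRecord("bob", "employee", "engineering", "Engineer", "active"),        # moved from finance
        HRRecord("carol", "employee", "engineering", "Engineer", "terminated"),  # leaver
        HRRecord("dave", "employee", "finance", "Analyst", "active"),            # new hire, no account yet
        HRRecord("erin", "contractor", "engineering", "Consultant", "active", date(2024, 1, 31)),
        HRRecord("grace", "employee", "engineering", "Engineer", "active"),
    ]
    accounts = [
        Account("alice", True, "engineering", "Engineer", frozenset({"sso", "email", "git"})),
        Account("bob", True, "finance", "Analyst", frozenset({"sso", "email", "erp"})),
        Account("carol", True, "engineering", "Engineer", frozenset({"sso", "email", "git"})),
        Account("erin", True, "engineering", "Consultant", frozenset({"sso", "git"})),
        Account("frank", True, "engineering", "Engineer", frozenset({"sso", "email"})),  # not in HR
        Account("grace", True, "engineering", "Engineer", frozenset({"sso", "email", "git", "prod-admin"})),
    ]
    return {a.uid: a for a in reconcile(hr, accounts, today)}
```

In this design the mover branch deliberately revokes everything outside the new birthright, including project access granted under the old role, because a role change is exactly the point at which accumulated access should be re-justified; a drift action, by contrast, is surfaced for review rather than applied automatically, since access beyond birthright may be a legitimate, approved exception.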

For IT and security teams:

Q: What are the red flags that indicate a weak JML process?

A: The most critical red flag is if users have access to systems they no longer need or never should have had. Other signs include manual provisioning, inconsistent offboarding, orphaned accounts, delayed access changes, and lack of visibility into who has access to what. These gaps not only create security risks, but also make audits painful and expose the organization to compliance failures. If you’re relying heavily on spreadsheets or tickets to manage access for Joiners, Movers, and Leavers, it’s time to reevaluate.

Q: How does Identity Lifecycle Management demonstrate compliance to auditors?

A: Identity Lifecycle Management helps with regulatory compliance by providing evidence that the right individuals have the access they need, at the right time, and nothing more. This addresses the requirements of regulations like GDPR, SOX and HIPAA, which mandate strict control over access to sensitive information. An Identity Lifecycle Management solution automatically logs all identity-related activities, such as who requested, approved, granted, and revoked which access and when, providing the audit trails necessary for regulatory compliance.

Q: How can I justify an investment in an identity security platform for JML to leadership?

A: Start by framing JML as a business risk, not just an IT task. Identity gaps lead to breaches, audit failures, and lost productivity. Highlight how automation reduces manual workload, speeds up onboarding, and eliminates costly errors like overprovisioning or missed de-provisioning. Show how an automated identity lifecycle solution improves security posture, strengthens compliance, and supports a Zero Trust strategy.

Q: Who typically owns and manages an Identity Lifecycle Management solution within an organization?

A: When it comes to managing an Identity Lifecycle Management solution, ownership typically sits with the IT Security or Identity Management team. Compliance teams, HR, and business application owners are often stakeholders for role design and approvals. A successful deployment will depend on cross-functional collaboration.

Finally, remember to check out our IT Offboarding Checklist and Onboarding Checklist for downloadable best practices PDFs to help you reduce risk and make your identity management processes more efficient.

To learn more about Identity Lifecycle Management on the Delinea Platform, check out the interactive demo.
