Joiner Mover and Leaver (JML) is a bedrock for any effective and well-functioning identity lifecycle program. Well thought out JML processes improve better ROI of an organizations time and money invested, reduces risk, and increases end user productivity. We'll take a closer look at these three stages and how automation can help streamline and simplify the user lifecycle.
User Lifecycle Management – a Primer
User lifecycle management (ULM) is what happens to a user from joining an organization, moving within the organization, and upon leaving.
Joiner: Applications, resources, and privilege a user gets when they join an organization
Mover: When a user moves within an organization due to job change, manager change, a re-org, etc.
Leaver: When a user resigns or terminated or goes for a long term leave of absence
These three distinct stages, also called JML (Joiner, Mover, Leaver) define what a user gets access to, what happens with events such as re-org, job change, or termination. The enablement of these stages is called user access provisioning and de-provisioning. The provisioning and de-provisioning can be manual, semi-manual, or some degree automated. More automation of these stages means less manual effort, lesser issues/delay, smooth end user experience, lesser costs, improved user productivity, better governance, and improved risk management.
Joiner Stage: Organizations increasingly have more and more applications and entitlements of that a user should get access to for their day-to-day job duties. These accesses are usually granted manually by the IT team, which can be a time-consuming process, especially for large organizations. This puts IT teams under pressure of how quickly a newly on boarded user by HR gets access to their required resources to be productive. At times, the number of access that a newly on-boarded user require could go up dozens plus, and if not automated can result in a lot of burden on IT teams to manually provision a user correctly and timely. Identity Governance solutions can help automating most JML functions. With a well-defined automated JML processes supported by effective HR policies (more in a bit) can help reduce costs, achieve compliance, provide actionable analysis of data, and greatly reduce risks.
How to Define Effective Joiner Process? The first thing is to think about is birthright access. Birthright access is the collection of entitlements that a certain user type would get based on who they are (e.g. employee vs contractor vs vendor), where they belong (e.g. department or business function), and what they get (e.g. entitlement 1 through N) in various applications. We recommend starting with group of entitlements as birthright access, measure its effectiveness and then turning the group of entitlements into role to practice role based access control (RBAC).
Mover Stage: During the Mover stage of the user lifecycle, when an HR event, such as user changes roles or departments within the organization or their manager changes, etc., the process of granting, reviewing, or revoking access privileges kicks in. During this stage, the user’s access needs to be updated to reflect their new role or department, and any access that is no longer required needs to be revoked without automation, and such actions require the new manager. Often, they don’t find time to ensure non-essential access is requested to be removed or an application team doesn’t remove the access within a required SLA. This result in a user continue to accumulate accesses they no longer have need for and more importantly , it increases the risk for the organization especially if the user has critical application accesses.
Leaver Stage: The Leaver stage is the third stage of the user lifecycle and involves the process of revoking access privileges when an employee leaves the organization. During this stage, access needs to be revoked promptly to ensure that the employee can no longer access any sensitive or confidential information. When a user is terminated or leave an organization, it is critical to remove their access to any and all applications in timely manner. Many organizations rely on simply disabling a terminated (both voluntary and non-voluntary) users ability to login and move on. This result in the terminated users access continue to stay/linger resulting in increased risks and costs due to non-utilized licenses that continue to cost the organization. In some cases, users’ accesses is removed in some applications but not others giving rise to orphan accounts.
How Do Organization Get JML Wrong? Why Does It Fail?
For being effective and getting the JML processes right, it requires planning, communication, proper resources, training, and most importantly, the technology and processes that are consistently followed. What is equally important is the Organization Change Management (OCM) for adaptation and enablement. Here are some factors that we have seen that contribute to lack of well-defined JML processes and its implications:
1. Lack of Planning: Top down consistent messaging and stakeholder agreement to enforce common JML processes across the departments and business units is key to ensuring no skirting away from common processes or “shadow-IT” approach. Failure to having a plan that is agreed, enforced, and followed upon results in leaders across organizations following their own ways, leading to mistakes and increased risks.
2. Communication Issues: Having a plan and then not communicating to collect feedback and making changes to the plan results in communication failure that causes a siloed understanding and no RACI (roles, responsibilities and expectations) models. This is one of the most critical mistakes that result in inflated costs, budget overruns, under achieving of business objectives, and lost enthusiasm for the effective adaptation of JML processes
3. Lack of Resources: JML processes definition, understanding, and its implementation via a technology solution (or even manually) requires a well-qualified and trained staff. Organizations failing to have the right team or not providing training to its technical staff and end-users results in the inability of adapting to the technology, incorrect understanding of processes, and incorrect implementation of those processes. This leads to higher risk, compliance failure, and management/end-user fatigue.
4. Lack of Technology Adoptation: User lifecycle managements and JML processes are the foundation to any organizations day to day functioning. Many organizations still rely on manual processes for managing JML or avoid fully realizing a solution that they have purchased. Manual approaches to a business critical set of processes are inefficient, time consuming, slow, and more likely to having gaps/error which increases costs, risk, and leads to compliance failure.
5. Minimal to no Organizational Change Management: JML processes are both “behind the scenes” and visible. Organizations are realizing the importance of OCM to both communicate and train its users and also to collect feedback to ensure JML processes and its implementation remain relevant. Failures to adapt and train results in inefficient processes that are no longer relevant.
Effectiveness of the Automated JML
The manual steps and inefficiency can be easily addressed by automating the JML process via one of the Identity Governance solutions from leading providers. Once JML processes are defined, the identity governance solution can take a trigger from HR for new hire event and can assign all birthright access to multiple applications without any manual steps or anyone approving the access. This greatly reduces the onboarding time for a user to be productive as they can have access to the required job relevant accesses on day-1 vs weeks. Likewise, automated joiner processes and technology solutions allow rapid rollouts for organization wide changes (e.g. new benefit portal or VPN access etc.).
Automated JML processes also result in effective analyses of who has access to what, dashboards of real time queue of pending requests, and other actionable insights. Automation result in the ability to delegate access easily in cases of leave of absence, collaboration with external partners and more.
Cost benefits of automated removal of access due to termination can save a lot of money to an organization. This is often an overlooked benefit of investing in an identity governance solution.
Automation helps with governance via automated access certifications that require managers, application owners, and entitlement owners to review, and decide on each user having right access to do their job and remove non-required access. This helps organizations to stay compliant, reduce risk related to orphan accounts & access and reduce risks.
How CredenceIA Can Help?
CredenceIA Consulting’s team comprised of highly experienced resources help clients in assessing and streamlining their existing JML processes so that the clients can avoid pitfalls discussed above. A dedicated team with experience across IGA offerings (from legacy solutions to current/next generation SaaS solutions) have breadth and experience that helps with well calibrated approach that show the results. Automating JML helps reduce risk, increases organizations maturity, helps organization maintain strong security and achieve better insights into user’s access all while reducing costs. With JML automation, organizations can improve the efficiency and security of their user lifecycle management processes, ensuring that their employees have the access that they need to be productive while maintaining the security and integrity of organizations systems and data.