
What Is the Joiner–Mover–Leaver (JML) Lifecycle?

Understanding the Joiner–Mover–Leaver Lifecycle

The Joiner–Mover–Leaver (JML) lifecycle defines how identities are created, updated, and removed as people join, change roles, or leave an organization.

It’s the backbone of Identity Governance and Administration (IGA) — ensuring that access always matches a user’s role and employment status.

The JML lifecycle ensures that people have the right access, at the right time, for the right reasons — and nothing more.

Why JML Matters

Manual lifecycle management leads to delays and risk:

  • New hires wait for accounts.
  • Movers accumulate excessive privileges.
  • Leavers retain orphaned accounts that create audit findings.

Automating the JML process ensures:

  • Immediate Day-1 access.
  • Automatic updates when roles change.
  • Instant revocation upon termination.
  • Full audit evidence for every change.

The Three Stages of the JML Lifecycle

| Stage | Description | Key Automation Goals |
| --- | --- | --- |
| Joiner | A new identity enters the organization (employee, contractor, or partner). | Automatically provision accounts and assign appropriate roles and access. |
| Mover | The person changes departments, roles, or projects. | Adjust access dynamically; remove old privileges and apply new ones. |
| Leaver | The person departs or no longer needs access. | Automatically disable or remove access across all systems. |

Each stage has distinct governance requirements — together they form a complete identity lifecycle.

Handling Edge Cases: Rehires, Contractors, and Seasonal Workers

Not every identity follows a clean JML path.

Organizations regularly manage rehired employees, long-term contractors, and seasonal staff, each with unique lifecycle challenges:

  • Rehires → When former employees return, OpenIAM detects rehire events and can reactivate or rebuild accounts safely — removing old entitlements and applying only current access.
  • Contractors → These users often originate from different sources (vendor systems, partner directories). OpenIAM integrates multiple authoritative feeds so contractor identities are governed just like employees.
  • Seasonal or Temporary Workers → Accounts can be automatically suspended and reactivated based on employment dates — no need to delete and recreate each cycle.

OpenIAM’s lifecycle engine handles every variation of workforce identity — joiners, movers, leavers, rehires, and seasonals — with the same level of automation and auditability.

1. Joiner: Automated Provisioning 

When a new hire or contractor joins, automated provisioning ensures access is ready from Day 1.

How It Works

  • Integrates with HR or source systems (Workday, SuccessFactors, ADP).
  • Evaluates attributes (department, location, title) to assign birthright access.
  • Provisions accounts through connectors or APIs across AD, email, and business apps.
  • Creates ITSM tickets (ServiceNow, Freshservice) for non-connected systems.

Benefits

  • Instant, policy-driven access for new hires.
  • Consistent role assignments across applications.
  • Reduced manual effort and fewer errors.
  • Complete audit trail for provisioning events.

2. Mover: Dynamic Access Adjustment 

As roles change, OpenIAM automatically:

  • Updates entitlements based on new attributes.
  • Removes outdated permissions.
  • Adds new access aligned to current responsibilities.
  • Performs SoD checks to avoid conflicting privileges.

Automation prevents privilege creep and keeps access aligned with each person’s current job function.
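
The mover adjustment described above, as an added Python example (not OpenIAM code or its API): the target entitlement set is rebuilt from the new attributes, the grant/revoke delta is derived from it, and the result is checked against an SoD policy. The rule table, entitlement names, SoD pair and the `keep` parameter are constructed for illustration.

```python
# Constructed birthright rules: (attribute conditions, entitlements granted).
BIRTHRIGHT_RULES = [
    ({}, {"ad:user", "mail:mailbox"}),  # everyone
    ({"department": "Marketing"}, {"crm:campaign_editor", "cms:publisher"}),
    ({"department": "Finance"}, {"erp:invoice_create"}),
]

# Constructed SoD policy: entitlement pairs one person must not hold together.
SOD_CONFLICTS = [frozenset({"erp:invoice_create", "erp:invoice_approve"})]


def birthright(attrs):
    """Entitlements implied by the identity's current HR attributes."""
    granted = set()
    for conditions, entitlements in BIRTHRIGHT_RULES:
        if all(attrs.get(k) == v for k, v in conditions.items()):
            granted |= entitlements
    return granted


def plan_move(current, new_attrs, keep=()):
    """Plan a mover event: returns (grant, revoke, sod_violations).

    The target set is rebuilt from the new attributes, so anything held
    before the move is revoked unless it is explicitly listed in `keep`.
    """
    current = set(current)
    target = birthright(new_attrs) | (set(keep) & current)
    violations = [sorted(pair) for pair in SOD_CONFLICTS if pair <= target]
    return sorted(target - current), sorted(current - target), violations


# Constructed mover: Marketing -> Finance, holding a previously requested approver right.
held = birthright({"department": "Marketing"}) | {"erp:invoice_approve"}
clean_plan = plan_move(held, {"department": "Finance"})
creep_plan = plan_move(held, {"department": "Finance"}, keep={"erp:invoice_approve"})

if __name__ == "__main__":
    for name, (grant, revoke, sod) in [("clean", clean_plan), ("keep", creep_plan)]:
        print(name, "grant:", grant, "revoke:", revoke, "SoD:", sod)
```

Carrying the old approver right across the move is what produces the SoD violation; rebuilding from current attributes revokes it along with the marketing entitlements.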

3. Leaver: Automated Deprovisioning 

When someone leaves, OpenIAM ensures immediate deactivation.

How It Works

  • HR termination event triggers deprovisioning workflows.
  • Connectors disable or delete accounts in connected systems.
  • ITSM tickets are generated for manual removals.
  • Nightly reconciliation verifies completion and records timestamps.

Benefits

  • No orphaned accounts or lingering privileges.
  • Reduced insider risk and audit findings.
  • Closed-loop tracking for every account removal.
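
The nightly reconciliation step described above, as an added Python example (not OpenIAM code): it compares an authoritative HR feed with the accounts found in target systems and reports every account whose state disagrees with the owner's employment dates, including orphaned accounts and a seasonal worker who is suspended rather than deleted. The records, field names and finding labels are constructed for illustration.

```python
from datetime import date

# Constructed sample data; field names are assumptions for this example.
HR_FEED = [
    {"id": "E100", "start": date(2023, 1, 9), "end": None},                # active employee
    {"id": "E200", "start": date(2022, 3, 1), "end": date(2025, 5, 30)},   # leaver
    {"id": "S300", "start": date(2025, 11, 1), "end": date(2026, 1, 15)},  # seasonal worker
]
ACCOUNTS = [
    {"system": "ad", "login": "asmith", "owner": "E100", "enabled": True},
    {"system": "mail", "login": "asmith", "owner": "E100", "enabled": False},
    {"system": "ad", "login": "bjones", "owner": "E200", "enabled": False},
    {"system": "crm", "login": "bjones", "owner": "E200", "enabled": True},
    {"system": "ad", "login": "cdiaz", "owner": "S300", "enabled": False},
    {"system": "erp", "login": "svc_old", "owner": "E999", "enabled": True},
]


def is_active(record, today):
    """An identity is active only between its start and end dates (inclusive)."""
    return record["start"] <= today and (record["end"] is None or today <= record["end"])


def reconcile(hr_feed, accounts, today):
    """Return (system, login, finding) for each account that disagrees with HR."""
    hr = {record["id"]: record for record in hr_feed}
    findings = []
    for acct in accounts:
        record = hr.get(acct["owner"])
        if record is None:
            finding = "orphaned"  # no authoritative owner at all
        elif acct["enabled"] and not is_active(record, today):
            finding = "enabled_for_inactive_owner"  # leaver or off-season account still live
        elif not acct["enabled"] and is_active(record, today):
            finding = "disabled_for_active_owner"  # joiner or rehire not yet provisioned
        else:
            continue
        findings.append((acct["system"], acct["login"], finding))
    return findings


if __name__ == "__main__":
    for row in reconcile(HR_FEED, ACCOUNTS, date(2025, 6, 2)):
        print(*row)
```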

Core Enablers of JML Automation in OpenIAM

| Capability | Description |
| --- | --- |
| Source Integration | Connects to HR, contractor, and partner systems to detect all identity events. |
| Business Rules Engine | Defines birthright access and termination logic without custom code. |
| Role & Attribute Policies | Drive consistent, context-aware access decisions. |
| Connectors & APIs | Automate account creation and removal across cloud and on-prem apps. |
| Reconciliation | Detects discrepancies and auto-remediates orphaned access. |
| ITSM Integration | Creates and closes tickets for hybrid fulfillment processes. |
| Audit & Reporting | Provides real-time visibility into every JML event. |


Example: End-to-End JML Automation

  1. Joiner → HR creates a new record; OpenIAM provisions AD and email accounts and opens a ServiceNow ticket for hardware setup.
  2. Mover → User transfers to Finance; OpenIAM revokes marketing rights, adds finance entitlements, and runs SoD checks.
  3. Leaver → HR termination event triggers account deactivation and ticket closure.
  4. Rehire → If the same user returns later, OpenIAM reactivates accounts safely and applies current roles only.
  5. Reconciliation → Nightly process verifies all changes and updates audit logs.

Result: continuous, closed-loop identity governance.

Benefits of Automating the JML Lifecycle

  • Speed & Efficiency — Instant onboarding and real-time updates.
  • Accuracy & Security — Eliminate privilege creep and stale accounts.
  • Compliance & Auditability — Evidence for every provisioning and termination event.
  • Hybrid Support — Works across connected and ticket-based systems.
  • Scalability — Manages employees, contractors, and seasonal workforces at scale.

Automated JML governance gives organizations control and confidence throughout the entire identity lifecycle.

OpenIAM’s Approach to JML Automation

  • Integrates with HR, contractor, and partner sources.
  • Uses business rules to drive policy-based provisioning and deprovisioning.
  • Automates through connectors and APIs or via ITSM tickets for manual steps.
  • Continuously reconciles identity data for accuracy and audit readiness.
  • Provides a single governance platform covering all identity types and lifecycle events.

With OpenIAM, every Joiner, Mover, Leaver, or Rehire event is captured, executed, and auditable — ensuring security and compliance without sacrificing speed.

Copyright © 2025 OpenIAM. All rights reserved.