Managing user access within an organization is not a one-time task. It is an ongoing process that must evolve throughout each employee’s journey from their first day at work and any subsequent changes in position or responsibilities to the day they leave the organization.
This is why the Joiner–Mover–Leaver framework, commonly known as JML, has become a fundamental component of enterprise identity and access management.
JML is an approach to managing user identities and access rights throughout the employee lifecycle, often referred to as Identity Lifecycle Management. It consists of three main stages:
- Joiner: A new employee joins the organization.
- Mover: An existing employee changes position, team, manager, or responsibilities.
- Leaver: An employee resigns, completes a contract, or otherwise leaves the organization.
At every stage, organizations must ensure that access rights remain appropriate for each user’s employment status and responsibilities.
Without a clearly defined JML process, organizations may face problems such as excessive access rights, dormant accounts, privileges retained from previous roles, and security vulnerabilities that could be exploited to access critical systems and sensitive information.
Table of Contents
Why is JML Important?
The core principle of JML is to ensure that the right person receives the right access at the right time and only the level of access necessary to perform their role.
This is a fundamental principle of effective enterprise access management.
From a cybersecurity perspective, JML is more than an IT operations process or an HR onboarding workflow. It is an important security control that helps reduce the risk of identity-based attacks.
User accounts, access permissions, and credentials are common entry points used by attackers to access organizational systems. When identity lifecycles are not properly managed, inactive accounts, accumulated privileges, and inappropriate access can all become security vulnerabilities.
Examples include:
- An employee who moves from the finance department to another team but retains access to financial data.
- A contractor whose agreement has ended but whose VPN account remains active.
- A user who received temporary administrator access but continues to hold those privileges after they are no longer required.
Each of these situations increases the organization’s attack surface and the risk of unauthorized access.
A well-designed JML process reduces the risks associated with excessive or outdated access. It also improves operational efficiency by introducing automation, reducing manual work, and supporting compliance with internal policies and external requirements.
In addition, JML helps reduce human error and makes access governance more structured, transparent, and auditable.
Benefits of an Effective JML Process
A strong JML process helps organizations:
- Reduce risks caused by excessive, outdated, or inappropriate access.
- Prevent dormant accounts, ownerless accounts, and orphaned access.
- Reduce the identity- and credential-related attack surface.
- Improve operational efficiency through automation.
- Support compliance requirements and retrospective audits.
- Minimize human error caused by manual processes.
- Strengthen identity and access governance.
The Three Key Stages of JML
1. Joiner
The Joiner stage begins when a new employee enters the organization.
The organization must prepare the employee to work effectively from their first day while maintaining appropriate security standards.
Typical activities include:
- Creating a digital identity or user account.
- Assigning initial access based on the employee’s role, also known as birthright access.
- Granting access to the systems, applications, and resources required for the employee’s work.
- Applying authentication policies such as multi-factor authentication or risk-based access conditions.
At this stage, the HR system commonly acts as the authoritative source or single source of truth for employee information. This may include:
- Start date
- Job title
- Department
- Employment status
- Manager
When the HR system is integrated with an Identity and Access Management system, this information can be used as a trigger to create accounts and assign initial access automatically.
However, initial access must be designed carefully. Employees should not receive excessive access from their first day.
Access should be aligned with the user’s actual role and may be divided into two categories:
- Birthright access: Basic access automatically provided to everyone in a particular role or employee group.
- Request-based access: Additional access that must be requested and approved.
This model allows employees to begin working efficiently without compromising the principle of least privilege.
2. Mover
The Mover stage occurs when an employee changes position, moves to another department, reports to a different manager, or assumes new responsibilities.
Access rights must be adjusted systematically to reflect the employee’s new role.
This stage is sometimes overlooked because the employee remains within the organization. However, it is one of the stages in which access rights are most likely to accumulate beyond what is necessary.
Organizations should:
- Add the access required for the employee’s new role.
- Remove access that is no longer necessary.
- Review existing access before approving additional permissions.
- Use clearly defined approval workflows for high-risk access.
- Apply the principle of least privilege.
A common problem during the Mover stage is privilege creep.
Privilege creep occurs when employees retain access from previous positions as they move through multiple roles. Over time, users may accumulate significantly more access than they require for their current responsibilities.
This can become a serious cybersecurity risk, particularly if an account is compromised or used for an unauthorized purpose.
Effective Mover management is therefore not limited to granting new access. It must also include reviewing and removing outdated permissions.
Particular attention should be given to access involving:
- Sensitive information
- Financial systems
- Customer systems
- Cloud environments
- Privileged or administrator accounts
3. Leaver
The Leaver stage begins when an employee resigns, reaches the end of a contract, or otherwise ends their relationship with the organization.
At this stage, the organization must remove access completely and promptly to prevent inactive accounts or residual permissions from becoming security risks.
Typical activities include:
- Disabling or terminating all relevant user accounts.
- Removing access to VPNs, email, cloud applications, SaaS platforms, and internal systems.
- Revoking privileged and administrator access as a high priority.
- Transferring files, records, and ownership of organizational information.
- Verifying that no residual permissions or orphaned access remain.
- Reviewing related shared, service, and local accounts that may be associated with the departing user.
The Leaver stage is one of the most critical parts of the JML process from a security perspective.
An account that remains active after an employee has left can become a channel for unauthorized access.
When offboarding depends on manual notifications or requires accounts to be disabled individually across multiple systems, the process can become slow, inconsistent, incomplete, and difficult to audit.
Integration between HR and IAM systems therefore plays an important role.
When an employee’s HR status changes to terminated or contract completed, the system can automatically trigger the deprovisioning process. This reduces the risk of inactive accounts and enables the organization to close potential security gaps more quickly.
JML in the Context of IAM, IGA, and Identity Security
Although JML is frequently discussed in relation to onboarding, internal transfers, and offboarding, it is not a standalone solution.
It is a core process within Identity and Access Management, or IAM, and is also closely connected to Identity Governance and Administration, or IGA.
JML may be viewed as a use case spanning IAM, IGA, and Identity Security, depending on the organization’s objectives.
- When the focus is on authentication, authorization, provisioning, and deprovisioning, JML is closely associated with IAM.
- When the focus is on approvals, access certification, role models, auditing, and segregation of duties, JML is more closely associated with IGA.
- When the focus is on reducing identity-based attacks, credential misuse, privileged access risks, and abnormal access behavior, JML becomes part of the broader Identity Security strategy.
In practice, JML is not limited to provisioning and deprovisioning accounts.
It acts as an important connection point between access administration, access governance, and cybersecurity risk management. This helps organizations align operational efficiency, compliance, and security governance.
JML and Cybersecurity
Within cybersecurity, JML is a fundamental component of Identity Security.
Many modern attacks do not necessarily begin with the direct exploitation of a technical vulnerability. They may begin with:
- Stolen user credentials
- Accounts that remain active after employees leave
- Excessive privileges accumulated through internal role changes
- Inappropriate administrator access
- Unmonitored access to cloud applications or critical data
An effective JML process directly reduces the organization’s attack surface by ensuring that users hold only the access appropriate for their current roles.
When a user’s employment status or responsibilities change, their access must be adjusted or revoked completely and promptly.
This applies to:
- Standard user accounts
- Administrator accounts
- VPN access
- Internal applications
- Cloud platforms
- Sensitive organizational data
When JML works together with IAM and IGA, organizations can control access across the entire identity lifecycle—from account creation and permission assignment to approvals, reviews, and access termination.
A complete audit trail can also be maintained throughout the process. This makes security governance more transparent, auditable, and aligned with compliance requirements.
Key Elements of an Effective JML Process
Successful JML implementation depends on more than technology. It also requires clear principles, processes, ownership, and governance.
Organizations should consider the following elements.
Least Privilege
Users should receive only the access necessary to perform their responsibilities. Access that is no longer required should be removed promptly.
Automation First
Automated workflows should be used wherever possible to reduce manual work, minimize errors, and accelerate provisioning and deprovisioning.
Single Source of Truth
A reliable authoritative source, such as the HR system, should be used to trigger the creation, modification, and termination of user access.
Role-Based Access Control
Access should be structured according to job roles, responsibilities, departments, employment types, or other relevant attributes.
This helps standardize access management across the organization.
Request-Based and Time-Bound Access
Additional or high-risk permissions should require a formal request and approval workflow.
Temporary permissions should have clearly defined expiration dates and should be revoked automatically when they expire.
Access Reviews and Recertification
Access rights should be reviewed periodically.
Managers or system owners should confirm whether each user’s access remains necessary and appropriate for their current role.
Privileged Access Control
Administrator and privileged accounts require stronger controls than standard accounts.
Privileged access should be revoked immediately when a user changes roles or leaves the organization.
Segregation of Duties
Organizations should prevent individual users from holding combinations of access that create conflicts of interest or fraud risks.
For example, the same employee should not be able to create a vendor and approve payment to that vendor without independent oversight.
Auditability
Every access change should be traceable.
The organization should be able to determine:
- Who requested the access
- Who approved it
- When the access was granted
- When the access was changed
- When the access was revoked
Consistency
A consistent organization-wide standard should be used for identity and access management.
Individual departments should not apply conflicting or incompatible access practices.
Common JML Challenges
Although organizations increasingly recognize the importance of JML, many continue to face practical challenges.
Common issues include:
- Excessive dependence on manual processes.
- Limited integration among HR, IT, Security, and business applications.
- No clearly defined role model or access structure.
- No distinction between birthright, request-based, and temporary access.
- Insufficient visibility into users’ actual access rights.
- Irregular or incomplete access reviews.
- Inability to identify all privileged access and orphaned accounts.
- Incomplete audit trails for compliance reviews or forensic investigations.
These issues can make JML processes inconsistent and allow identity-related risks to accumulate over time.
Organizations seeking to improve JML must therefore consider process, governance, and technology together.
JML Metrics Organizations Should Monitor
To ensure that JML operates as an effective business and security process rather than simply existing as a written policy, organizations should define measurable performance indicators.
Useful metrics include:
- The time required to provision access for a new employee.
- The time required to deprovision a departing employee.
- The number of orphaned or ownerless accounts.
- The number of permissions revoked following access reviews.
- The number of access exceptions.
- The percentage of access provisioned through automated workflows.
- The number of active privileged permissions with no current business justification.
These metrics provide visibility into the actual condition of the organization’s identity lifecycle and support continuous process improvement.
Key Takeaways
JML is an essential process for managing employee identities throughout their entire lifecycle.
It directly influences organizational security, operational efficiency, and the quality of access governance.
Organizations that invest in a well-designed JML framework can improve collaboration among HR, IT, Security, and business teams while building a scalable foundation for future growth.
Ultimately, JML is an important security control that helps organizations manage identities and access rights securely, systematically, and transparently throughout the employee lifecycle.
How BMSP Can Strengthen Your JML Process
Organizations seeking to improve the security, consistency, and efficiency of their JML processes can benefit from Identity Security solutions provided by BMSP.
These solutions can support identity and access management across the entire user lifecycle from creating and modifying access to revoking permissions when they are no longer required.
They can also reduce reliance on manual processes while improving traceability and audit readiness.
BMSP can help organizations select, design, and implement suitable solutions, including IAM platforms and other Identity Security technologies, to support a comprehensive JML process.
Key capabilities may include:
- User account management
- Privileged access control
- Automated provisioning and deprovisioning
- Continuous access monitoring
- Periodic access reviews
- Access governance and audit reporting
These capabilities help ensure that each user has access appropriate to their role, responsibilities, and current employment status.
BMSP also offers flexible pay-as-you-go service models. This allows organizations to scale services according to their actual number of users, systems, and operational requirements.
As a result, organizations can plan and manage costs more effectively without investing in an oversized system at the beginning of the project.
This approach can also reduce the complexity of access management, improve coordination among HR, IT, and Security teams, and increase visibility into user accounts, access permissions, and the use of critical systems and information.
From a cybersecurity perspective, using BMSP Identity Security solutions to support JML can help reduce risks associated with:
- Dormant accounts
- Excessive permissions
- Inappropriate access
- Orphaned access
- Privileged account misuse
- Identity-based attacks
These are increasingly important risks that modern organizations must manage as part of their overall cybersecurity strategy.
Strengthen your organization’s identity lifecycle and access security with BMSP.


