How to Manage the Joiners, Movers, and Leavers (JML) Process

Effective identity lifecycle management is crucial for maintaining organizational security and operational efficiency. A key component of this management is the Joiner-Mover-Leaver (JML) process, which oversees user access throughout their tenure.​

According to CrowdStrike’s 2025 Global Threat Report, 80% of cyberattacks use identity-based attack methods. This highlights the importance of implementing a strong JML process to ensure access rights are accurately assigned and updated, minimizing security risks and supporting compliance with regulatory standards. 

Incorporating a well-structured JML framework within your organization's identity lifecycle management strategy is essential for safeguarding sensitive information and maintaining a secure operational environment.

What are Joiners, Movers, and Leavers?

The joiner, mover, leaver process outlines the steps to manage a user’s access during their lifecycle. It includes setting up access for new team members, updating permissions for role changes, and removing access when someone departs. This approach supports identity governance and employee lifecycle management while simplifying control and reducing risks.

What is the Joiner, Mover, Leaver (JML) Process?

The JML process is a structured method used to manage user access throughout an employee’s time at an organization. This method clearly outlines the steps needed when a team member joins, experiences role adjustments, or exits the company, thereby supporting identity governance and employee lifecycle management. The process covers key steps in managing access rights:

• Provisioning secure credentials for new users
• Modifying access as roles change
• Revoking credentials when an employee departs

This approach helps IT and security leaders keep track of access privileges efficiently while reducing risks and simplifying control. It offers a straightforward solution to maintain security, improve productivity, and lower costs across all applications.

Joiners (Onboarding)

Onboarding starts with clear steps to grant secure credentials and assign role-specific access rights. It outlines how identity and access management tools set up each new user while ensuring control. 

This section covers the process, the criteria for access, and the role of IAM, providing practical insights for IT and security professionals in managing the initial phase effectively.

Steps in the Onboarding Process

The onboarding process initiates with provisioning secure credentials and assigning role-specific access to new users. This step involves verifying job functions, setting up system accounts, and ensuring each team member receives proper security settings:

This systematic approach streamlines new user integration and allows IT and security professionals to maintain order and reduce management risks throughout the employee lifecycle.

Assigning Appropriate Access Rights

Assigning proper access rights for new team members means setting precise permissions that solve common security challenges while minimizing potential risks: ensuring each new user receives credentials that match their job requirements. Here is the access rights assignment process:

Maintaining a structured process aids IT and security leaders by ensuring that access rights are managed clearly and efficiently. This approach not only lowers risk but also simplifies the control process in a unified system, keeping operations smooth and secure.

Role of IAM in Onboarding

IAM plays a key part in ensuring that every new team member starts with the correct access. It automates the setup of secure user credentials and assigns permissions that fit the job role, which helps IT and security professionals manage access with confidence.

Using dedicated IAM tools, organizations can automate the account setup process and verify that each access right aligns with company policies:

• Establish secure user credentials
• Assign permissions based on role requirements
• Validate the access setup against internal standards

Movers (Role Changes)

Managing moves is another critical part of the JML process. Internal transfers can be some of the most difficult to track, and often IT leaders don’t have the visibility necessary to manage this access correctly.

Some key factors to consider when managing movers include:

• Managing Internal Transfers and Promotions
• Adjusting Access Rights During Role Changes
• Ensuring Continuous Compliance

Managing Internal Transfers and Promotions

In managing internal transfers, IT teams update user access to reflect revised job functions and responsibilities. They adjust permissions methodically to ensure that updated roles match current duties, keeping the system secure while streamlining access management.

When an employee moves up, the process quickly shifts access rights to match their increased responsibilities. This method supports identity governance by verifying that each access modification aligns with company standards and reducing the risk of unauthorized use.

Adjusting Access Rights During Role Changes

When an employee's role changes, IT teams quickly adjust access rights to match new responsibilities and ensure security. This streamlined update process trims risk and simplifies identity governance by aligning system permissions with current job requirements.

Practical adjustments include revising system accounts and modifying secure credentials before the user starts new tasks. These steps reduce support burdens while keeping the overall employee lifecycle management process efficient and clear for IT and security leaders.

Ensuring Continuous Compliance

Ensuring continuous compliance means verifying that every role change aligns with internal control standards. IT and security leaders conduct regular reviews and use automated checks to validate that access rights match updated job functions.

The platform supports secure management across all applications, streamlining access adjustments during employee transitions. These ongoing audits reduce risks and simplify overall identity governance for IT and security teams.

Leavers (Offboarding)

As part of the Joiners, Movers, and Leavers (JML) process, properly managing leavers is critical to maintaining security, compliance, and operational efficiency. When employees, contractors, or third-party users leave an organization, failing to promptly revoke their access can lead to security vulnerabilities, compliance risks, and unauthorized data exposure.

Key components of managing the leavers portion of the JML process include:

• Timely Revocation of Access
• Data Retention and Compliance
• Preventing Unauthorized Access Post-Departure.

Timely Revocation of Access Rights

IT and security leaders promptly must remove all user credentials when an employee departs, ensuring that every account is deactivated without delay. This proactive step helps maintain strict control of access rights while reducing security risks and supporting efficient identity governance.

Organizations implement automated checks to confirm that offboarding procedures complete on time, keeping access streamlined and secure. These measures assist leaders in managing the employee lifecycle smoothly, preventing unauthorized access and enhancing overall operational safety.

Data Retention and Compliance Considerations

Data retention and compliance requirements drive the offboarding process in a well-defined manner. IT and security professionals follow clear procedures to archive user records and support identity governance while meeting regulatory guidelines:

Organizational policies set clear retention periods and define criteria for record maintenance to prevent identity sprawl while reducing risks. Regular audits help confirm that all removed credentials are properly archived, reinforcing a secure and accountable employee lifecycle process.

Preventing Unauthorized Access Post-Departure

After an employee departs, IT teams act swiftly to revoke all access credentials and secure the system from unauthorized use. They follow a clear set of steps to stop any lingering access:

• Confirm removal of user credentials
• Audit system accounts
• Implement automated access checks

Organizations regularly verify that offboarding procedures are correctly executed, preventing any residual vulnerabilities. They use automated methods that validate the revocation process and ensure that all access is promptly halted.

Challenges in the JML Process

Implementing a joiners, movers, and leavers process is essential for maintaining security, compliance, and operational efficiency, but it is not without challenges. Without proper planning, automation, and governance, organizations risk inconsistent access controls, security gaps, and administrative inefficiencies. A poorly executed JML process can lead to over-provisioned accounts, orphaned credentials, and compliance violations, increasing exposure to security threats.

To ensure a smooth and secure JML process, organizations must address the following challenges:

• Handling High Employee Turnover
• Maintaining Accurate Access Records
• Integrating JML with Existing Systems

Handling High Employee Turnover

High employee turnover poses a challenge to keeping access rights precise and up to date. IT and security teams must quickly adjust access permissions to suit evolving team compositions, ensuring a secure environment that meets identity governance standards.

Frequent employee changes require a clear process for updating access details, reducing the workload on security teams by automating key steps within the JML process. This approach streamlines operational flow and maintains strict control over access management in employee lifecycle management.

{{shadowbox}}

Maintaining Accurate Access Records

Maintaining accurate access records helps IT and security professionals reduce errors and simplify audits during the user lifecycle. Clear records support identity governance and employee lifecycle management while building trust in daily operations.

Accurate user records prevent gaps in access controls and ease the workload for teams. Many organizations adopt automated steps to verify data and track changes in the system:

Integrating JML with Existing Systems

Integrating the JML process with current systems requires careful synchronization between existing IT frameworks and the identity governance platform. IT and security professionals often work to align automated tools with current workflows, ensuring that data flows seamlessly between systems for effective employee lifecycle management.

Organizations benefit from a structured approach that simplifies the merging of legacy systems with new processes. IT and security teams see integration as a practical solution that supports clear access controls and reduces identity fatigue while maintaining robust operational security.

Best Practices for Effective JML Management

A well-executed JML process is critical to improving security, maintaining compliance, and optimizing user access management. Without clear strategies, organizations risk over-provisioned accounts, unauthorized access, and operational inefficiencies. By following proven best practices, IT and security teams can streamline identity governance, reduce security risks, and improve user lifecycle management.

Automating JML Processes

Automating JML processes streamlines the management of user access throughout an employee’s lifecycle. IT and security professionals set up systems that provision secure credentials, update permissions for role changes, and revoke access when needed, resulting in a clear and efficient operational flow.

Automation helps reduce manual errors and speeds up the access management process, allowing teams to focus on critical security tasks while lowering risks associated with human oversight. A structured automation strategy involves the following core tasks:

• Automatic account creation with secure credentials
• Role-based updates to user permissions
• Timely deactivation of access upon employee departure
• Ongoing verification through automated audits

Regular Audits and Access Reviews

Regular audits and access reviews serve as key tools for IT and security teams to maintain updated user access rights in an efficient manner. They help identify outdated permissions, reduce risk, and keep identity governance streamlined:

Consistent access reviews allow teams to swiftly address any inconsistencies, ensuring that every user has proper rights aligned with their current responsibilities. IT and security professionals use automated checks to reduce manual workload, improving overall operational security and efficiency.

Collaboration Between HR and IT Departments

HR and IT departments work together to create smooth transition points throughout the JML process. Their collaborative efforts ensure that every new user is set up promptly, role changes are updated without issues, and access is revoked efficiently when needed.

HR teams are responsible for tracking employee lifecycle events—such as new hires, promotions, transfers, and terminations—while IT ensures that user access is provisioned, updated, or revoked in a timely manner. By aligning workflows, automating processes, and maintaining continuous communication, HR and IT can work together to enforce strict identity governance policies while improving overall efficiency.

Key aspects of HR-IT collaboration in the JML process include:

• Seamless Onboarding of New Employees – Ensuring that new hires have access to the right tools and systems from day one.
• Efficient Role Changes for Movers – Keeping permissions up to date as employees transition into new roles or departments.
• Timely Access Revocation for Leavers – Promptly disabling accounts to prevent unauthorized access and reduce security risks.

A cohesive JML strategy built on HR-IT collaboration helps organizations reduce errors, improve compliance, and maintain a secure identity management framework, ensuring that employees have only the access they need—when they need it.

The Role of Technology in JML

Technology plays a critical role in managing the joiners, movers, and leavers process, ensuring that user access is accurately assigned, updated, and revoked throughout the employee lifecycle. Without the right tools, organizations risk manual errors, security gaps, and compliance failures that can expose sensitive data to unauthorized users.

IAM solutions and automated provisioning and deprovisioning can help organizations streamline JML workflows, improve efficiency, and enforce least-privilege access. These technologies reduce administrative burdens on IT teams, ensure timely access updates, and minimize the risk of orphaned accounts or over-provisioning.

IAM Solutions Supporting JML

IAM solutions support the management of the joiners, movers, and leavers process by automating account setup, modifications, and removal in a clear and practical manner. This approach helps IT professionals adjust user permissions quickly and maintain secure access controls throughout employee transitions.

These systems provide real-time monitoring of credential updates, offering IT and security leaders valuable insights into access control changes. The efficient technology minimizes manual tasks and reduces risks, ensuring a secure environment for managing identity governance effectively.

Automated Provisioning and Deprovisioning

The automated provisioning process uses advanced tools to manage secure account creation for new team members and update their access quickly. This technology helps IT and security leaders maintain order and reduce errors while meeting precise organizational guidelines.

The automated deprovisioning feature moves promptly to remove access when users exit, ensuring that no credentials remain active unnecessarily. This system supports a smooth transition in employee lifecycle events, keeping overall management clear and secure.

Compliance and Regulatory Considerations

Compliance is a critical aspect of identity lifecycle management, ensuring that organizations follow strict security and data protection regulations when managing user access. Without proper controls, businesses risk data breaches, regulatory fines, and reputational damage due to unauthorized access, poor access tracking, or failure to deprovision users properly.

Regulatory frameworks like GDPR, HIPAA, and SOX mandate strict access management practices, requiring organizations to document, monitor, and audit user permissions throughout the employee lifecycle. Proper compliance practices reduce security risks, prevent insider threats, and demonstrate accountability to auditors and stakeholders.

Meeting GDPR, HIPAA, and Other Regulations

IT and security professionals work with precise procedures to meet GDPR, HIPAA, and other regulations, ensuring every stage of the access management process aligns with legal requirements and internal standards. They use automated tools and clear documentation to maintain accurate records and consistent monitoring:

• Automated credential tracking
• Scheduled compliance audits
• Comprehensive access logs

These teams adjust access settings in real-time as policies update, reducing vulnerabilities and keeping user rights current. Their practical methods help streamline operations and support secure identity governance throughout every phase of the employee lifecycle.

Documentation and Reporting Requirements

Clear documentation and timely reporting form the backbone of managing user access throughout the employee lifecycle. IT and security professionals depend on well-organized records to track account setup, role adjustments, and access removal, ensuring the process meets regulatory standards and internal policies:

• Account creation log entries
• Role update documentation
• Offboarding audit trails

Detailed reports simplify compliance verification and support routine audits, allowing teams to quickly address discrepancies. This approach strengthens control over sensitive systems while keeping the overall management straightforward and reliable.

Improve Your JML Process with Lumos

Effectively managing the JML process ensures that user access is provisioned, updated, and revoked in a timely manner, reducing security risks and maintaining compliance. A structured JML framework improves identity governance, reduces human error, and streamlines operations. However, many organizations struggle with manual access adjustments, fragmented IAM systems, and compliance challenges, leading to security gaps and operational inefficiencies.

Lumos automates identity lifecycle management, transforming how IT and security teams handle the JML process. With automated provisioning and deprovisioning, least-privilege enforcement, and real-time access visibility, Lumos enables organizations to manage user identities seamlessly and securely.

Lumos delivers:

• Automated JML Workflows – Ensuring accurate access provisioning, role changes, and timely deprovisioning.
• Deep Access Visibility – Providing real-time monitoring and auditing to meet compliance requirements like GDPR, HIPAA, and SOX.
• Least-Privilege Enforcement – Granting users only the access they need, when they need it, reducing standing privileges and security risks.
• Seamless Integration with IAM & HR Systems – Automating JML updates based on role changes, terminations, and department shifts.

With identity-related risks on the rise, organizations need a modern, automated solution that simplifies identity lifecycle management without sacrificing security. Lumos eliminates manual processes, ensures compliance, and improves security posture—all while keeping operations efficient.

Ready to take control of your JML process? Book a demo with Lumos today and discover how automated identity governance can transform your access management strategy.

Frequently Asked Questions

What does the term JML stand for?

The term JML stands for "Joiner, Mover, Leaver." It defines processes for managing employee lifecycle events, including onboarding, role updates, and offboarding, which are key for maintaining secure and efficient identity management in IT systems.

How are joiners onboarded effectively?

Joiners are onboarded swiftly through a first autonomous identity platform that assigns app permissions automatically while eliminating access sprawl and identity fatigue, ensuring robust security, increased productivity, and controlled cost during employee lifecycle management.

How are movers managed during role changes?

During role adjustments, movers receive updates through an autonomous identity platform that removes outdated access and assigns appropriate privileges, ensuring robust app management with increased security, reduced cost, and minimized identity fatigue.

How is offboarding handled for leavers?

The system automatically handles offboarding procedures, revoking all application access as part of a unified identity governance process while reducing sprawl and identity fatigue, ensuring security and sustained productivity for leavers.

What Regulatory Factors Affect JML Management?

Regulatory factors such as data privacy laws, audit requirements, and industry-specific guidelines impact JML management. They shape policies for identity governance and employee lifecycle management, ensuring compliance while reducing operational risks.