Joiner · Mover · Leaver

Joiner-mover-leaver automation, end to end

One engine for every identity-lifecycle event: provision on join, grant-new-and-revoke-old on a role change, fully deprovision on exit — each run tracked, gated, and provable across Microsoft 365, Google, Okta, and JumpCloud.

What "JML" means and why it matters

JML — joiner, mover, leaver — is the lifecycle every employee runs through. Each event demands a different set of IT access changes, and getting any of them wrong creates either a productivity drag (access too slow) or a security hole (access too broad, or never removed). JML automation runs all three as tracked workflows instead of tribal knowledge.

Joiner

A new hire is provisioned from a role template: account created, least-privilege groups and apps granted, licenses assigned, device shipped, welcome tasks tracked. Same role in, same access out — reproducibly.

Mover — the event most tools get wrong

When someone changes role or department, the correct action is to grant the new access and revoke what the old role no longer needs. Most "lifecycle" tools only do the first half, so privilege accumulates across a career until an audit flags it. Passage's mover diff engine compares the old role's standing access set against the new one and computes grant / revoke / keep deltas, then materializes critical revoke steps so stale access is actually removed — not just left behind.
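An added example, not Passage's own code: one way to compute the grant / revoke / keep deltas described above and to gate a run on its critical revokes. The role templates, entitlement names, the critical set and the extra `review` bucket (access held outside both templates) are assumptions made for illustration and go beyond what the page describes.

```python
# Constructed role templates: sets of (provider, entitlement). All names are hypothetical.
ROLE_TEMPLATES = {
    "it-helpdesk": {
        ("okta", "group:all-staff"), ("m365", "license:E3"), ("google", "group:it"),
        ("okta", "role:helpdesk-admin"), ("jumpcloud", "group:workstation-sudo"),
    },
    "finance-analyst": {
        ("okta", "group:all-staff"), ("m365", "license:E3"),
        ("okta", "app:netsuite"), ("google", "group:finance"),
    },
}
# Assumption: privileged entitlements whose removal must be an explicit, tracked step.
CRITICAL = {("okta", "role:helpdesk-admin"), ("jumpcloud", "group:workstation-sudo")}
# Constructed standing access: the old template plus one grant made outside any template.
SAMPLE_STANDING = ROLE_TEMPLATES["it-helpdesk"] | {("google", "group:project-x")}

def mover_diff(old_role, new_role, standing):
    """Compare what the user holds now against the new role's template."""
    old, new, held = ROLE_TEMPLATES[old_role], ROLE_TEMPLATES[new_role], set(standing)
    grant = new - held              # needed by the new role, not yet held
    keep = new & held               # held and still needed
    revoke = (held & old) - new     # came from the old role, no longer needed
    review = held - old - new       # held outside both templates: needs a human decision
    # Materialize steps: critical revokes first, then other revokes, then grants.
    steps = [{"action": "revoke", "target": e, "critical": e in CRITICAL, "status": "pending"}
             for e in sorted(revoke, key=lambda e: (e not in CRITICAL, e))]
    steps += [{"action": "grant", "target": e, "critical": False, "status": "pending"}
              for e in sorted(grant)]
    return {"grant": grant, "revoke": revoke, "keep": keep, "review": review, "steps": steps}

def blocking_revokes(steps):
    """Critical revoke steps not yet done; the run must not close while any remain."""
    return [s["target"] for s in steps
            if s["action"] == "revoke" and s["critical"] and s["status"] != "done"]

if __name__ == "__main__":
    result = mover_diff("it-helpdesk", "finance-analyst", SAMPLE_STANDING)
    for step in result["steps"]:
        print(step["action"], step["target"], "CRITICAL" if step["critical"] else "")
    print("review:", sorted(result["review"]))
    print("blocking:", blocking_revokes(result["steps"]))
```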

Leaver — the SEO and security workhorse

On exit, the run disables accounts, revokes sessions, reclaims licenses, strips groups and apps, handles the mailbox, and enforces device return — then emits audit-ready evidence. This is the page where the value compounds; read the deep dive on offboarding software and the practical IT offboarding checklist.

Every run is provable

Joiner, mover, and leaver runs all write an action log with before/after state and emit a hash-anchored evidence record mapped to SOC 2, HIPAA, NIST 800-171 / CMMC, NIST CSF, and ISO 27001 controls. Access-lifecycle management stops being a thing you swear you did and becomes a thing you can show. See the compliance mapping.

JML questions, answered

What does JML stand for?

Joiner, mover, leaver — the three identity-lifecycle events for an employee. JML automation runs the IT access changes for each as a tracked, provable workflow.

Why is the "mover" event the one most tools get wrong?

A role change requires granting new access AND revoking the old. Most tools only add, so privilege accumulates — a top audit finding. Passage's mover diff engine computes grant/revoke/keep deltas and materializes critical revoke steps.

Automate the whole lifecycle, not just the easy half.

Local-first, no card, no implementation call.
