6.4 Provisioning, Deprovisioning, JML, and Access Reviews

Key Takeaways

  • Joiner, mover, and leaver processes keep identity and access aligned to employment status, role, and business need.
  • Provisioning should be automated where possible, but every entitlement still needs ownership, approval logic, and review.
  • Deprovisioning is a high-priority control because stale access, orphaned accounts, and retained tokens create direct compromise paths.
  • Access reviews are governance evidence only when reviewers understand the access, challenge exceptions, and track remediation to completion.

Last updated: May 2026

Lifecycle Governance as a Control

The joiner, mover, and leaver lifecycle is one of the most important IAM control patterns. A joiner is a new worker or identity that needs initial access. A mover changes role, department, location, project, or risk status. A leaver exits the organization or no longer has a business relationship. Each event should trigger access changes that are timely, complete, and documented.

Provisioning should start from an authoritative source. For employees, that source is often HR. For contractors, it may be a vendor management or sponsor system. For workloads, it may be a deployment pipeline or cloud inventory. The identity source should create a unique identity, assign ownership, set start and end dates, and provide attributes needed for access policy. Manual account creation outside the lifecycle process creates blind spots.

Birthright access is baseline access granted automatically for a role or population. Examples include email, collaboration tools, time reporting, and required training systems. Birthright access should be limited and reviewed because broad baselines can quietly create excessive privilege. A new employee should not receive access to sensitive applications just because others in the department historically had it.

Additional access should follow a request and approval path. The request should identify the business purpose, data or system involved, role or entitlement needed, duration, and approver. Approval should come from someone who understands the business risk, such as a data owner, application owner, or process owner. Manager approval alone may be insufficient if the manager cannot evaluate the entitlement.

Mover events are often more dangerous than joiner events because old access remains while new access is added. A user moving from accounts payable to vendor management may retain payment approval while gaining vendor creation. That creates a separation-of-duties conflict. A good mover process removes access no longer needed, adds new access only after approval, and checks for toxic combinations before completion.

Leaver processing must be fast and coordinated. The organization should disable accounts, revoke sessions, collect badges, remove VPN and cloud access, recover devices, rotate shared secrets if exposed, and transfer ownership of data or workflows. High-risk terminations may require immediate action before the person is notified. Routine departures still require closure because attackers often find and use orphaned accounts.

Lifecycle event | Trigger | Required control action | Evidence to retain
--------------- | ------- | ----------------------- | ------------------
Joiner | New employment, contract, partner, workload | Create identity, assign baseline access, require MFA | HR record, sponsor, approvals, start date
Mover | Role, project, location, risk, department change | Remove old access, grant new access, check duty conflicts | Change ticket, owner approval, review result
Leaver | Termination, contract end, decommission | Disable identity, revoke tokens, recover assets | Timestamp, systems touched, exception notes
Recertification | Scheduled review or risk event | Confirm, modify, or remove entitlements | Reviewer decision, remediation tracking

Automated provisioning tools can reduce delay and inconsistency, but automation must encode policy accurately. If the role catalog is wrong, automation will grant wrong access faster. If application connectors cannot remove access, the process needs manual compensating tasks with tracking. If deprovisioning only disables the directory account but leaves local SaaS users active, the control is incomplete.

Access reviews are periodic checks that validate whether entitlements remain appropriate. Reviews may be manager based, application owner based, data owner based, role based, or privileged access focused. The strongest reviews provide context: who the user is, why access was granted, what the entitlement allows, when it was last used, and whether it conflicts with other access. Rubber-stamp approvals provide weak evidence.

Review frequency should match risk. Privileged access, sensitive data, regulated systems, and high-risk third parties may need more frequent review than low-risk collaboration tools. Reviews should also occur after incidents, reorganizations, mergers, migrations, and major application changes. Event-driven review is often more valuable than waiting for a quarterly schedule.

Metrics help leadership see whether lifecycle governance is working. Useful measures include time to provision, time to deprovision, percentage of access with an owner, stale account count, orphan account count, review completion, revocation success, privileged access age, and number of separation-of-duties conflicts. Metrics should lead to remediation, not just dashboards.

Access Review Decision Guide

  • Keep access only when there is a current business need and the entitlement matches the user's role.
  • Modify access when the need remains but the permission level is too broad.
  • Remove access when the user changed role, the entitlement is unused, the project ended, or ownership is unclear.
  • Escalate access when it creates a duty conflict, grants privileged rights, or lacks a business owner.
  • Track every removal to completion, including systems that require manual action.
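The mover check described earlier (accounts payable to vendor management) and the decision guide above, as an added worked example that is not part of the original page. The role catalog, toxic combination and entitlement records are constructed sample data; the 90-day staleness threshold is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample role catalog and separation-of-duties rules (not a real system).
ROLE_CATALOG = {
    "accounts_payable": {"ap.view_invoice", "ap.approve_payment"},
    "vendor_management": {"vendor.view", "vendor.create"},
}
TOXIC_COMBINATIONS = [frozenset({"ap.approve_payment", "vendor.create"})]


@dataclass
class Entitlement:
    name: str
    owner: Optional[str]            # business owner; None means ownership is unclear
    last_used: Optional[date]       # None means never used
    privileged: bool = False
    broader_than_role: bool = False  # permission level exceeds what the role needs


def sod_conflicts(names):
    """Return every toxic combination that is fully present in a set of entitlement names."""
    names = set(names)
    return [combo for combo in TOXIC_COMBINATIONS if combo <= names]


def process_mover(current, old_role, new_role):
    """Mover step: drop old-role access, stage new-role access, block completion on duty conflicts."""
    current = set(current)
    to_remove = (ROLE_CATALOG[old_role] - ROLE_CATALOG[new_role]) & current
    to_add = ROLE_CATALOG[new_role] - current
    proposed = (current - to_remove) | to_add
    conflicts = sod_conflicts(proposed)
    return {"remove": to_remove, "add": to_add, "conflicts": conflicts,
            "can_complete": not conflicts}


def review_decision(ent, user_role, today, stale_days=90):
    """Access review decision guide applied to one entitlement: escalate, remove, modify or keep."""
    if ent.owner is None or ent.privileged:
        return "escalate"          # no business owner, or privileged rights: needs a human decision
    if ent.name not in ROLE_CATALOG.get(user_role, set()):
        return "remove"            # entitlement does not match the current role
    if ent.last_used is None or (today - ent.last_used).days > stale_days:
        return "remove"            # unused beyond the staleness threshold
    if ent.broader_than_role:
        return "modify"            # need remains, permission level is too broad
    return "keep"
```

If the old-role access is left in place (the failure the page warns about), sod_conflicts on the combined set reports the payment-approval/vendor-creation pair, which is the signal the mover process must act on before completion.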

The CISSP perspective is that provisioning is not a service desk convenience function. It is a preventive, detective, and corrective control. The organization should know who requested access, who approved it, why it exists, when it expires, how it was used, and how quickly it can be removed. That evidence supports least privilege and gives management a defensible view of access risk.

Test Your Knowledge

A user changes jobs and receives new access, but the old role access remains. What is the primary IAM risk?

Which evidence best strengthens an access review?

Why is deprovisioning often treated as a high-priority IAM control?