title: Lifecycle Management Overview
category: Lifecycle Management
tags: lifecycle, jml, joiner, mover, leaver, automation
priority: Normal
Lifecycle Management Overview
Lifecycle Management in IdentityCenter automates the entire employee identity journey -- from the moment a new hire is onboarded to the day they leave the organization. By codifying Joiner, Mover, and Leaver (JML) processes into reusable templates, you reduce manual provisioning errors, lower security risk, and maintain continuous compliance.
What is JML Lifecycle Management?
JML is a framework that divides the identity lifecycle into three distinct phases:
| Phase | Description | Example |
|---|---|---|
| Joiner | A new identity enters the organization | New hire, contractor, vendor |
| Mover | An existing identity changes role, department, or location | Promotion, transfer, team restructure |
| Leaver | An identity exits the organization | Resignation, termination, contract end |
Each phase requires specific provisioning and deprovisioning actions. Without automation, IT teams must manually create accounts, adjust permissions, and revoke access -- a process prone to delays and oversights that can leave orphaned accounts and excessive privileges in your environment.
Why Lifecycle Management Matters
Compliance Requirements
Regulatory frameworks such as SOX, HIPAA, GDPR, and ISO 27001 require organizations to demonstrate timely access provisioning and deprovisioning. Lifecycle automation provides:
- Auditable records of every provisioning action taken
- Consistent enforcement of access policies across all identities
- Timely deprovisioning that closes the window of lingering access after departure
- Documented workflows that satisfy auditor requests for process evidence
Operational Efficiency
Manual JML processes in a 1,000-user organization can consume hundreds of IT hours per year. IdentityCenter reduces this to minutes by executing predefined action sequences automatically.
Security Posture
The most common source of privilege creep is the Mover phase -- employees accumulate permissions as they transfer between departments without losing prior access. IdentityCenter's Mover templates explicitly address this by removing old entitlements alongside granting new ones.
The LifecycleCenter Page
Navigate to Administration > Lifecycle Management (/admin/lifecycle) to access the LifecycleCenter dashboard. From this page you can:
- Create and manage Joiner, Mover, and Leaver templates
- View pending and completed lifecycle events
- Monitor automation execution status
- Access lifecycle analytics and reports
Template Types
IdentityCenter organizes lifecycle automation into three template categories:
Joiner Templates
Define the actions taken when a new identity is provisioned. Typical actions include creating an Active Directory account, assigning default group memberships based on department or role, and sending a welcome email.
Mover Templates
Define the actions taken when an existing identity changes role or department. These templates detect attribute changes and adjust group memberships, OU placement, manager assignments, and permissions accordingly.
Leaver Templates
Define the actions taken when an identity is deprovisioned. These templates handle account disabling, group removal, mailbox forwarding, data backup, and account archival.
Trigger Types
Each lifecycle template is activated by one of three trigger mechanisms:
| Trigger | Description | Use Case |
|---|---|---|
| Manual | Administrator initiates the template from the UI | Ad-hoc onboarding, immediate termination |
| HR Feed | Automatically triggered when HR Import detects a qualifying change | New hire record, termination date reached |
| Schedule | Runs on a recurring schedule to evaluate criteria | Nightly check for pending departures |
HR Feed triggers are the best option for organizations with integrated HR systems. When a new employee record appears in the HR import, IdentityCenter automatically matches it to a Joiner template and begins provisioning without manual intervention. Because the HR record drives provisioning directly, the HR source must be authoritative and its attribute mapping validated: a wrong department or a duplicate record is acted on just as automatically as a correct one.
Available Actions
Lifecycle templates are composed of ordered action steps. Each action performs a specific provisioning or deprovisioning operation:
| Action | Description | Phases |
|---|---|---|
| CreateAccount | Provisions a new Active Directory account | Joiner |
| AssignGroups | Adds the identity to specified security or distribution groups | Joiner, Mover |
| RemoveGroups | Removes the identity from specified groups | Mover, Leaver |
| DisableAccount | Disables the AD account while preserving the object | Leaver |
| SendEmail | Sends a notification email using a configured template | Joiner, Mover, Leaver |
| UpdateAttribute | Modifies one or more directory attributes on the identity | Mover |
| MoveOU | Moves the identity object to a different Organizational Unit | Mover, Leaver |
| RevokeAccess | Removes all application and resource access entitlements | Leaver |
| BackupData | Archives mailbox data, home directory, or profile information | Leaver |
| ForwardEmail | Configures email forwarding to a manager or delegate | Leaver |
Actions execute in the order they are defined in the template. If an action fails, the template's error handling policy determines whether subsequent actions continue or halt. Order security-critical steps first: in a Leaver template, place DisableAccount ahead of ForwardEmail or BackupData, so that a halt after a later failure still leaves the account disabled rather than active with only partial deprovisioning applied.
Lifecycle Flow
```
HR System / Manual Trigger / Schedule
              │
              v
   ┌─────────────────────┐
   │   Lifecycle Engine  │
   │ ┌────────────────┐  │
   │ │ Template Match │  │
   │ └────────────────┘  │
   │ ┌────────────────┐  │
   │ │  Action Queue  │  │
   │ └────────────────┘  │
   │ ┌────────────────┐  │
   │ │ Execution Log  │  │
   │ └────────────────┘  │
   └─────────────────────┘
              │
              v
   ┌─────────────────────┐
   │  Target Directory   │
   │  (AD / Entra ID)    │
   └─────────────────────┘
```
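The following toy engine walks through the flow in the diagram (Template Match, Action Queue, Execution Log) for the Mover privilege-creep case and the ordered-actions-with-error-policy behaviour described above. It is an added example, not IdentityCenter code: the in-memory directory, the HR feed records, the DEPT_GROUPS baseline and the template definitions are all constructed for this illustration, and the action names follow the table on this page but their bodies are stand-ins for real AD/Entra ID operations.

```python
"""Toy JML lifecycle engine: Template Match -> Action Queue -> Execution Log.
Added example, not IdentityCenter code; all data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Identity:
    user_id: str
    department: str
    groups: set = field(default_factory=set)
    enabled: bool = True
    forward_to: str = ""


class ActionFailed(Exception):
    """Raised by an action step so the engine can apply the error policy."""


# Constructed baseline: groups each department is entitled to.
DEPT_GROUPS = {
    "Finance": {"fin-users", "erp-readers"},
    "Engineering": {"eng-users", "git-users"},
}


# Action stand-ins; each mutates the in-memory directory or raises ActionFailed.
def create_account(directory, event):
    if event["user_id"] in directory:
        raise ActionFailed("account already exists")
    directory[event["user_id"]] = Identity(event["user_id"], event["department"])


def assign_groups(directory, event):
    ident = directory[event["user_id"]]
    ident.department = event["department"]
    ident.groups |= DEPT_GROUPS.get(event["department"], set())


def remove_groups(directory, event):
    # Mover step: strip the previous department's entitlements so access does
    # not accumulate across transfers (the privilege-creep case above).
    old = DEPT_GROUPS.get(event.get("previous_department"), set())
    directory[event["user_id"]].groups -= old


def disable_account(directory, event):
    ident = directory.get(event["user_id"])
    if ident is None:
        raise ActionFailed("no account to disable")
    ident.enabled = False


def forward_email(directory, event):
    if not event.get("manager"):
        raise ActionFailed("no manager on record for forwarding")
    directory[event["user_id"]].forward_to = event["manager"]


def revoke_access(directory, event):
    directory[event["user_id"]].groups.clear()


ACTIONS = {
    "CreateAccount": create_account, "AssignGroups": assign_groups,
    "RemoveGroups": remove_groups, "DisableAccount": disable_account,
    "ForwardEmail": forward_email, "RevokeAccess": revoke_access,
}

# Constructed templates. DisableAccount is first in the Leaver template so a
# failure later in the sequence never leaves an enabled account behind.
TEMPLATES = [
    {"name": "Standard Joiner", "phase": "joiner", "on_error": "halt",
     "actions": ["CreateAccount", "AssignGroups"]},
    {"name": "Department Mover", "phase": "mover", "on_error": "halt",
     "actions": ["RemoveGroups", "AssignGroups"]},
    {"name": "Standard Leaver", "phase": "leaver", "on_error": "continue",
     "actions": ["DisableAccount", "ForwardEmail", "RevokeAccess"]},
]
HR_CHANGE_TO_PHASE = {"hire": "joiner", "transfer": "mover", "termination": "leaver"}


def match_template(event):
    """Template Match: HR Feed change type -> first template for that phase."""
    phase = HR_CHANGE_TO_PHASE.get(event["change"])
    for template in TEMPLATES:
        if template["phase"] == phase:
            return template
    raise LookupError(f"no template for change {event['change']!r}")


def run_template(template, event, directory):
    """Action Queue + Execution Log: run steps in order, honour on_error."""
    log, halted = [], False
    for name in template["actions"]:
        if halted:
            log.append((name, "skipped", None))
            continue
        try:
            ACTIONS[name](directory, event)
            log.append((name, "ok", None))
        except ActionFailed as exc:
            log.append((name, "failed", str(exc)))
            halted = template["on_error"] == "halt"
    return log


def process_feed(events, directory):
    """Drive the engine from an HR import; returns the execution log per event."""
    return {e["event_id"]: run_template(match_template(e), e, directory) for e in events}


# Constructed HR feed: hire, transfer, a duplicate hire record, and a
# termination for an identity with no manager on file.
HR_FEED = [
    {"event_id": "E1", "change": "hire", "user_id": "jdoe", "department": "Finance"},
    {"event_id": "E2", "change": "transfer", "user_id": "jdoe",
     "previous_department": "Finance", "department": "Engineering"},
    {"event_id": "E3", "change": "hire", "user_id": "jdoe", "department": "Finance"},
    {"event_id": "E4", "change": "termination", "user_id": "jdoe", "manager": None},
]


def demo():
    directory = {}
    logs = process_feed(HR_FEED, directory)
    return directory, logs


if __name__ == "__main__":
    directory, logs = demo()
    for event_id, log in logs.items():
        print(event_id, log)
    print(directory["jdoe"])
```

Two things are worth noticing in the log. The duplicate hire record E3 fails at CreateAccount and, because the Joiner template halts, AssignGroups is skipped instead of silently re-adding the old Finance groups to a user who has since transferred. The termination E4 fails at ForwardEmail (no manager on file) but, because the Leaver template continues, RevokeAccess still runs and the account is already disabled; with a halt policy and the same ordering the account would be disabled but still hold its groups, which is exactly the partial deprovisioning the best practices below warn about.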
Integration with Policies and Access Reviews
Lifecycle templates work alongside IdentityCenter's policy engine and access review campaigns:
- Policies can define baseline access rules that Joiner templates reference, ensuring new accounts always receive the organization's minimum required permissions
- Access Reviews can be triggered automatically during Mover events, prompting the new manager to certify the transferred employee's access
- Compliance Reports aggregate lifecycle event data to demonstrate JML process adherence during audits
Best Practices
- Start with Leaver templates -- offboarding automation delivers the highest immediate security value
- Use HR Feed triggers whenever possible to eliminate manual intervention
- Test templates in preview mode before deploying to production
- Define error handling for each action step to prevent partial provisioning
- Review lifecycle events weekly to catch failed actions early
- Align templates with your organization's access policies to ensure consistency
Next Steps
- Joiner Templates -- Automate new employee onboarding
- Mover Templates -- Handle role and department changes
- Leaver Templates -- Streamline offboarding
- Lifecycle Events -- Monitor and audit lifecycle activity
- HR Integration Overview -- Connect your authoritative HR source
- Policies Overview -- Define access policies that templates enforce