---
title: Mover Templates - Transfer Automation
category: Lifecycle Management
tags: mover, transfer, department-change, automation, templates
priority: Normal
---
Mover Templates - Transfer Automation
Mover templates automate the provisioning adjustments required when an employee changes role, department, manager, or location. Without automation, Mover events are the primary source of privilege creep -- employees accumulate permissions from their previous role while gaining new ones, creating an ever-expanding access footprint that violates least-privilege principles.
Why Mover Automation Matters
Consider an employee who transfers from Engineering to Sales:
| Without Automation | With Mover Template |
|---|---|
| Retains Engineering group memberships | Engineering groups removed automatically |
| Manually added to Sales groups (if IT remembers) | Sales groups assigned based on department mapping |
| Old manager still listed in AD | Manager updated to new reporting line |
| Account remains in Engineering OU | Account moved to Sales OU |
| No access review triggered | New manager receives access certification request |
| Audit finds excessive permissions months later | Clean access state from day one |
Mover templates eliminate the gap between organizational change and identity adjustment.
Detecting Attribute Changes
Mover templates rely on attribute change detection to determine when a transition has occurred. IdentityCenter monitors the following attributes for changes during synchronization or HR import:
| Attribute | Change Indicates |
|---|---|
| Department | Department transfer |
| Title | Role change or promotion |
| Manager | Reporting line change |
| Office | Location transfer |
| Division | Business unit change |
| EmployeeType | Status change (e.g., contractor to full-time) |
| Company | Legal entity change |
When a sync cycle or HR import detects that one or more of these attributes has changed for an existing identity, IdentityCenter evaluates all Mover templates to find a match.
Creating a Mover Template
Navigate to Administration > Lifecycle Management (/admin/lifecycle) and select New Template. Choose Mover as the template type.
Step 1: Template Details
| Field | Description | Example |
|---|---|---|
| Name | Descriptive template name | "Department Transfer - Standard" |
| Description | What this template handles | "Adjusts groups and OU when department changes" |
| Priority | Execution order when multiple templates match | Normal |
| Enabled | Whether the template is active | Yes |
Step 2: Trigger Configuration
| Trigger Type | Configuration | Best For |
|---|---|---|
| Manual | Administrator selects identity and template | Ad-hoc transfers |
| HR Feed | Fires when HR import detects attribute changes | Automated from HRIS |
| Schedule | Periodic evaluation of attribute changes | Batch processing |
Step 3: Change Detection Criteria
Define which attribute changes activate this template:
| Setting | Description | Example |
|---|---|---|
| Monitored Attributes | Which attributes to watch for changes | Department, Title, Manager |
| Previous Value Filter | Optional: match only if the previous value equals the filter value | Department was "Engineering" |
| New Value Filter | Optional: match only if the new value equals the filter value | Department is now "Sales" |
| Change Scope | Whether any change triggers the template, or only specific transitions | Any department change |
Tip: You can create generic Mover templates that fire on any department change, or targeted templates that handle specific transitions (e.g., "Engineering to Management" promotion path).
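The change detection described under Detecting Attribute Changes and the matching rules of Step 3, as an added Python example (not IdentityCenter code): it diffs two HR records across the monitored attributes and returns the templates that fire, in priority order. The MoverTemplate class, the High/Low priority levels, the sample records and the sample templates are assumptions made for the example; the filters are assumed to apply to whichever monitored attribute changed.

```python
from dataclasses import dataclass
from typing import Optional

# Attributes IdentityCenter watches during sync or HR import (from the table above).
MONITORED_ATTRIBUTES = ("Department", "Title", "Manager", "Office",
                        "Division", "EmployeeType", "Company")
# Assumed priority levels; the page itself only shows "Normal".
PRIORITY_ORDER = {"High": 0, "Normal": 1, "Low": 2}

@dataclass(frozen=True)
class MoverTemplate:
    name: str
    monitored: frozenset                   # Monitored Attributes
    previous_value: Optional[str] = None   # Previous Value Filter (assumed: any monitored attribute)
    new_value: Optional[str] = None        # New Value Filter
    priority: str = "Normal"

def detect_changes(before: dict, after: dict) -> dict:
    """Return {attribute: (old, new)} for every monitored attribute whose value differs."""
    return {a: (before.get(a), after.get(a))
            for a in MONITORED_ATTRIBUTES if before.get(a) != after.get(a)}

def template_matches(template: MoverTemplate, changes: dict) -> bool:
    """Fire if any monitored attribute changed and both optional filters hold for it."""
    for attr in template.monitored:
        if attr not in changes:
            continue
        old, new = changes[attr]
        if template.previous_value is not None and old != template.previous_value:
            continue
        if template.new_value is not None and new != template.new_value:
            continue
        return True
    return False

def matching_templates(changes: dict, templates: list) -> list:
    """Names of the templates that fire, in execution order (priority, then definition order)."""
    matched = [t for t in templates if template_matches(t, changes)]
    return [t.name for t in sorted(matched, key=lambda t: PRIORITY_ORDER[t.priority])]

# Constructed sample: two consecutive HR imports for the same identity.
SAMPLE_BEFORE = {"Department": "Engineering", "Title": "Software Engineer",
                 "Manager": "CN=Alice Ng,OU=Users,DC=corp,DC=local", "EmployeeType": "Full-Time"}
SAMPLE_AFTER = dict(SAMPLE_BEFORE, Department="Sales",
                    Manager="CN=Bob Lee,OU=Users,DC=corp,DC=local")
TEMPLATES = [
    MoverTemplate("Department Transfer - Standard", frozenset({"Department"})),
    MoverTemplate("Engineering to Sales", frozenset({"Department"}), "Engineering", "Sales", "High"),
    MoverTemplate("Promotion - Title Only", frozenset({"Title"})),
    MoverTemplate("Contractor Conversion", frozenset({"EmployeeType"}), "Contractor", "Full-Time"),
]
```

Note that the Manager change alone fires nothing here because no sample template monitors Manager; a generic and a targeted department template both fire, and the targeted one runs first because of its priority.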
Step 4: Define Actions
RemoveGroups
Remove groups associated with the identity's previous role or department:
| Parameter | Description | Example |
|---|---|---|
| Removal Scope | Which groups to remove | Department-mapped groups only |
| Exclusion List | Groups that should never be removed | "All Employees", "VPN Access" |
| Remove All | Remove from all groups except exclusions | No (use mapped removal) |
Department-mapped removal uses the same group mapping tables as Joiner templates. When the department changes from "Engineering" to "Sales", all groups mapped to "Engineering" are removed.
AssignGroups
Add groups associated with the identity's new role or department:
| Parameter | Description | Example |
|---|---|---|
| Static Groups | Groups added regardless of attributes | None (role-specific only) |
| Dynamic Groups | Groups assigned based on new attribute values | New department group set |
MoveOU
Relocate the identity to the appropriate Organizational Unit:
| Parameter | Description | Example |
|---|---|---|
| Target OU Pattern | OU path using attribute placeholders | OU={Department},OU=Users,DC=corp,DC=local |
| Create if Missing | Create the target OU if it does not exist | No |
UpdateAttribute
Modify directory attributes to reflect the new role:
| Parameter | Description | Example |
|---|---|---|
| Attributes | Key-value pairs to update | manager={NewManagerDN} |
| Source | Where new values come from | HR record, template parameter |
SendEmail
Notify relevant parties of the transition:
| Parameter | Description | Example |
|---|---|---|
| Email Template | Notification template | "Employee Transfer Notice" |
| Recipients | Who to notify | Old manager, new manager, HR, employee |
TriggerAccessReview
Request the new manager to certify the transferred employee's access:
| Parameter | Description | Example |
|---|---|---|
| Review Scope | What to review | All current group memberships |
| Reviewer | Who performs the review | New manager |
| Deadline | Days to complete review | 14 days |
| Auto-Revoke | Revoke uncertified access after deadline | Yes |
Transition Strategies
Immediate Cutover
All changes apply at once. The identity's old groups are removed and new groups are assigned in a single execution.
| Advantage | Disadvantage |
|---|---|
| Clean, immediate transition | May disrupt access during transition |
| Simple to configure | No overlap period for knowledge transfer |
| Clear audit trail | Requires all new access to be pre-defined |
Best for: Standardized role transitions where access requirements are well-defined.
Gradual Transition
New groups are assigned immediately, but old groups are retained for a configurable grace period before automatic removal.
| Advantage | Disadvantage |
|---|---|
| Smooth handoff period | Temporary privilege expansion |
| Time for knowledge transfer | Requires grace period monitoring |
| Reduces support tickets | More complex configuration |
Configuration:
| Setting | Description | Example |
|---|---|---|
| Grace Period | Days before old groups are removed | 14 days |
| Notification | Warn user before removal | 3 days before |
| Auto-Remove | Automatically remove after grace period | Yes |
Best for: Senior roles, project handoffs, or transitions requiring overlap.
Example: Department Transfer Template
Template: Department Transfer - Standard
Trigger: HR Feed (department attribute change)
Criteria: Any department change for EmployeeType = "Full-Time"
Actions:
1. RemoveGroups
- Scope: Previous department mapped groups
- Exclude: "All Employees", "Building Access", "Company WiFi"
2. AssignGroups
- Dynamic: New department mapped groups
3. MoveOU
- Target: OU={NewDepartment},OU=Users,DC=corp,DC=local
4. UpdateAttribute
- manager: {NewManagerDN}
5. TriggerAccessReview
- Reviewer: New manager
- Scope: All group memberships
- Deadline: 14 days
6. SendEmail
- Template: "Transfer Notification"
- To: Employee, Old Manager, New Manager
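An added Python model of this template's six actions (not IdentityCenter code), which also covers the Step 4 action parameters and both transition strategies: grace_days=None is Immediate Cutover, an integer selects Gradual Transition with a warning notify_days before removal. The department-to-group mapping, the identity records, the evaluation date and the function name are constructed for the example.

```python
from datetime import date, timedelta
# Department-to-group mapping table shared with Joiner templates (constructed sample data).
DEPARTMENT_GROUPS = {
    "Engineering": {"Eng-Developers", "Eng-SourceControl", "Company WiFi"},
    "Sales": {"Sales-Team", "Sales-CRM"},
}
# Exclusion list from the example template: RemoveGroups never touches these.
EXCLUSIONS = {"All Employees", "Building Access", "Company WiFi"}
OU_PATTERN = "OU={NewDepartment},OU=Users,DC=corp,DC=local"

def run_department_transfer(before, after, groups, today,
                            review_days=14, grace_days=None, notify_days=3):
    """Apply the six actions of 'Department Transfer - Standard' to one identity.
    before/after: HR records from consecutive imports; groups: current membership.
    grace_days=None is Immediate Cutover; an integer selects Gradual Transition."""
    old_dept, new_dept = before["Department"], after["Department"]
    groups = set(groups)
    # 1. RemoveGroups (mapped removal): previous department's groups, minus exclusions.
    to_remove = (DEPARTMENT_GROUPS.get(old_dept, set()) & groups) - EXCLUSIONS
    # 2. AssignGroups (dynamic): the new department's mapped groups.
    to_add = DEPARTMENT_GROUPS.get(new_dept, set()) - groups
    if grace_days is None:
        remove_on, notify_on = today, None
    else:
        remove_on = today + timedelta(days=grace_days)
        notify_on = remove_on - timedelta(days=notify_days)  # warn the user before removal
    # Membership after this run: under a grace period the old groups stay for now.
    current = (groups | to_add) if remove_on > today else ((groups - to_remove) | to_add)
    return {
        "remove": sorted(to_remove), "remove_on": remove_on, "notify_on": notify_on,
        "add": sorted(to_add), "groups": sorted(current),
        # 3. MoveOU: the pattern placeholder is filled from the new record.
        "target_ou": OU_PATTERN.format(NewDepartment=new_dept),
        # 4. UpdateAttribute: manager follows the new reporting line.
        "attributes": {"manager": after["Manager"]},
        # 5. TriggerAccessReview: new manager certifies all memberships, auto-revoke on.
        "access_review": {"reviewer": after["Manager"], "scope": sorted(current),
                          "deadline": today + timedelta(days=review_days), "auto_revoke": True},
        # 6. SendEmail: employee, old manager, new manager.
        "email_to": [after["Mail"], before["Manager"], after["Manager"]],
    }

# Constructed sample: an engineer moving to Sales, evaluated on a fixed date.
SAMPLE_TODAY = date(2024, 3, 4)
SAMPLE_BEFORE = {"Department": "Engineering", "Mail": "jdoe@corp.local",
                 "Manager": "CN=Alice Ng,OU=Users,DC=corp,DC=local"}
SAMPLE_AFTER = {"Department": "Sales", "Mail": "jdoe@corp.local",
                "Manager": "CN=Bob Lee,OU=Users,DC=corp,DC=local"}
SAMPLE_GROUPS = {"Eng-Developers", "Eng-SourceControl", "All Employees", "Building Access", "Company WiFi"}
```

"Company WiFi" is mapped to Engineering in the sample table but sits on the exclusion list, so it survives the mapped removal; with a grace period the access review scope shows the temporary privilege expansion the Gradual Transition table warns about.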
Handling Complex Scenarios
Promotion Within Same Department
When only the title changes but the department stays the same, create a separate template that:
- Adds elevated access groups (e.g., "Engineering Managers")
- Retains existing department groups
- Triggers an access review for the promotion
Cross-Division Transfer
For transfers between business divisions, consider:
- Different AD forests or domains may be involved
- VPN and network access may change based on location
- Compliance requirements may differ between divisions
Contractor to Employee Conversion
When EmployeeType changes from "Contractor" to "Full-Time":
- Remove contractor-specific groups and restrictions
- Assign full employee group set
- Move from contractor OU to employee OU
- Update account expiration (remove the end date)
Best Practices
- Always remove old groups -- never assume someone will "clean up later"
- Use exclusion lists to protect universal groups from accidental removal
- Trigger access reviews after every Mover event to validate the new access state
- Monitor for rapid successive changes -- multiple transfers in a short period may indicate data quality issues
- Document group-to-department mappings so they can be reviewed and updated as the organization evolves
- Test with preview mode before enabling automated triggers
Next Steps
- Joiner Templates -- Onboarding automation
- Leaver Templates -- Offboarding automation
- Lifecycle Events -- Monitor Mover event execution
- Policies Overview -- Define access policies referenced by templates
- Access Reviews Overview -- Configure post-transfer access reviews