Why it matters
Joiner, mover, and leaver controls connect authoritative sources to identity creation, role changes, temporary access, contractor handling, deprovisioning, recertification, and exceptions. Disabling a primary account may not revoke active sessions, API tokens, certificates, secondary identities, or application-local access.
Lifecycle workflow
- Define authoritative source, approval, role or attribute mapping, owner, and timing objective.
- For movers, compare former and new duties, segregation-of-duties constraints, temporary access, and application-specific entitlements.
- For leavers, revoke accounts, sessions where supported, tokens, certificates, group membership, device access, and third-party access according to policy.
- Use manager and application-owner reviews to certify access, retain evidence, and track exceptions.
Review checklist
- Is each entitlement tied to a current owner, role, or approved exception?
- Are dormant, orphaned, rehire, leave-of-absence, and contractor cases covered?
- Does a failed deprovisioning event have escalation and validation evidence?
- Do exception records include scope, owner, expiry, compensating control, and review date?
Common mistakes
Do not equate a manager attestation with technical revocation, or assume group removal immediately ends all sessions. Access reviews support least privilege but do not guarantee it without complete scope and follow-through.
Fictional example
An employee moves from finance to support. The HR event updates the main group, but a local reporting entitlement remains. The access review catches the mismatch, records the application owner's decision, and confirms removal with application evidence.
Operational decision points
Start by identifying authoritative identity sources, birthright access, approvals, movers, contractors, leavers, secondary identities, access certification, exceptions, and revocation verification. Keep those elements separate in the change record: a successful technical step can still leave an inappropriate authorization, unavailable dependency, or incomplete audit trail. Scope decisions to a named owner, system, time window, and evidence source.
Practical workflow
process the authoritative event, evaluate role and attribute changes, provision or reduce access, validate downstream systems, retain evidence, and escalate missed deprovisioning. At each stage, decide whether the observed result is sufficient to continue, needs an owner question, or requires a bounded rollback or escalation. Avoid turning an unavailable log or delayed response into proof that no activity occurred.
Evidence and review checklist
- record source event, identity, manager and application owner, prior and new role, decision, entitlements affected, token or certificate follow-up, completion time, exception, and validation result.
- Confirm the accountable owner, expected dependency, approved exception, and next review date.
- Test an ordinary permitted path and a relevant denial or expiry condition using approved accounts and non-sensitive data.
- Separate service availability symptoms from identity, policy, session, and logging outcomes.
Fictional operational example
A staff member transfers teams and the directory group changes, but an application-local account retains a finance entitlement. The access review identifies the mismatch, gets an application-owner decision, and confirms the local authorization is removed.
Validation boundaries and failure modes
A leaver workflow must consider active sessions, application-local accounts, API tokens, certificates, SSH keys, cached credentials, cloud roles, device access, and third-party access. Review decisions can approve, remove, reduce, investigate, or time-bound an exception; each needs owner, rationale, evidence, and a review date.
Before closing a review, confirm the result with the system owner and retain a reference to the relevant configuration, event, approval, or test. Missing evidence should create a follow-up question, not an unsupported conclusion about safety, authorization, or exposure.
Focused review checklist
A periodic review should compare the authoritative source, manager, application owner, group membership, application entitlements, secondary accounts, temporary access, exceptions, and evidence retention. Failed deprovisioning needs a named escalation, owner confirmation, and follow-up validation rather than a closed ticket based only on a directory change.
Related Vuln Signal content
See Privileged Access, AAA, IAM Access Review practice, and Incident Handoffs.