Joiner, Mover, and Leaver Processes

EmpowerID automates identity lifecycle management through Joiner, Mover, and Leaver (JML) processes. These processes provide individuals with appropriate access when joining the organization, maintain correct access as their roles change, and properly revoke access when they depart. JML automation integrates with authoritative systems such as HR platforms to detect lifecycle events and trigger corresponding identity management actions.

How JML Automation Works

JML events are typically detected through changes in authoritative systems. When employee records change in HR or other connected systems, EmpowerID's inventory connectors detect these changes and initiate corresponding workflows. The automation handles account provisioning when new employees join, access adjustments when employees change roles or locations, and account deactivation and cleanup when employees leave.

This integration eliminates manual identity management tasks while maintaining consistent policy enforcement across on-premises and cloud applications.

Joiner Process

The Joiner process establishes identities for new individuals entering the organization, transforming raw account data from authoritative systems into managed identities with appropriate access.

Account Inventory and Evaluation

When EmpowerID inventories accounts from connected systems, it performs more than simple data replication. The Account Inbox Processor evaluates each inventoried account to determine its ownership status and decides on one of three actions:

Ignore the Account — System accounts, service accounts, or accounts not representing users

Join to Existing Person — Account matches an existing Person identity based on configured join rules

Provision New Person — No matching Person exists; create new Person identity and join the account

Join and Provision Logic

The Account Inbox Processor applies configured join rules to match inventoried accounts with existing Person identities. Join rules evaluate attributes such as employee ID, email address, birth date, and name combinations. When no match is found and provision rules permit, EmpowerID creates a new Person identity.
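As an added illustration (not EmpowerID code), the following Python sketch models the Account Inbox Processor decision described above: an account filter ignores service accounts, join rules are tried in priority order, and a new Person is provisioned only when nothing matches and provision rules permit. The rule names, the sample Person records, and the handling of a multi-match (refusing to auto-join) and of a forbidden provision are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Person:
    person_id: int
    employee_id: Optional[str] = None
    email: Optional[str] = None
    last_name: Optional[str] = None
    birth_date: Optional[str] = None
    accounts: list = field(default_factory=list)

# Constructed sample Person directory (not real identities).
PERSONS = [
    Person(1, "E1001", "ada@example.test", "Lovelace", "1815-12-10"),
    Person(2, None, "bob@example.test", "Builder", "1980-01-02"),
]

def is_service_account(acct: dict) -> bool:
    """Account filter: system/service accounts are never linked to a Person."""
    return acct.get("type") == "service" or acct["sam"].lower().startswith("svc_")

# Join rules in priority order; each returns truthy when the account matches the Person.
JOIN_RULES = [
    ("employee_id", lambda a, p: a.get("employee_id") and a["employee_id"] == p.employee_id),
    ("email", lambda a, p: a.get("email") and a["email"].lower() == (p.email or "").lower()),
    ("name+birthdate", lambda a, p: a.get("last_name") and a["last_name"] == p.last_name and a.get("birth_date") == p.birth_date),
]

def process_account(acct: dict, persons: list, provision_allowed: bool = True) -> tuple:
    """Return (action, person_id): 'ignore', 'join', 'provision', or the assumed 'ambiguous'/'unmatched'."""
    if is_service_account(acct):
        return ("ignore", None)
    for _name, rule in JOIN_RULES:
        matches = [p for p in persons if rule(acct, p)]
        if len(matches) == 1:
            matches[0].accounts.append(acct["sam"])
            return ("join", matches[0].person_id)
        if len(matches) > 1:
            return ("ambiguous", None)  # assumption: never auto-join on a multi-match
    if not provision_allowed:
        return ("unmatched", None)  # assumption: provision rules forbid creating a Person
    new_id = max((p.person_id for p in persons), default=0) + 1
    persons.append(Person(new_id, acct.get("employee_id"), acct.get("email"),
                          acct.get("last_name"), acct.get("birth_date"), [acct["sam"]]))
    return ("provision", new_id)
```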

For detailed configuration information, see Configure Account Inbox Settings for Joiners.

Attribute Synchronization

After accounts join Person identities, attribute values from authoritative systems flow into Person records. This synchronization maintains data accuracy and reflects current information from HR systems in Person identities.

Role and Location Assignment

Based on account attributes such as job title, department, and location code, EmpowerID creates external organizational roles and locations. The Business Role and Location Compiler evaluates these external assignments and proposes corresponding internal EmpowerID business roles and locations. The Business Role and Location Processor executes these assignments, establishing organizational context and triggering access provisioning through role-based access control policies.

Joiner Process Flow

The complete joiner onboarding process follows a structured sequence from initial inventory through final role assignment: accounts are inventoried from connected systems; the Account Inbox Processor evaluates each account and either ignores it, joins it to an existing Person, or provisions a new Person; attribute values from the authoritative system synchronize into the Person record; and the Business Role and Location Compiler and Processor assign internal roles and locations, which trigger access provisioning through role-based access control policies.

Mover Process

The Mover process manages identity changes when individuals transition to different roles, departments, or locations within the organization. These transitions require access reevaluation to provision new access requirements and remove access no longer needed.

Triggering Mover Events

Mover events can be initiated manually through workflows that change a person's primary Business Role and Location. More commonly, Mover events are triggered automatically when HR system changes flow into EmpowerID through inventory connectors. Changes to job title, job code, department ID, or location code indicate role transitions that require access adjustments.

Business Role and Location Recompilation

When external role or location assignments change, the Business Role and Location Compiler Job evaluates the mappings between external and internal organizational structures. The compiler determines which internal Business Role and Location changes should occur based on configured mappings. Changes are queued for processing by the Business Role and Location Processor Job.

Access Reevaluation

When Business Role and Location assignments change, EmpowerID reevaluates Resource Entitlement Topology (RET) policies and other access policies associated with the Person. This reevaluation provisions missing access required for the new role and removes access no longer appropriate, maintaining least-privilege access throughout role transitions.
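The following Python sketch, added here and not EmpowerID code, walks a Mover event through the Compiler and reevaluation steps just described (the same mapping also covers the Role and Location Assignment step of the Joiner process): HR job and location codes are mapped to an internal Business Role and Location, then the Person's access is compared against RET-style policies so that missing entitlements are provisioned and entitlements the old role granted are removed. The mapping tables, policy contents and the choice to flag rather than remove access that no policy explains are constructed assumptions.

```python
from typing import Dict, Set, Tuple

# Constructed external-to-internal mappings standing in for the Compiler's configured mappings.
ROLE_MAPPINGS = {"JC-ENG": "Engineer", "JC-MGR": "Engineering Manager", "JC-FIN": "Accountant"}
LOCATION_MAPPINGS = {"LOC-BER": "Berlin", "LOC-NYC": "New York"}

# Constructed RET-style policies: (Business Role, Location) -> entitlements the policy grants.
RET_POLICIES: Dict[Tuple[str, str], Set[str]] = {
    ("Engineer", "Berlin"): {"git:push", "vpn:eu", "wiki:read"},
    ("Engineer", "New York"): {"git:push", "vpn:us", "wiki:read"},
    ("Engineering Manager", "New York"): {"git:push", "vpn:us", "wiki:read", "hr:team-reports"},
    ("Accountant", "New York"): {"erp:ledger", "vpn:us"},
}

def compile_assignment(job_code: str, location_code: str) -> Tuple[str, str]:
    """Compiler step: map HR job and location codes to the internal Business Role and Location."""
    try:
        return ROLE_MAPPINGS[job_code], LOCATION_MAPPINGS[location_code]
    except KeyError as exc:
        # An unmapped code must not silently leave the Person on the old role.
        raise ValueError(f"no mapping configured for {exc}") from None

def policy_entitlements(assignment: Tuple[str, str]) -> Set[str]:
    """Entitlements the RET policies grant for one role/location assignment (empty if none)."""
    return set(RET_POLICIES.get(assignment, set()))

def reevaluate_access(current: Set[str], old_attrs: Tuple[str, str], new_attrs: Tuple[str, str]):
    """Processor step for a Mover: return (to_provision, to_remove, unmanaged).

    to_provision: policy access the new role needs that the Person lacks.
    to_remove:    access the old role's policy granted that the new role does not.
    unmanaged:    access no policy explains; assumption: flagged for review, not auto-removed.
    """
    required = policy_entitlements(compile_assignment(*new_attrs))
    previously_granted = policy_entitlements(compile_assignment(*old_attrs))
    to_provision = required - current
    to_remove = (current & previously_granted) - required
    unmanaged = current - required - previously_granted
    return to_provision, to_remove, unmanaged
```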

Leaver Process

The Leaver process manages identity lifecycle termination when individuals separate from the organization. This process is security-critical, as timely access removal prevents unauthorized access by former employees.

Planned Leavers

Planned Leaver events are typically triggered by ValidUntil dates on Person objects, which flow from termination dates in HR systems. The Submit Person Terminations Permanent Workflow continuously evaluates Person objects to identify those meeting termination criteria. The planned leaver workflow supports multiple stages:

Pre-Leaver Stage

Identifies individuals approaching termination dates, enabling proactive offboarding tasks such as manager notifications, equipment collection, and knowledge transfer initiation.

Termination Stage

Disables accounts, revokes access, and marks Person identities for deletion when termination dates are reached. Configurable grace periods allow for business process completion before final termination.

Reactivation

Handles scenarios where terminations are reversed or individuals return to the organization, restoring Person identities and reactivating accounts as needed.
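This Python sketch is an added example (not EmpowerID code) of staging planned leavers from ValidUntil dates through the three stages above, using threshold values of the kind described under Leaver Settings: a number of days before ValidUntil opens the Pre-Leaver stage, reaching the date disables accounts and revokes access, a grace period precedes marking the Person for deletion, and a deleted Person whose date is cleared or moved into the future goes to Reactivation. The threshold names and values, the Person records and the reactivation condition are constructed assumptions.

```python
from datetime import date
from typing import Optional

# Constructed threshold values standing in for the leaver settings (assumed names).
PRE_LEAVER_DAYS = 14    # Pre-Leaver processing starts this many days before ValidUntil
GRACE_PERIOD_DAYS = 3   # days after ValidUntil before the Person is marked for deletion

def leaver_stage(valid_until: Optional[date], deleted: bool, today: date) -> str:
    """Classify a Person as active, pre-leaver, terminate, delete or reactivate."""
    if deleted and (valid_until is None or valid_until > today):
        # Assumption: a deleted Person whose ValidUntil was cleared or moved ahead is a reversal.
        return "reactivate"
    if valid_until is None:
        return "active"
    days_left = (valid_until - today).days
    if days_left > PRE_LEAVER_DAYS:
        return "active"
    if days_left > 0:
        return "pre-leaver"
    if days_left > -GRACE_PERIOD_DAYS:
        return "terminate"   # ValidUntil reached: disable accounts, revoke access
    return "delete"          # grace period elapsed: mark the Person for deletion

def plan_actions(persons: list, today: date) -> dict:
    """Group Person records into the actions the termination workflow would submit."""
    plan = {"notify_manager": [], "disable_accounts": [], "mark_deleted": [], "reactivate": []}
    for p in persons:
        deleted = p.get("deleted", False)
        stage = leaver_stage(p.get("valid_until"), deleted, today)
        if stage == "pre-leaver":
            plan["notify_manager"].append(p["name"])
        elif stage == "terminate" and not deleted:
            plan["disable_accounts"].append(p["name"])
        elif stage == "delete" and not deleted:
            plan["mark_deleted"].append(p["name"])
        elif stage == "reactivate":
            plan["reactivate"].append(p["name"])
    return plan

# Constructed sample Person records evaluated on a fixed "today".
TODAY = date(2024, 6, 1)
SAMPLE = [
    {"name": "ada", "valid_until": date(2024, 6, 10)},                 # 9 days out: pre-leaver
    {"name": "bob", "valid_until": date(2024, 5, 31)},                 # date passed, in grace
    {"name": "cy", "valid_until": date(2024, 5, 20)},                  # grace elapsed
    {"name": "dee", "valid_until": date(2024, 7, 30)},                 # still active
    {"name": "eve", "valid_until": date(2024, 8, 1), "deleted": True}, # termination reversed
    {"name": "fay", "valid_until": date(2024, 5, 1), "deleted": True}, # already processed
]
```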

For detailed configuration information, see Configure Leaver and Rehire Settings.

Unplanned Leavers

Unplanned Leaver events are initiated manually through Terminate Person workflows when immediate termination is required. These workflows mark Person objects as deleted and trigger immediate reevaluation of RET policies, leading to account disabling or deletion.

Rehire Process

The Rehire process manages individuals who were previously terminated and are now returning to the organization. This process restores previous Person identities when appropriate, reactivates disabled accounts, and assigns roles and locations for the new position.

For detailed configuration information, see Configure Leaver and Rehire Settings.

Integration with Account Inbox Settings

JML automation relies on Account Inbox Settings to define the rules and criteria governing each process. These settings provide administrators with granular control over JML automation while maintaining consistent policy enforcement.

Joiner Settings

Joiner settings define join rules that match inventoried accounts to existing Person identities and provision rules that determine when new Person identities are automatically created. Account filters provide logic determining which accounts are evaluated for Person linkage versus ignored as system or service accounts. These settings control how new identities enter EmpowerID and establish the foundation for subsequent lifecycle management.

Leaver Settings

Leaver settings define query-based collections that dynamically identify individuals at different termination stages—Pre-Leaver, Planned Leaver, and Reactivation. These collections evaluate Person attributes against configured criteria to determine which individuals require processing.

Notification templates control email communications sent to individuals, managers, and administrators at each stage. Threshold values establish timing parameters, such as how many days before termination the Pre-Leaver process initiates or when the actual termination processing begins.

Account Inbox Settings determine whether to use default workflow behavior or create Flow events for custom automation. When Flow integration is enabled, the Submit Person Terminations Permanent Workflow creates Flow events instead of executing standard termination logic, and the Flow engine processes these events according to configured Flow policies.

Rehire Settings

Rehire settings define the query-based collection that identifies individuals eligible for rehire and the workflow initiator that controls approval routing for rehire requests. Organizations can configure whether to use custom Flow automation or default rehire workflows, enabling flexibility in how returning employees are processed based on organizational policies and integration requirements.