← All terms
Joiner-Mover-Leaver (JML) Process

What is the Joiner-Mover-Leaver (JML) Process?

JML is the process of granting, adjusting, and revoking access as employees join, change roles, and leave — the core of identity lifecycle management.

Last updated: 13 July 2026

The three stages of JML

The joiner stage covers everything a new hire needs on day one: an account in the directory, email, group memberships, and access to the applications their role requires. The trigger is typically a record created in the HR system, which flows into the identity platform and drives automated provisioning.

The mover stage handles role changes. When someone transfers from finance to sales, they need new access — but just as importantly, their old access must be removed. Movers are the hardest stage to get right, because adding access is visible and urgent while removing it is neither.

The leaver stage revokes everything: disabling accounts, terminating sessions, revoking tokens and certificates, and transferring ownership of resources such as mailboxes and files. Speed matters here; leaver deprovisioning should happen within hours, not weeks.

Why JML matters

A slow joiner process costs productivity — new hires waiting days for access. A weak mover process causes privilege creep, where long-tenured employees accumulate access from every role they have ever held. A broken leaver process is a direct security exposure: active accounts belonging to people who no longer work for the organization are a well-documented entry point for both attackers and disgruntled former employees.

Auditors focus on JML heavily. SOC 2 and ISO 27001 assessments routinely sample recent leavers and check how quickly their access was removed, and sample joiners to verify access was approved before it was granted.

Good JML also underpins everything else in identity governance: access reviews and SoD checks are only meaningful when the underlying account data reflects reality.

Automating JML in practice

Automation starts by making HR the authoritative source of truth. When hire, transfer, and termination events flow automatically from the HR system into the identity platform, provisioning and deprovisioning follow without tickets or manual steps for the standard cases.

Role- or attribute-based access models make the automation predictable: a person's department, title, and location determine a baseline set of birthright access, with anything beyond it going through a request-and-approval workflow. For movers, a common pattern grants new access immediately while old access expires after a short, defined grace period.

Monosign supports this with lifecycle workflows that automate joiner, mover, and leaver events across connected applications.

Frequently asked questions

How quickly should a leaver's access be removed?
For standard departures, access should be disabled on the last working day, ideally within hours of the termination event. For high-risk departures, access is typically cut at the moment of notification, including active sessions and tokens, not just the primary account.
What is privilege creep and how does JML prevent it?
Privilege creep is the gradual accumulation of access as people change roles without their old permissions being removed. A disciplined mover process prevents it by recalculating access on every role change: new entitlements are granted and entitlements tied to the previous role are revoked.