About Identity Lifecycle Management
Identity Lifecycle Management (ILM) is a cornerstone of Identity Governance and Administration (IGA), encompassing the complete journey of digital identities from creation through modification to eventual deactivation. For modern enterprises managing thousands of user accounts across hybrid cloud and on-premises environments, effective lifecycle management directly impacts security posture, operational efficiency, and regulatory compliance.
EmpowerID provides comprehensive identity lifecycle management that automates the critical Joiner, Mover, and Leaver (JML) phases while maintaining granular control through policy-based governance. By integrating with Human Capital Management (HCM) systems and applying policy-driven automation, it grants users the appropriate access at the right time and promptly revokes that access when it is no longer needed.
What is Identity Lifecycle Management?
Identity Lifecycle Management represents the complete set of processes and policies that govern digital identities throughout their existence within an organization. At its core, ILM encompasses three fundamental phases that mirror an individual's relationship with an organization.
Identity Creation and Provisioning establishes digital identities when individuals join the organization. This phase creates user accounts, assigns basic permissions, and configures authentication credentials.
Access Modifications adjust permissions and entitlements as roles, responsibilities, or organizational structures change throughout an individual's tenure.
Deprovisioning and Account Cleanup systematically removes access and archives accounts when individuals leave or when identities are no longer needed.
These three phases—commonly referred to as Joiner, Mover, and Leaver processes—form the foundation of identity lifecycle management. Effective ILM maintains only the access necessary for current responsibilities, implementing the principle of least privilege at scale while adapting dynamically to organizational changes.
Identity Lifecycle Management Benefits
Automated identity lifecycle management reduces security risk through consistent enforcement of access policies and timely removal of unnecessary permissions. Manual provisioning tasks that consume IT resources and introduce human error are eliminated.
Organizations gain comprehensive audit trails of all lifecycle events that support regulatory compliance requirements. By connecting authoritative identity sources with downstream systems, EmpowerID maintains synchronized identity data and automatically adjusts access rights to reflect current organizational roles and responsibilities.
Joiner-Mover-Leaver Framework
The Joiner-Mover-Leaver framework structures identity lifecycle processes around three distinct employee lifecycle phases. New employees require rapid onboarding with birthright access provisioning. Role changes demand precise access adjustments based on new responsibilities. Departures require complete access removal with appropriate audit trails.
Joiner Processes
When new employees join the organization, Joiner processes provide them with appropriate access to begin working productively from day one.
Modern onboarding automation begins before an employee's first day through pre-hire account staging. Accounts are created in advance and basic access is provisioned to support day-one productivity. This preparation includes configuring temporary credentials and scheduling welcome communications to guide new employees through their first login experience.
Attribute-based role assignment eliminates manual role selection by automatically determining appropriate Business Role and Location assignments based on HR data such as department, job title, and office location. Once roles are assigned, provisioning policies automatically grant birthright access to standard resources all employees in similar roles require.
These policies create accounts in Active Directory, Microsoft 365, email systems, and required business applications without IT intervention. For resources that require approval, the system routes requests to designated approvers based on configured approval policies.
Mover Processes
Throughout an employee's tenure, role changes, department transfers, promotions, and organizational restructuring require access modifications that maintain security without impeding productivity. Mover processes detect these changes and adjust access accordingly.
Change detection operates through multiple mechanisms working together to maintain timely updates:
Scheduled Reconciliation compares HR systems with the Identity Warehouse at regular intervals.
Change Data Capture Engine provides near real-time detection of attribute modifications for time-sensitive changes.
Manual Change Requests from managers or administrators enable immediate updates when required.
Once changes are detected, role recompilation automatically recalculates Business Role and Location assignments based on the new attributes. Provisioning policies grant additional access required by new roles. Revocation policies remove access no longer justified by current roles unless other active policies or explicit grants maintain that access.
Approval workflows route requests for sensitive resources or access modifications that exceed standard birthright entitlements according to configured approval policies. This provides appropriate oversight while maintaining automated processing for routine changes.
The system tracks all access modifications through comprehensive audit logs that maintain a complete history of why access was granted, modified, or revoked. These logs support both compliance requirements and operational troubleshooting.
Leaver Processes
When employees depart the organization, Leaver processes provide prompt and complete removal of access across all systems.
Termination detection discovers departures through multiple channels:
Scheduled HR Reconciliation identifies terminated employees or contractors whose contracts have expired.
Change Data Capture Engine provides near real-time detection of termination events for immediate response.
Manual Termination Workflows initiated by HR or management enable controlled offboarding when required.
Upon detecting a termination, immediate account disabling locks accounts across all connected systems to prevent further access while preserving data for transition and audit purposes. Access revocation then systematically removes group memberships, application entitlements, and resource permissions across the enterprise. Disabling an account blocks new logins but does not by itself end sessions or invalidate tokens the connected system issued earlier; those expire on that system's own schedule, which is why entitlement revocation should follow the disable immediately rather than waiting for scheduled cleanup.
Email forwarding or delegation can be configured to maintain business continuity while the employee's data undergoes review and archival. Scheduled cleanup processes execute after configurable retention periods, permanently deleting accounts and associated data according to organizational policies and regulatory requirements.
The system provides termination workflow orchestration through No Code Flows, allowing organizations to implement custom leaver processes that accommodate different employee types, termination reasons, or regulatory requirements. These workflows coordinate activities across multiple systems and teams, maintaining complete offboarding with appropriate documentation and approval trails.
EmpowerID Lifecycle Architecture
EmpowerID implements identity lifecycle management through an integrated platform architecture where specialized components work together to automate the complete identity journey from onboarding through offboarding.
Authoritative Source Integration
EmpowerID treats Human Capital Management systems and enterprise directories as authoritative sources for identity data. The Inventory Engine continuously discovers accounts and attribute changes from connected systems, running on configurable schedules that range from real-time to daily intervals depending on system capabilities and business requirements.
Discovery processes identify new accounts requiring integration, attribute changes that might trigger lifecycle events, and account deletions that need propagation across the environment.
The Account Inbox receives newly discovered accounts and processes them according to configured join and provision rules. Join rules match accounts to existing Person objects based on employee ID, email address, name combinations, or other identifying attributes. When a discovered account matches an existing Person, the system joins the account to that Person's unified identity profile. When no match is found, provision rules determine whether to automatically create a new Person object or route the account to administrators for manual review.
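The following is an added example, not EmpowerID's own code, showing one way join and provision rules of the kind described above can decide what to do with a discovered account. The rule order, the sample Person objects, the `hr`/`ad` store names and the decision to route name-only matches to review are all assumptions made for the example; the security point it illustrates is that a weak match (two people named Bo Chen) must never auto-join, because a mis-joined account silently inherits another person's access.

```python
"""Added example (not EmpowerID's code): one way join and provision rules
can decide what to do with an account the Inventory Engine has discovered.

Assumptions (not from the page): rules run in precedence order, a unique
employee-ID match is authoritative, a unique e-mail match is accepted, and a
name-only match is too weak to auto-join and is routed to manual review.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    employee_id: Optional[str]
    email: Optional[str]
    first: str
    last: str


@dataclass(frozen=True)
class Account:
    store: str                      # connected system the account was found in
    login: str
    employee_id: Optional[str] = None
    email: Optional[str] = None
    first: str = ""
    last: str = ""


@dataclass(frozen=True)
class Decision:
    action: str                     # "join" | "provision" | "review"
    person_id: Optional[str]
    reason: str


# Constructed sample Person objects standing in for the Identity Warehouse.
# P2 and P3 are deliberately homonyms: an employee and a contractor named Bo Chen.
PERSONS: List[Person] = [
    Person("P1", "10001", "ana.silva@example.com", "Ana", "Silva"),
    Person("P2", "10002", "bo.chen@example.com", "Bo", "Chen"),
    Person("P3", None, "bo.chen.contractor@example.com", "Bo", "Chen"),
]


def _norm(value: Optional[str]) -> str:
    return (value or "").strip().lower()


def _matches(persons: List[Person], attr: str, value: Optional[str]) -> List[Person]:
    """Persons whose `attr` equals `value` (case-insensitive); never matches on blanks."""
    wanted = _norm(value)
    return [p for p in persons if wanted and _norm(getattr(p, attr)) == wanted]


def join_or_provision(acct: Account, persons: List[Person] = PERSONS) -> Decision:
    # Rule 1: employee ID is unique in HR, so a single match is authoritative.
    hits = _matches(persons, "employee_id", acct.employee_id)
    if len(hits) == 1:
        return Decision("join", hits[0].person_id, "employeeId match")
    if len(hits) > 1:
        return Decision("review", None, "employeeId matched multiple persons")

    # Rule 2: exact e-mail match.
    hits = _matches(persons, "email", acct.email)
    if len(hits) == 1:
        return Decision("join", hits[0].person_id, "email match")
    if len(hits) > 1:
        return Decision("review", None, "email matched multiple persons")

    # Rule 3: first + last name. Never auto-join on this alone: homonyms would
    # silently attach an account (and its access) to the wrong identity.
    hits = [p for p in persons
            if _norm(acct.last)
            and _norm(p.first) == _norm(acct.first)
            and _norm(p.last) == _norm(acct.last)]
    if hits:
        return Decision("review", None, f"name matched {len(hits)} person(s); confirm manually")

    # No match: the provision rule decides. Auto-create a Person only for accounts
    # that come from the authoritative HR feed with an employee ID; anything else
    # (service accounts, stale local accounts) is an orphan for an administrator.
    if acct.store == "hr" and acct.employee_id:
        return Decision("provision", None, "new HR identity; create Person")
    return Decision("review", None, "orphan account in non-authoritative store")
```

Each `Decision` carries the reason it was made, so the Account Inbox history records why an account was joined, created or held, which is what an auditor asks for when a mis-join is suspected later.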
Change Detection and Event Processing
The Change Data Capture Engine provides scalable, near real-time detection of identity attribute changes that trigger lifecycle events. Operating on the SQL Server Change Data Capture feature against Identity Warehouse tables, the CDC engine monitors for modifications across person attributes, role assignments, account properties, and organizational hierarchies.
When changes are detected, PowerShell scripts analyze change patterns using Kusto Query Language, identifying lifecycle events that span multiple attributes or require time-based analysis. Events meeting configured detection criteria are automatically inserted into the BusinessRequestFlowEventInbox, triggering appropriate workflows without manual intervention.
For detailed information on CDC architecture and configuration, see Change Data Capture Engine and Kusto Query.
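As an added example, not EmpowerID's own code, the block below shows detection logic of the kind the Change Data Capture Engine applies to captured changes: grouping one person's attribute changes into a time window, recognising a Leaver event from a status change, and recognising a Mover event that spans several attributes. It is written in Python rather than the PowerShell and KQL the page describes; the row shape, the 24-hour window, the attribute names and the sample rows are all constructed for the example.

```python
"""Added example (not EmpowerID's code): detection logic of the kind the
Change Data Capture Engine runs over captured changes, written in Python
rather than the PowerShell/KQL the page describes.

Assumptions (not from the page): each captured change is a row
(commit_time, person_id, column, old_value, new_value); changes to one person
within a 24-hour window are one lifecycle event; a status change to
"Terminated" is a Leaver event and overrides any role-attribute changes in the
same window; role attributes are Department, JobTitle, Location and ManagerId.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Change = Tuple[datetime, str, str, str, str]

# Constructed CDC-style rows (sample data, not a real capture).
CHANGES: List[Change] = [
    (datetime(2024, 5, 1, 9, 0), "P1", "Department", "Finance", "Treasury"),
    (datetime(2024, 5, 1, 9, 5), "P1", "ManagerId", "P7", "P9"),
    (datetime(2024, 5, 1, 9, 6), "P1", "JobTitle", "Analyst", "Senior Analyst"),
    (datetime(2024, 5, 1, 10, 0), "P2", "EmploymentStatus", "Active", "Terminated"),
    (datetime(2024, 5, 1, 10, 1), "P2", "Department", "Sales", "Alumni"),
    (datetime(2024, 5, 2, 8, 0), "P3", "Department", "IT", "Security"),
    (datetime(2024, 5, 5, 8, 0), "P3", "ManagerId", "P4", "P5"),            # >24h later: separate event
    (datetime(2024, 5, 1, 11, 0), "P4", "DisplayName", "Dee O.", "Dee Okafor"),  # cosmetic, no event
]

WINDOW = timedelta(hours=24)
ROLE_ATTRS = {"Department", "JobTitle", "Location", "ManagerId"}


def _classify(person_id: str, rows: List[Change]) -> List[Dict]:
    """Turn one person's changes inside one window into zero or one event."""
    cols = {col: (old, new) for _, _, col, old, new in rows}
    detected_at = max(t for t, *_ in rows)
    if cols.get("EmploymentStatus", (None, None))[1] == "Terminated":
        # Leaver wins: there is no point recompiling roles for someone leaving.
        return [{"EventType": "Leaver", "PersonId": person_id,
                 "DetectedAt": detected_at, "Changed": sorted(cols)}]
    role_cols = sorted(ROLE_ATTRS & cols.keys())
    if not role_cols:
        return []   # display-name edits and the like never trigger a lifecycle flow
    # A department change together with a new manager in the same window is
    # flagged as a transfer; any other role-attribute change is a plain move.
    subtype = "Transfer" if {"Department", "ManagerId"} <= set(role_cols) else "Move"
    return [{"EventType": "Mover", "Subtype": subtype, "PersonId": person_id,
             "DetectedAt": detected_at, "Changed": role_cols}]


def detect_events(changes: List[Change], window: timedelta = WINDOW) -> List[Dict]:
    """Group captured changes per person into time windows and classify each
    window. The result is the set of rows a CDC job would insert into
    BusinessRequestFlowEventInbox to start the matching workflows."""
    by_person: Dict[str, List[Change]] = defaultdict(list)
    for row in sorted(changes, key=lambda r: (r[0], r[1])):
        by_person[row[1]].append(row)

    events: List[Dict] = []
    for person_id, rows in by_person.items():
        group: List[Change] = []
        for row in rows:
            if group and row[0] - group[0][0] > window:   # window anchored on its first change
                events.extend(_classify(person_id, group))
                group = []
            group.append(row)
        events.extend(_classify(person_id, group))
    return sorted(events, key=lambda e: (e["DetectedAt"], e["PersonId"]))
```

Running `detect_events(CHANGES)` yields four events: one transfer for P1 built from three separate column changes, one Leaver for P2 (the simultaneous department change is folded into it rather than starting a competing Mover flow), and two separate moves for P3 because its changes fall outside one window. P4's display-name edit produces nothing.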
Attribute Synchronization
The Attribute Flow engine maintains identity data consistency across connected systems through bidirectional synchronization governed by authority configuration rules. Organizations can configure different synchronization behaviors for different systems and attributes:
| Synchronization Mode | Behavior | Use Case |
|---|---|---|
| Bidirectional Flow | Accepts changes from both EmpowerID and connected systems | Mutual trust between systems requiring two-way synchronization |
| Account Store Priority | Only changes from the connected system update EmpowerID | EmpowerID reflects external data without controlling it |
| EmpowerID Priority | Only EmpowerID changes propagate to connected systems | EmpowerID enforces authoritative data with rollback of external changes |
| Disabled | No synchronization occurs | No integration desired for specific attributes or systems |
Conflict resolution operates on configured precedence rules, processing changes according to authority hierarchies and propagating authoritative values across integrated systems in real time.
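The block below is an added example, not EmpowerID's own code, that applies the four synchronization modes from the table above to one inventory cycle of discovered attribute changes and resolves a two-store conflict by precedence. The per-store, per-attribute configuration, the `hr`/`ad` store names, the precedence list and the rule that a rollback writes EmpowerID's final value back to the offending store are assumptions made for the example.

```python
"""Added example (not EmpowerID's code): how the four synchronization modes
in the table above, plus a precedence list, can be applied to one inventory
cycle of discovered attribute changes.

Assumptions (not from the page): a flow mode is configured per
(connected store, attribute); when several stores report the same attribute
in one cycle, the store listed first in PRECEDENCE wins; a rollback writes
EmpowerID's final value back to the store that tried to change it.
"""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    BIDIRECTIONAL = "bidirectional"       # both sides may change the value
    ACCOUNT_STORE_PRIORITY = "store"      # store -> EmpowerID only
    EMPOWERID_PRIORITY = "empowerid"      # EmpowerID -> store only; store edits are rolled back
    DISABLED = "disabled"                 # no flow at all


# Constructed configuration.
FLOW_RULES: Dict[Tuple[str, str], Mode] = {
    ("hr", "department"): Mode.ACCOUNT_STORE_PRIORITY,
    ("ad", "department"): Mode.EMPOWERID_PRIORITY,
    ("hr", "mobile"): Mode.BIDIRECTIONAL,
    ("ad", "mobile"): Mode.BIDIRECTIONAL,
    ("ad", "employeeId"): Mode.DISABLED,
}
PRECEDENCE: Dict[str, List[str]] = {"mobile": ["hr", "ad"], "department": ["hr"]}

Op = Tuple[str, str, str]   # (target, person, attr); the dict value is what to write


def _rank(attr: str, store: str) -> int:
    """Position in the precedence list; unlisted stores rank last."""
    order = PRECEDENCE.get(attr, [])
    return order.index(store) if store in order else len(order)


def _targets_from_empowerid(attr: str) -> List[str]:
    """Stores that accept values flowing out of EmpowerID for this attribute."""
    return [s for (s, a), m in FLOW_RULES.items()
            if a == attr and m in (Mode.BIDIRECTIONAL, Mode.EMPOWERID_PRIORITY)]


def process_cycle(changes: List[Tuple[str, str, str, str]],
                  eid_values: Dict[Tuple[str, str], Optional[str]]) -> Dict[Op, Optional[str]]:
    """changes: discovered (person, store, attr, value) rows for one cycle.
    eid_values: EmpowerID's current values, updated in place.
    Returns the writes to perform, keyed by target so that a rollback and a
    propagation to the same store collapse into one write of the final value."""
    writes: Dict[Op, Optional[str]] = {}
    accepted: Dict[Tuple[str, str], Tuple[str, str]] = {}   # (person, attr) -> (store, value)
    rollbacks: List[Tuple[str, str, str]] = []               # (store, person, attr)

    for person, store, attr, value in changes:
        mode = FLOW_RULES.get((store, attr), Mode.DISABLED)
        if mode is Mode.DISABLED:
            continue
        if mode is Mode.EMPOWERID_PRIORITY:
            rollbacks.append((store, person, attr))          # store may not change this
            continue
        prev = accepted.get((person, attr))
        if prev is None or _rank(attr, store) < _rank(attr, prev[0]):
            accepted[(person, attr)] = (store, value)        # higher-precedence store wins

    for (person, attr), (store, value) in accepted.items():
        if eid_values.get((person, attr)) == value:
            continue                                         # no change, nothing to propagate
        eid_values[(person, attr)] = value
        writes[("empowerid", person, attr)] = value
        for target in _targets_from_empowerid(attr):
            if target != store:                              # never echo back to the origin
                writes[(target, person, attr)] = value

    for store, person, attr in rollbacks:
        writes[(store, person, attr)] = eid_values.get((person, attr))
    return writes
```

In the constructed cycle, an unauthorised department edit in `ad` is rolled back, the HR department change wins and flows outward, the two competing mobile numbers are settled in HR's favour, and the disabled `employeeId` flow is ignored entirely. Rollbacks are applied after accepted updates so that the value written back is the final authoritative one rather than a stale intermediate.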
Automated Role Assignment
EmpowerID automatically assigns and maintains role memberships based on identity attributes from authoritative sources, eliminating manual role management overhead.
The Business Role and Location Recompiler continuously maps external roles and locations from HR systems to EmpowerID's polyarchical RBAC model, which combines Business Roles and Locations to define access patterns. When employee attributes such as department, job title, location, or manager change in the HR system, the recompiler automatically recalculates what Business Role and Location combinations should apply to that individual.
This recompilation process runs on a schedule, typically several times per day, to keep role assignments current with HR data. The polyarchical approach prevents role explosion by allowing a small number of Business Roles to be combined with Locations, representing thousands of unique access patterns without requiring an individual role definition for each combination.
Provisioning Policies transform these role assignments into concrete access grants without requiring user requests or manual provisioning by administrators. Policies define birthright access based on Business Role and Location combinations, automatically provisioning accounts, groups, and resources when roles are assigned to users.
Policy-driven revocation automatically removes associated access when role assignments are removed, unless other active policies still require it. The system supports both permanent access grants and temporary assignments with automatic expiration, accommodating both standard employment and contractor scenarios.
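The block below is an added example, not EmpowerID's own code, that models the rule stated here and in the Mover section above: after role recompilation, provisioning policies grant what the new roles require, and revocation removes only access that no remaining policy and no unexpired explicit grant still justifies, while a termination removes everything. The HR-to-role mapping, the policy table, the resource names and the sample identity are all constructed for the example.

```python
"""Added example (not EmpowerID's code): a compact model of role
recompilation followed by policy-driven provisioning and revocation, covering
the rule stated in the Mover section and again above: access is revoked only
when no active policy and no unexpired explicit grant still justifies it, and a
termination removes everything.

Assumptions (not from the page): the HR attribute to Business Role/Location
mapping, the policy table and the resource names below are all constructed;
explicit grants are (resource, expiry date or None) pairs.
"""
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

Assignment = Tuple[str, str]                     # (Business Role, Location)
Grant = Tuple[str, Optional[date]]               # (resource, expires on or None)

# Constructed provisioning policies: (role or "*", location or "*") -> birthright resources.
POLICIES: List[Tuple[Assignment, Set[str]]] = [
    (("Employee", "*"), {"AD:Domain Users", "M365:E3", "Mail"}),
    (("Engineering", "*"), {"GitHub:eng", "VPN"}),
    (("Engineering", "Berlin"), {"AD:berlin-lab"}),
    (("Finance", "*"), {"ERP:ledger"}),
    (("Manager", "*"), {"HR:approvals"}),
]


def recompile(hr: Dict) -> Set[Assignment]:
    """Constructed recompiler: HR attributes -> Business Role / Location pairs.
    A non-active person gets no assignments at all (the leaver case)."""
    if hr.get("status") != "Active":
        return set()
    roles = {("Employee", hr["office"]), (hr["jobFamily"], hr["office"])}
    if hr.get("isManager"):
        roles.add(("Manager", hr["office"]))
    return roles


def policy_access(assignments: Set[Assignment]) -> Set[str]:
    """Union of every policy whose conditions some assignment satisfies."""
    out: Set[str] = set()
    for (role, loc), resources in POLICIES:
        if any(role in (r, "*") and loc in (l, "*") for r, l in assignments):
            out |= resources
    return out


def reconcile(hr: Dict, explicit: List[Grant], current: Set[str],
              today: date) -> Tuple[Set[str], Set[str]]:
    """Return (to_grant, to_revoke) for one person.
    Policy access is recomputed from scratch; explicit grants survive only while
    unexpired and only while the person is still active."""
    assignments = recompile(hr)
    justified = policy_access(assignments)
    if assignments:
        justified |= {res for res, exp in explicit if exp is None or exp >= today}
    return justified - current, current - justified


def simulate() -> List[Tuple[Set[str], Set[str]]]:
    """Walk one constructed identity through a move, grant expiry and termination."""
    explicit = [("ERP:ledger", date(2024, 6, 30)), ("VPN", None), ("Jira:admin", date(2024, 6, 30))]
    hr = {"status": "Active", "office": "Berlin", "jobFamily": "Engineering", "isManager": False}
    current = policy_access(recompile(hr)) | {res for res, _ in explicit}
    steps = []

    # Mover: transfer to Finance and promotion to manager.
    hr.update(jobFamily="Finance", isManager=True)
    grant, revoke = reconcile(hr, explicit, current, date(2024, 5, 1))
    steps.append((grant, revoke))
    current = (current | grant) - revoke

    # Time passes: the temporary grants expire, but ERP:ledger is now a Finance birthright.
    grant, revoke = reconcile(hr, explicit, current, date(2024, 7, 1))
    steps.append((grant, revoke))
    current = (current | grant) - revoke

    # Leaver: everything goes, explicit grants included.
    hr["status"] = "Terminated"
    grant, revoke = reconcile(hr, explicit, current, date(2024, 8, 1))
    steps.append((grant, revoke))
    return steps
```

Three things in `simulate()` are worth noticing: `VPN` survives the move to Finance because an explicit grant still covers it even though no Finance policy does; `ERP:ledger` survives the expiry of its temporary grant because the Finance policy now justifies it; and `Jira:admin` is revoked on expiry because nothing else justifies it. A revocation policy that simply removed "everything the old role granted" would get the first two wrong.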
Workflow Orchestration
No Code Flows let business users and IT administrators build complex lifecycle workflows in a visual designer, without custom development.
Flow Definitions specify the sequence of lifecycle operations, from simple approval routing to complex multi-stage provisioning processes. Flow Items represent individual steps such as email notifications, manager approvals, system provisioning actions, or API calls to external services. Flow Policies define the conditions that trigger workflow execution, allowing different workflows to be invoked based on user attributes, resource types, or contextual factors.
No Code Flows support common lifecycle scenarios including new employee onboarding with staged access provisioning, role change processing with approval routing, and termination workflows with staged cleanup. Organizations also implement contractor lifecycle management with automatic expiration-based deprovisioning when contract end dates arrive.
The integration capabilities of No Code Flows allow them to connect to external systems and services, enabling lifecycle processes to span beyond EmpowerID and coordinate activities across the enterprise IT environment.
Key Components of EmpowerID Identity Lifecycle Management
EmpowerID's identity lifecycle management platform comprises several integrated subsystems. Each component plays a specific role in the overall lifecycle automation architecture, working together to deliver comprehensive identity governance from onboarding through offboarding.
Identity Warehouse
The central repository for identity data, the Identity Warehouse integrates information from multiple authoritative sources into a unified view of each identity. It inventories user accounts, groups, and resources from connected systems while joining accounts to Person objects that represent unique individuals. The Warehouse maintains attribute history and synchronization state, providing the data foundation for access decisions and lifecycle automation.
For detailed information, see EmpowerID Identity Warehouse.
Inventory and Account Inbox
The Inventory subsystem continuously discovers new accounts in connected systems and processes them according to configured join and provision rules. Inventory jobs run on scheduled intervals to discover new or changed accounts. Join rules link discovered accounts to existing Person objects based on matching criteria. Provision rules determine when to automatically create new Person objects for unmatched accounts. Bulk processing capabilities enable efficient handling of large account populations during initial connectivity or mass imports.
For detailed information, see Inventory and Account Inbox.
Attribute Flow
Attribute Flow maintains identity data consistency across connected systems through bidirectional synchronization governed by authority configuration rules. The engine processes attribute changes discovered during inventory or made directly in EmpowerID, applies configured flow rules to determine propagation direction, and resolves conflicts based on source authority hierarchies. Authoritative changes are propagated to all integrated systems in real time.
For detailed information, see Attribute Flow.
Change Data Capture Engine
The Change Data Capture Engine provides scalable detection of data changes that trigger lifecycle events through integration with SQL Server CDC and Kusto Query Language. This component monitors Identity Warehouse tables for modifications, analyzes change patterns to identify complex lifecycle events that span multiple attributes or time windows, automatically triggers workflows when detection criteria are met, and maintains a complete audit trail of detected changes and triggered events.
For detailed information, see Change Data Capture Engine and Kusto Query.
Business Role and Location
The Business Role and Location subsystem implements EmpowerID's polyarchical RBAC model, which simplifies access management by combining role and location dimensions. External role inventory discovers hierarchies from HR systems and directories. RBAC mapping translates external structures to EmpowerID constructs. The recompiler job automatically recalculates role assignments when HR attributes change. The processor job implements role assignment changes and triggers associated provisioning policies.
For detailed information, see Business Role and Location Assignments.
Provisioning Policies
Provisioning Policies define the birthright access users receive based on their role assignments, transforming abstract role memberships into concrete access grants. Policy conditions specify when policies apply based on Business Role, Location, and other attributes. Resource grants define what specific access is automatically provisioned when conditions are met. Default attributes establish attribute values for newly provisioned accounts. Revocation rules automatically remove access when policy conditions no longer apply.
No Code Flows
No Code Flows provide visual workflow orchestration for complex lifecycle processes that require human interaction or multi-stage processing. Flow definitions establish the sequence of operations required to complete lifecycle processes. Flow items represent individual steps ranging from notifications to provisioning actions or external API calls. Flow policies define the triggering conditions based on lifecycle events, user attributes, or resource characteristics. Integration points enable workflows to connect with external systems and services, allowing lifecycle processes to coordinate activities across the entire enterprise.
Audit Trails and Compliance Support
Identity lifecycle management generates comprehensive audit trails that support regulatory compliance and security investigations.
Lifecycle Event Logging captures a complete history of provisioning and deprovisioning actions with timestamps and initiator information for all identity changes. It tracks both automated policy executions and manual administrative interventions while retaining historical role assignments and access grants according to configured retention policies.
Reporting Capabilities provide pre-built compliance reports for common regulatory requirements, custom query capabilities against Identity Warehouse data for ad-hoc analysis, and access certification support through historical lifecycle event data. Integration with external SIEM and analytics platforms enables centralized security monitoring.
These audit capabilities provide the evidence required for compliance frameworks including SOX, HIPAA, GDPR, and industry-specific regulations while supporting operational troubleshooting and security investigations.