JML, joiners, movers and leavers. How to make it work well in your business


If I had a £1 for every time someone used the dreaded acronym JML during my career then I wouldn’t need to work anymore. Its usually followed by “… is rubbish” or preceded by “We need a better process for….”. The reality is, understanding who is joining your business, who is moving roles or departments or who is sadly leaving your business is a challenge. Here’s my thoughts on how to make this process slick(er)

So lets start this off by making it clear – this is a huge challenge because it requires people outside of the typical ‘IT team’. It’s going to need business buy-in, from managers, to HR, to payroll – everyone needs to agree on a process, and everyone needs to follow it.

The most bizarre comments I’ve heard over the years are almost comical, from “It’s not ITs fault – this is a business issue”, to “It’s all ITs fault, this is nothing to do with the wider business”. Reality is, it needs everyone.

So what do I mean by joiners, movers and leavers? Some of our American friends will refer to this as onboarding and offboarding, but its essentially the processes that describe people joining your business, people leaving your business, and people changing roles within your business. You need to have a process for all of them. Why you may ask….? If you’re not bored yet – I’ll explain anyway 😀


Its 2021, and social media exists, just as well as word of mouth, and if your new employee has problem such as their user account not being created, their laptop hasn’t been delivered, or they have to open up a call with IT to install an app that they need to do their job, your process has failed. The employee of today, rightly or wrongly, is more than happy to tell ex-colleagues, friends, etc about their poor experience, much like they had a bad retail experience.

From a business perspective, from day #1, you’re paying that employee to work. The longer they can’t do their job, the more money is going down the drain. It’s as simple as that.

Auditors. Yes, everyone’s favourite. But that process is something that auditors want to see. How do you know that Julie, who is supposed to be working in Payroll is real – and that she is authorised to access that application?


Movers aren’t those folk who help you move house, these are internal role changes. So if Frank in Marketing has taken on a role in IT – you need to know about it. Payroll need to know, HR need to know, and so do IT.

Also, Frank wants you all to know. So, just like the new employee, he gets the required access and tools to do his job.

His old manager should want a slick process too – he no longer wants Frank to access his team’s files, nor does he want Frank using expensive Marketing applications licences.


This is the big one. This is the one that everyone should be interested in. The employee, or should I say ex-employee doesn’t want access to your system anymore. Their old manager certainly doesn’t want them to have access either. Security would have kittens if they did still had access to any application with business-sensitive data. Last but not least, the auditors. This process is their favourite one to interrogate – because this is the one that poses the biggest risk to any business. This is the one that can hand the business fines, and make it front page news.

So doom and gloom over. Everyone gets that this is important, Sam. Its not exciting, but its important. So how do you start putting nice processes together?

2 simple things: Data Mastering & communication.

I could mic-drop and leave it there, but let me explain.

Lets start with the ease one: Communication

This is often the biggest failing in a large business. The people closest to the event, whether that be onboarding, moving or offboarding, are often the ones that don’t communicate it, or don’t know who to communicate this to.

This is the responsibility of the HR / People Team. They own that process, and they know who to tell, or which system to make changes on. What they can’t do though is ensure that everyone follows that process.

Now, onto the second bit: Data Mastering

So its over to us techie folk to make a process work. We don’t know who has joined, who has moved or who has left the business, and honestly we shouldn’t care. What we should do though is understand the best way of automating the process.

First up, listen to the single version of the truth: HR & Payroll. So if someone works at your business, they want to get paid – so who are they going to make sure has the correct details: Payroll. So those guys need to own the master of the data. Not in Active Directory, not in Google Directory, but in your HR/Payroll system. For argument sakes, lets assume this is Workday given its the Gartner Leader in this field.

On its own Workday is a great app I’m sure. But not letting it talk to other critical systems is criminal.

Your identity service holds everyone’s IT user accounts. It is what determines whether you can log on to a computer, onto a SaaS app, maybe even determine whether your pass lets you into the building. For many on-premise enterprises, this is Microsoft Active Directory. For those in the cloud world, this could be Azure AD, Okta, OneLogin, etc. This could in turn give access to file shares or apps based on security groups, etc.

Typical workflow using Data Mastering, a cloud-identity provider and SaaS and on-prem apps

As you can see from the above diagram, using this 3 tier approach gives huge advantages for your JML process. Once the first stage is complete of having the link between your HR system and your Identity provider, you are able to then apply automation and logic to your processes. Lets give some examples:

Scenario #1

Marketing take on a new member of staff and they are added as an employee to the Workday HR system.

Through that system we are able to apply a profile to that user to complete certain fields that we replicate down to our Identity provider, such as department, role, start date, etc.

Those in turn add users to groups in the IdP which provide single sign on to specific apps, but more importantly via SCIM, provision those apps for them. So effectively, without any involvement with IT, that new member of staff in Marketing has an account set up in Office 365, and in the on-prem AD, set them up an account in Salesforce with the correct roles and installed apps on their machines using their UEM tool, such as Workspace One.

Scenario #2

Tom from IT leaves the business at short notice, so HR are informed. HR mark him as a leaver in the HR system, Workday in this case, and this in turn suspends his account in the IDP which goes out to all SCIM enabled SaaS apps and disables their account to prevent any unauthorised apps, or loss of company data.

Scenario #3

Ikram moves roles within the business, changing job title and location. HR update his details within the HR system, and these fields are replicated to the IDP. As there are rules applying to his job title and location this determines which apps, and access Ikram has – so there are no issues when he starts his new role and his old team know that only the right people have access to their data.

Hopefully those examples show why committing to data mastering, SSO and user provisioning technologies has benefits aside from just usability for your user estate. It ensures a robust process for securing data, securing access and even plays a key role in software asset management.

Leave a Reply