Joiner-mover-leaver wired into IdP
Demonstrate that identity lifecycle events (new hires, role changes, terminations) originating from authoritative HR sources automatically trigger provisioning, modification, and deprovisioning actions across connected systems via the IdP without manual intervention.
Description
What this control does
This control ensures that joiners (new hires), movers (role changes), and leavers (terminations) are automatically provisioned, updated, and deprovisioned in all connected systems through integration with the organization's Identity Provider (IdP). The HR system remains the authoritative source of truth for lifecycle events; the IdP consumes those events (via an HR connector or a SCIM feed from the HR system) and triggers automated workflows that adjust access rights across SaaS applications, on-premises systems, and cloud infrastructure according to HR attributes such as department, job title, and location. This eliminates manual access requests for common scenarios, reduces provisioning delays, and ensures timely revocation of access when employees leave or change roles.
Control objective
What auditing this proves
Demonstrate that identity lifecycle events (new hires, role changes, terminations) originating from authoritative HR sources automatically trigger provisioning, modification, and deprovisioning actions across connected systems via the IdP without manual intervention.
Associated risks
Risks this control addresses
- Terminated employees retain access to systems and data due to delayed or forgotten manual deprovisioning steps
- New employees wait days or weeks for necessary access, delaying productivity and creating pressure to grant excessive temporary permissions
- Employees changing roles accumulate excessive permissions (privilege creep) because old access is not revoked when new access is granted
- Unauthorized access occurs when provisioning relies on email-based approvals or tickets that can be forged or manipulated
- Inconsistent provisioning creates audit findings and compliance violations due to lack of traceability between HR records and system access
- Manual provisioning errors grant incorrect access levels, violating least privilege and separation of duties requirements
- Insider threats exploit windows of opportunity between role changes and manual access updates to exfiltrate data or abuse privileges
Testing procedure
How an auditor verifies this control
- Obtain and review the architectural documentation showing integration points between the HR system, the IdP, and downstream target systems, including the provisioning protocol used to push lifecycle changes (typically SCIM) and the federation protocols used for sign-in (SAML, OIDC). Note which applications are only federated for authentication but not provisioned, since a SAML/OIDC integration alone does not deprovision anything.
- Export and examine IdP provisioning rules, workflow configurations, and role-mapping logic that translate HR attributes (department, job title, location) into access entitlements.
- Review the authoritative source configuration within the IdP to confirm the HR system is designated as the single source of truth for identity lifecycle events.
- Select a representative sample of 10-15 joiner events from the past quarter and trace each from HR system record creation through IdP provisioning logs to target system access grants, documenting timestamps and automation evidence.
- Select a sample of 10-15 mover events (internal transfers, promotions) and verify that both new access was granted AND prior role-specific access was revoked automatically, checking for permission accumulation.
- Select a sample of 10-15 leaver events and confirm that access was deprovisioned across all connected systems within the defined SLA (typically same business day), examining IdP logs and target system audit trails. Check that deprovisioning included revocation of active sessions and refresh tokens, not only account deactivation, because deactivating an account in the IdP does not by itself invalidate sessions and tokens that downstream applications have already issued.
- Identify any systems not integrated with the IdP and assess whether manual provisioning processes exist as compensating controls with documented approval and review procedures.
- Test one simulated lifecycle event in a non-production environment by creating a test user in the HR system and observing end-to-end automated provisioning through to target system access, documenting each automated step and timestamp.
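The sampling steps above (trace joiners to their first automated grant, check movers for retained prior-role access, check leavers against the deprovisioning SLA and for entitlements still present in target systems) can be carried out as a reconciliation over three exports: HR events, IdP provisioning logs, and a current entitlement snapshot from the target systems. The following is an added example written for this page, not the control's or any IdP vendor's code. The role-mapping rules, the automation actor name `svc:hr-sync`, the SLAs, and all users, entitlements and log lines are constructed for illustration; a real run would load the IdP's system log export and SCIM/target-system reports in place of the inline data.

```python
from datetime import datetime, timedelta

# --- Hypothetical configuration, stands in for the IdP's exported rules -----
# Role-mapping rules: (department, title) -> entitlements the IdP should grant.
ROLE_RULES = {
    ("Engineering", "Software Engineer"): {"github:eng", "aws:dev-readonly"},
    ("Engineering", "Platform Engineer"): {"github:eng", "aws:platform-admin"},
    ("Finance", "Analyst"): {"erp:reporting", "drive:finance"},
}
BASELINE = {"sso:everyone", "chat:workspace"}  # granted to every active employee
AUTOMATION_ACTOR = "svc:hr-sync"               # the only actor expected to provision
JOINER_SLA = timedelta(hours=24)
LEAVER_SLA = timedelta(hours=8)


def ts(s):
    return datetime.fromisoformat(s)


def expected_entitlements(hr):
    """Translate an HR record into the entitlements the mapping rules imply."""
    if hr["status"] != "active":
        return set()
    return BASELINE | ROLE_RULES.get((hr["department"], hr["title"]), set())


def reconcile(hr_events, idp_log, snapshot):
    """Return (user, finding) tuples for the sampled HR events."""
    findings = []
    by_user = {}
    for e in idp_log:
        by_user.setdefault(e["user"], []).append(e)
        # Any grant not performed by the automation actor is manual intervention.
        if e["action"] == "grant" and e["actor"] != AUTOMATION_ACTOR:
            findings.append((e["user"], f"manual grant of {e['entitlement']} by {e['actor']}"))

    for hr in hr_events:
        user, when = hr["user"], ts(hr["time"])
        log = by_user.get(user, [])
        held = snapshot.get(user, set())
        expected = expected_entitlements(hr)

        if hr["event"] == "hire":
            grants = [ts(e["time"]) for e in log if e["action"] == "grant" and ts(e["time"]) >= when]
            if not grants:
                findings.append((user, "joiner: no automated grant found"))
            elif min(grants) - when > JOINER_SLA:
                findings.append((user, f"joiner: first grant after {min(grants) - when}, over SLA"))
            if expected - held:
                findings.append((user, f"joiner: missing {sorted(expected - held)}"))

        elif hr["event"] == "transfer":
            # Mover check: anything held beyond the new role's expected set is privilege creep.
            if held - expected:
                findings.append((user, f"mover: retains {sorted(held - expected)} from prior role"))

        elif hr["event"] == "termination":
            deact = [ts(e["time"]) for e in log if e["action"] == "deactivate" and ts(e["time"]) >= when]
            if not deact:
                findings.append((user, "leaver: never deactivated in IdP"))
            elif min(deact) - when > LEAVER_SLA:
                findings.append((user, f"leaver: deactivated after {min(deact) - when}, over SLA"))
            if held:
                findings.append((user, f"leaver: still holds {sorted(held)} in target systems"))
    return findings


# --- Constructed sample exports (not real data) -----------------------------
HR_EVENTS = [
    {"user": "alice", "event": "hire", "time": "2024-03-04T09:00:00",
     "department": "Engineering", "title": "Software Engineer", "status": "active"},
    {"user": "bob", "event": "transfer", "time": "2024-03-11T09:00:00",
     "department": "Finance", "title": "Analyst", "status": "active"},
    {"user": "carol", "event": "termination", "time": "2024-03-15T17:00:00",
     "department": "Engineering", "title": "Platform Engineer", "status": "terminated"},
]
IDP_LOG = [
    {"time": "2024-03-04T09:02:00", "user": "alice", "actor": "svc:hr-sync", "action": "grant", "entitlement": "sso:everyone"},
    {"time": "2024-03-04T09:02:00", "user": "alice", "actor": "svc:hr-sync", "action": "grant", "entitlement": "chat:workspace"},
    {"time": "2024-03-04T09:02:01", "user": "alice", "actor": "svc:hr-sync", "action": "grant", "entitlement": "github:eng"},
    {"time": "2024-03-04T09:02:01", "user": "alice", "actor": "svc:hr-sync", "action": "grant", "entitlement": "aws:dev-readonly"},
    {"time": "2024-03-11T09:03:00", "user": "bob", "actor": "svc:hr-sync", "action": "grant", "entitlement": "erp:reporting"},
    {"time": "2024-03-11T10:45:00", "user": "bob", "actor": "admin:dave", "action": "grant", "entitlement": "drive:finance"},
    {"time": "2024-03-18T11:30:00", "user": "carol", "actor": "admin:dave", "action": "deactivate"},
]
SNAPSHOT = {
    "alice": {"sso:everyone", "chat:workspace", "github:eng", "aws:dev-readonly"},
    "bob": {"sso:everyone", "chat:workspace", "github:eng", "aws:dev-readonly", "erp:reporting", "drive:finance"},
    "carol": {"aws:platform-admin"},  # orphaned in the target system after termination
}

if __name__ == "__main__":
    for user, finding in reconcile(HR_EVENTS, IDP_LOG, SNAPSHOT):
        print(f"{user}: {finding}")
```

On the constructed data the script reports nothing for alice (provisioned in two minutes with exactly the expected set), one manual grant and retained engineering access for bob, and a late manual deactivation plus an orphaned `aws:platform-admin` entitlement for carol. The snapshot comparison covers entitlements only; whether sessions and tokens were also revoked has to be read from the target systems' own audit trails.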
Where this control is tested