# Access Governance Pillars

### 🔄 **Joiner–Mover–Leaver (JML) Framework**

JML is the operational lifecycle of identity and access. It standardizes how organizations grant, change, and remove access as people move through their employment lifecycle.

| Phase      | What it means conceptually                                                                                                                               |
| ---------- | -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Joiner** | When a new identity enters your environment. Access should be granted automatically and consistently based on role, department, and security policy.     |
| **Mover**  | When an existing identity changes role, department, or scope of work. Access should adapt - adding what’s needed, revoking what’s no longer appropriate. |
| **Leaver** | When an identity leaves the organization or no longer requires access. Access should be revoked quickly and fully, closing accounts and reducing risk.   |

💡 *Why it matters:* JML reduces onboarding friction, prevents permission creep, and helps organizations meet compliance requirements.

***

### 🏷️ **Role-Based Access Control (RBAC)**

RBAC is a method of regulating access based on the roles of individual users within an organization.

* **Roles group permissions** into logical sets aligned to job functions (e.g., Sales Rep, Finance Analyst, Support Engineer).
* **Users are assigned to roles**, not directly to individual permissions.
* **Applications and systems map their entitlements** to those roles.

Benefits:

* Scales access assignment across hundreds or thousands of users.
* Simplifies audits - “this person has this access because they are in this role.”
* Reduces manual approval bottlenecks.

💡 *Why it matters:* RBAC lets you express business logic in a technical model, making access predictable and auditable.

***

### 🔒 **Least Privilege**

Least Privilege is the principle of granting **the minimum access necessary** for a user (or system) to perform its function.

* Access is limited to only what is strictly required - nothing more.
* Permissions should be regularly reviewed and adjusted as duties change.
* Elevated privileges should be time-bound or just-in-time.

Benefits:

* Reduces the attack surface of your organization.
* Minimizes the impact of compromised accounts.
* Helps demonstrate strong controls to auditors.

💡 *Why it matters:* Even with perfect RBAC and JML, if roles themselves are too permissive, you still have excess risk. Least Privilege forces continual tightening.

***

### 🧩 **How These Pillars Work Together**

* **JML** defines *when* access should change.
* **RBAC** defines *what* access should be assigned.
* **Least Privilege** defines *how much* access is appropriate.

Together they create a system where access is provisioned automatically at onboarding, adapts to role changes, and is revoked at offboarding - always with the minimum necessary rights.
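The sketch below shows how the three pillars combine into one reconciliation step. It is an added example, not part of the original page or of any product's implementation, and the role names, entitlement strings, and the `plan_access` function are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed RBAC catalogue: role -> entitlements (all names hypothetical).
ROLE_ENTITLEMENTS = {
    "sales_rep": {"crm:read", "crm:write", "email:use"},
    "finance_analyst": {"erp:read", "reports:read", "email:use"},
}

def plan_access(event, current, elevated=None, now=None):
    """Return (grant, revoke) entitlement sets for one JML event.

    event:    {"type": "joiner" | "mover" | "leaver", "role": str or None}
    current:  set of entitlements the identity holds today
    elevated: {entitlement: expiry datetime} for time-bound grants
    """
    now = now or datetime.now(timezone.utc)
    kind = event["type"]
    if kind == "leaver":
        desired = set()  # full revocation, including any elevation
    elif kind in ("joiner", "mover"):
        role = event.get("role")
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role: {role!r}")  # fail closed
        desired = set(ROLE_ENTITLEMENTS[role])
        # Least privilege: elevation survives only until its expiry.
        desired |= {e for e, exp in (elevated or {}).items() if exp > now}
    else:
        raise ValueError(f"unknown event type: {kind!r}")
    # Anything held but no longer desired is permission creep: revoke it.
    return desired - current, current - desired

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    held = ROLE_ENTITLEMENTS["sales_rep"] | {"admin:console"}
    expired = {"admin:console": now - timedelta(hours=1)}
    grant, revoke = plan_access(
        {"type": "mover", "role": "finance_analyst"}, held, expired, now)
    print("grant:", sorted(grant))
    print("revoke:", sorted(revoke))
```

Running the same function on every HR event, and on a schedule to catch expired elevation, keeps held access converging on what the role allows.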

