# Joiner Mover Leaver (JML)

### 👥 **Who It Applies To**

| Role         | Capabilities                                                 |
| ------------ | ------------------------------------------------------------ |
| **Admins**   | Configure and monitor JML workflows across the organization. |
| **Managers** | Trigger onboarding and offboarding for their own reports.    |

***

### 📖 **Key Concepts**

* **Joiner**: A new employee or contractor starting at your company. Onboarding ensures they receive the right apps and permissions from day one.
* **Mover**: An existing employee changing role, team, or department. Movers trigger adjustments to apps and permission levels in line with their new responsibilities.
* **Leaver**: An employee or contractor exiting the company. Offboarding removes their access, ensuring no orphaned or stale accounts remain.

💡 **Why this matters**: JML workflows automate lifecycle management, enforce least privilege, reduce IT workload and close security gaps during role changes.

***

### 🛠 JML Workflows

#### Joiner (Onboarding)

* **Definition**: Bringing a new user into the organization with the right baseline apps and permissions.
* **Navigation**: User Overview → +*New* (manual) or auto-sync from HRIS/IdP.
* **How it works:**
  * **Synced users (default)**: Cakewalk creates a *Review onboarding* task, which must be confirmed before onboarding starts.
  * **Synced users (No-Touch Onboarding)**: If you enable No-Touch Onboarding for a synced IdP group, new users in that group are onboarded automatically. No review task is created. All default apps from the user's assigned groups are provisioned immediately.
  * **Manual onboarding**: Onboarding begins immediately once the Admin or Manager creates the user.
  * After confirmation (for synced default), automatic provisioning (for no-touch) or creation (for manual), apps and permissions are assigned based on group membership and selected apps.
* **Outcome**: User becomes *Active* in Cakewalk with all required apps and access.
* **Why this matters**: Synced joiners are validated before activation by default. No-Touch Onboarding removes this step for high-volume teams. Manual joiners allow immediate onboarding when speed is required.

> 💡 No-Touch Onboarding is configured in your HRIS/IdP Users integration settings. See [HRIS & IdP](/connections-and-integrations/hris-and-idp.md) for setup instructions.

***

#### Mover (Role/Team Change)

* **Definition**: Updating access automatically when users change roles, teams, or departments.
* **Navigation**: User Overview → Edit User or triggered via HRIS/IdP sync.
* **How it works**:
  * Group membership is updated (via sync or editing the group in Cakewalk).
  * *Grant Access* requests for default apps in the new group are created automatically and routed to the appropriate assignees according to your policies.
  * If provisioning is automated (via IdP or Agent Cake), accounts are provisioned automatically.
  * *Remove Access* requests for apps no longer needed are also auto-created.
* **Outcome**: Access footprint aligns with the user’s current responsibilities.
* **Why this matters**: Prevents over-permissioning and ensures least privilege as roles evolve.
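
The Mover steps above amount to a diff over group default apps. The sketch below is an added illustration, not Cakewalk's code or API; the group names, app names and function names are constructed for the example. It shows the case that matters for least privilege: an app still covered by a remaining group must not be removed.

```python
# Illustrative model of a Mover event; not Cakewalk's implementation.
# Constructed sample: default apps per group.
GROUP_DEFAULT_APPS = {
    "engineering": {"GitHub", "Jira", "Slack"},
    "sales": {"Salesforce", "Slack"},
    "on-call": {"PagerDuty", "Jira"},
}


def default_apps(groups):
    """Union of default apps across every group the user belongs to."""
    apps = set()
    for group in groups:
        apps |= GROUP_DEFAULT_APPS.get(group, set())
    return apps


def mover_requests(old_groups, new_groups, current_access):
    """Return (grant, remove) app lists for a group membership change."""
    before = default_apps(old_groups)
    after = default_apps(new_groups)
    # Grant Access: defaults of the new groups the user does not hold yet.
    grant = sorted(after - current_access)
    # Remove Access: apps justified only by the old groups and still held.
    # Apps covered by any remaining group stay, and apps that never came
    # from a group default are left for access reviews.
    remove = sorted((before - after) & current_access)
    return grant, remove


if __name__ == "__main__":
    held = {"GitHub", "Jira", "Slack", "PagerDuty", "Figma"}
    grant, remove = mover_requests(
        ["engineering", "on-call"], ["sales", "on-call"], held
    )
    print("Grant Access:", grant)
    print("Remove Access:", remove)
```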

***

#### Leaver (Offboarding)

* **Definition**: Revoking access and cleaning up accounts when a user leaves the company.
* **Navigation**: User Overview → contextual menu → *Offboard user* (manual) or auto-sync from HRIS/IdP.
* **How it works**:
  * **Synced users (HRIS/IdP)**: Cakewalk creates a *Review offboarding* task, which must be confirmed before removals begin.
  * **On-demand offboarding**: Admins or Managers initiate the user's offboarding directly in Cakewalk, which immediately generates removal requests.
  * Once confirmed (for synced) or triggered (for manual), Cakewalk generates removal requests for all managed apps the user has access to.
  * If the leaver is a Manager or App Owner, a successor must be designated for each direct report and owned app before offboarding can be initiated.
  * When all tasks are complete, user status changes to *Deactivated*.
* **Outcome**: All access is removed consistently and the history is logged for audits.
* **Why this matters**: Ensures all access is removed on time, closing gaps that could leave orphaned accounts or active sessions exploitable after someone leaves.

***

#### Setting Up Assignees for On/Offboarding Tasks

* **Navigation**: Settings → Data sources → Users → *Manage integration roles*.
* **How it works**:
  * Define which tasks should be created for each event (Joiner, Mover, Leaver).
  * Assign default assignees for each task (e.g., Admin(s), Manager).
  * Save configuration.
  * When onboarding/offboarding is triggered: Tasks (e.g., Review onboarding/offboarding) are created and routed for confirmation.
* **Why this matters**: Ensures steps are consistently handled by the right assignee according to your company guidelines.

***

#### Monitoring & Reporting

* **Status Transitions**: JML workflows are reflected in the user’s status (Discovered → Active → Offboarding → Deactivated).
* **Audit Logs**: Every JML action is recorded, ensuring traceability.
* **Reviews**: Dormant accounts or missed removals are flagged in access reviews.
* **On/offboarding overview:** See all pending and upcoming offboarding to track progress and follow up with assignees of outstanding tasks for timely completion.
* **Why this matters**: Auditable JML flows support ISO 27001, SOC 2 and other compliance frameworks.
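
The kind of reconciliation an access review performs can be reproduced independently against app account exports. The following is an added example, not Cakewalk's code; the field layout, the sample records and the 90-day dormancy threshold are assumptions. It separates the three findings mentioned on this page: missed removals, orphaned accounts and dormant accounts.

```python
from datetime import date

# Constructed sample data; the layout is an assumption, not Cakewalk's schema.
USERS = {  # email -> lifecycle status
    "ana@example.com": "Active",
    "ben@example.com": "Deactivated",
    "cy@example.com": "Offboarding",
}
ACCOUNTS = [  # (app, email, enabled, last_login)
    ("GitHub", "ana@example.com", True, date(2024, 5, 28)),
    ("Jira", "ana@example.com", True, date(2024, 1, 10)),
    ("Slack", "ben@example.com", True, date(2024, 3, 1)),
    ("GitHub", "ben@example.com", False, date(2024, 3, 1)),
    ("Slack", "cy@example.com", True, date(2024, 5, 30)),
    ("Jira", "old-contractor@example.com", True, date(2023, 11, 2)),
]


def review_findings(users, accounts, today, dormant_days=90):
    """Classify enabled app accounts against user lifecycle status."""
    findings = []
    for app, email, enabled, last_login in accounts:
        if not enabled:
            continue  # a disabled account carries no live access
        status = users.get(email)
        if status is None:
            # No matching user record: nobody owns this account.
            findings.append((app, email, "orphaned"))
        elif status == "Deactivated":
            # Offboarding finished but the account is still enabled.
            findings.append((app, email, "missed removal"))
        elif status == "Active" and (today - last_login).days > dormant_days:
            findings.append((app, email, "dormant"))
        # "Offboarding": removals are still in progress, so not flagged yet.
    return findings


if __name__ == "__main__":
    for finding in review_findings(USERS, ACCOUNTS, date(2024, 6, 1)):
        print(finding)
```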

***

### 📋 **JML Actions at a Glance**

| Action                | Who performs it  | What happens                                                                                                                                   | Why it matters                                                     |
| --------------------- | ---------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ |
| Onboard (Joiner)      | Admins, Managers | User added on demand (immediate), via HRIS/IdP sync (review task first) or via No-Touch Onboarding (no review task) → default apps provisioned | Fast, compliant onboarding with governance checkpoints             |
| Update access (Mover) | Admins           | Group/role changes update access automatically                                                                                                 | Enforces least privilege, avoids over-permissioning                |
| Offboard (Leaver)     | Admins, Managers | On-demand offboarding triggers removals immediately; synced offboarding creates a review task first                                            | Prevents stale/orphaned accounts while keeping governance controls |
| Configure JML tasks   | Admins           | Define default assignees for Joiner and Leaver events                                                                                          | Ensures consistency and accountability                             |
| Monitor JML status    | Admins           | User status transitions logged for each event                                                                                                  | Provides audit trail for compliance                                |


