Joiner Mover Leaver (JML)

Automate user lifecycle management in Cakewalk. Learn how Joiner–Mover–Leaver (JML) workflows handle onboarding, role changes and offboarding to keep access aligned and least-privilege enforced.

👥 Who It Applies To

| Role | Capabilities |
| --- | --- |
| Admins | Configure and monitor JML workflows across the organization. |
| Managers | Trigger onboarding and offboarding for their own reports. |


📖 Key Concepts

  • Joiner: A new employee or contractor starting at your company. Onboarding ensures they receive the right apps and permissions from day one.

  • Mover: An existing employee changing role, team, or department. Movers trigger adjustments to apps and permission levels in line with their new responsibilities.

  • Leaver: An employee or contractor exiting the company. Offboarding removes their access, ensuring no orphaned or stale accounts remain.

💡 Why this matters: JML workflows automate lifecycle management, enforce least privilege, reduce IT workload and close security gaps during role changes.


🛠 JML Workflows

Joiner (Onboarding)

  • Definition: Bringing a new user into the organization with the right baseline apps and permissions.

  • Navigation: User Overview → +New (manual) or auto-sync from HRIS/IdP.

  • How it works:

    • Synced users (HRIS/IdP): Cakewalk creates a Review onboarding task, which must be confirmed before onboarding starts.

    • Manual onboarding: Onboarding begins immediately once the Admin or Manager creates the user.

    • After confirmation (for synced) or creation (for manual), apps and permissions are assigned based on group membership and selected apps.

  • Outcome: User becomes Active in Cakewalk with all required apps and access.

  • Why this matters: Automated joiners are validated before activation, while manual joiners allow immediate onboarding when speed is required.


Mover (Role/Team Change)

  • Definition: Updating access automatically when users change roles, teams, or departments.

  • Navigation: User Overview → Edit User or triggered via HRIS/IdP sync.

  • How it works:

    • Group membership is updated (via sync or manually).

    • Grant Access requests for default apps in the new group are created automatically and routed to the appropriate assignees according to your policies.

    • If provisioning is automated (via IdP or Agent Cake), accounts are provisioned automatically.

    • Remove Access requests for apps no longer needed are also auto-created.

  • Outcome: Access footprint aligns with the user’s current responsibilities.

  • Why this matters: Prevents over-permissioning and ensures least privilege as roles evolve.
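
The access diff behind a mover event, as an added Python illustration that is not Cakewalk's code. The group names, app names and the rule that an app is "no longer needed" when it was a default of the old groups but is not a default of any new group are assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy (hypothetical names): group -> default apps.
GROUP_DEFAULT_APPS = {
    "engineering": {"github", "jira", "slack"},
    "sales": {"salesforce", "slack"},
    "on-call": {"pagerduty", "github"},
}

@dataclass(frozen=True)
class AccessRequest:
    kind: str   # "grant" or "remove"
    user: str
    app: str

def default_apps(groups):
    """Union of default apps over every group the user belongs to."""
    apps = set()
    for group in groups:
        apps |= GROUP_DEFAULT_APPS.get(group, set())
    return apps

def mover_requests(user, current_access, old_groups, new_groups):
    """Requests that a group change should produce.

    Grant:  defaults of the new groups that the user does not hold yet.
    Remove: apps held through the old groups' defaults that no new group
            covers. Access granted outside group defaults is not touched
            here (assumption: that is left to access reviews).
    """
    old_defaults = default_apps(old_groups)
    new_defaults = default_apps(new_groups)
    grants = new_defaults - current_access
    removals = (current_access & old_defaults) - new_defaults
    requests = [AccessRequest("grant", user, a) for a in sorted(grants)]
    requests += [AccessRequest("remove", user, a) for a in sorted(removals)]
    return requests

if __name__ == "__main__":
    # Constructed case: engineering + on-call moves to sales + on-call.
    held = {"github", "jira", "slack", "pagerduty", "figma"}
    moved = mover_requests("dana", held,
                           {"engineering", "on-call"}, {"sales", "on-call"})
    for request in moved:
        print(request)
```

In the constructed case `github` is kept because the on-call group still lists it as a default, so only `jira` is removed and only `salesforce` is granted.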


Leaver (Offboarding)

  • Definition: Revoking access and cleaning up accounts when a user leaves the company.

  • Navigation: User Overview → contextual menu → Offboard user (manual) or auto-sync from HRIS/IdP.

  • How it works:

    • Synced users (HRIS/IdP): Cakewalk creates a Review offboarding task, which must be confirmed before removals begin.

    • Manual offboarding: Admins or Managers set the user to offboarding manually, which immediately generates removal requests.

    • Once confirmed (for synced) or triggered (for manual), Cakewalk generates removal requests for all apps the user has access to.

    • Before initiating the offboarding process for Managers or App Owners, a successor needs to be designated for each direct report and owned app.

    • When all tasks are complete, user status changes to Deactivated.

  • Outcome: All access is removed consistently and the history is logged for audits.

  • Why this matters: Ensures all access is removed on time, closing gaps that could leave orphaned accounts or active sessions exploitable after someone leaves.


Setting Up Assignees for On/Offboarding Tasks

  • Navigation: Settings → Data sources → Users → Manage integration roles.

  • How it works:

    • Define which tasks should be created for each event (Joiner, Mover, Leaver).

    • Assign default assignees for each task (e.g., Admin(s), Manager).

    • Save configuration.

    • When onboarding/offboarding is triggered: Tasks (e.g., Review onboarding/offboarding) are created and routed for confirmation.

  • Why this matters: Ensures steps are consistently handled by the right assignee according to your company guidelines.


Monitoring & Reporting

  • Status Transitions: JML workflows are reflected in the user’s status (Discovered → Active → Offboarding → Deactivated).

  • Audit Logs: Every JML action is recorded, ensuring traceability.

  • Reviews: Dormant accounts or missed removals are flagged in access reviews.

  • On/offboarding overview: View all pending and upcoming offboarding to track progress and follow up with assignees of outstanding tasks for timely completion.

  • Why this matters: Auditable JML flows support ISO 27001, SOC 2 and other compliance frameworks.
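
A reconciliation pass of the kind an access review performs, as an added Python illustration that is not Cakewalk's code. The 90-day dormancy threshold, the sample users and the account export format are assumptions; only the status names come from this page.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not defined on the page

# Constructed sample data: user -> lifecycle status.
USER_STATUS = {
    "alice": "Active",
    "bob": "Deactivated",
    "carol": "Offboarding",
    "dave": "Active",
}

# Constructed per-app account export: (app, account owner, last login or None).
APP_ACCOUNTS = [
    ("github", "alice", date(2024, 5, 28)),
    ("github", "bob", date(2024, 3, 1)),
    ("jira", "carol", date(2024, 5, 30)),
    ("salesforce", "dave", date(2024, 1, 10)),
    ("slack", "erin", None),
]

def review_findings(user_status, accounts, today):
    """Flag accounts that should not exist or are no longer used."""
    findings = []
    for app, owner, last_login in accounts:
        status = user_status.get(owner)
        if status is None:
            # Account with no matching user record at all.
            findings.append((app, owner, "orphaned account"))
        elif status == "Deactivated":
            # Offboarding finished, yet the account still exists.
            findings.append((app, owner, "missed removal"))
        elif status == "Active" and (
            last_login is None or today - last_login > DORMANT_AFTER
        ):
            findings.append((app, owner, "dormant account"))
        # "Offboarding" users still have removals in progress: no finding.
    return findings

if __name__ == "__main__":
    for finding in review_findings(USER_STATUS, APP_ACCOUNTS, date(2024, 6, 1)):
        print(finding)
```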


📋 JML Actions at a Glance

| Action | Who performs it | What happens | Why it matters |
| --- | --- | --- | --- |
| Onboard (Joiner) | Admins, Managers | User added manually (immediate) or via HRIS/IdP sync (review task first) → default apps provisioned | Fast, compliant onboarding with governance checkpoints |
| Update access (Mover) | Admins | Group/role changes update access automatically | Enforces least privilege, avoids over-permissioning |
| Offboard (Leaver) | Admins, Managers | Manual offboarding triggers removals immediately; synced offboarding creates a review task first | Prevents stale/orphaned accounts while keeping governance controls |
| Configure JML tasks | Admins | Define default assignees for Joiner and Leaver events | Ensures consistency and accountability |
| Monitor JML status | Admins | User status transitions logged for each event | Provides audit trail for compliance |
