This is the typical question: how does the IAM system handles joiner, mover and leaver scenarios.

Because that's the way people live: they join, move and leave. Be born, live and die.

Well, the good thing is that the model supports these scenario's.

The minor catch is that nothing works without configuring.....

Joiner

Typically, joiners are introduced in the organisation's HR system, weather this is SAP or another system depends on the organisation.

Typically, right after that, the identities are created in AD and receive their password.

Now, either you introduce a live sync with the source target system of the HR department, via flat files or direct connector and AD creation is done by the IAM tool.

Either a live sync is configured with AD. This scenario has less impact on the existing processes in an organisation.

These are two common scenarios for joiner scenarios.

A third one is the manual creation of the identity by the organisation administrator.

Mover

The model supports easy transition from one organisation or department to another.

With a start and end date defined on the organisation assignment, a flawless transition can be achieved.

Since provisioning rules take into account these temporal constraints, users will be automatically provisioned with their new organisation(s).

Leaver

For leavers, the same logic as for movers is applicable.

Once the temporal validity of the organisation is expired, provisioning rules will deprovision the identity in underlying systems.