Joiner-Mover-Leaver Awareness

Manage access rights through role transitions.

What Is Joiner-Mover-Leaver Awareness?

Every time someone joins your company, changes roles, or leaves, their access permissions need to change with them. When that process breaks down, the consequences are serious: former employees retain access to sensitive systems, transferred staff accumulate permissions they no longer need, and new hires wait days for the tools they require while finding workarounds that bypass security controls.

This simulation places you in three distinct scenarios. First, you onboard a new hire and must determine the correct access level for their role without granting more than necessary. Second, you manage a lateral move where an employee shifts from finance to marketing and should lose access to financial systems they no longer use. Third, you process a departure where an employee's last day is tomorrow and you need to coordinate credential revocation, device return, and shared account handover.

Each scenario includes realistic complications: a manager requesting exceptions, a departing employee who forwarded files to a personal email, and a new hire who needs emergency access to a client system on day one.

What You'll Learn in Joiner-Mover-Leaver Awareness

Joiner-Mover-Leaver Awareness — Training Steps

  1. A New Role at Crestfield

    Each role transition meant changes to your system access - but have those changes always been handled correctly?

  2. The JML Training Notification

    As part of her role transition, Alice receives an email about required Joiner-Mover-Leaver (JML) awareness training. This training is mandatory for all employees who have recently changed roles.

  3. Logging Into the IAM Portal

    The Identity and Access Management (IAM) Portal opens. This centralized system manages all employee access throughout their lifecycle at Crestfield. Alice uses her password manager to log in securely.

  4. Understanding JML

    The training portal displays an overview of the Joiner-Mover-Leaver lifecycle. Let's examine each stage of the employee access journey.

  5. The Risks of Poor JML

    The portal highlights real-world consequences of improper access management. Each risk represents a common security gap that attackers actively exploit.

  6. A Real Breach Example

    The training shares a case study from the insurance industry:

    Case: Orphaned Account Breach

    An insurance company failed to revoke access for a claims adjuster who resigned. Three months later, attackers purchased the former employee's credentials from a dark web marketplace (from an unrelated data breach where the employee reused their work password). Using the still-active account, attackers accessed 50,000 customer records over several weeks before detection.

    Root cause: No automated JML process - HR notified IT via email, which was missed.

  7. Your JML Responsibilities

    The portal displays your responsibilities as an employee during JML events:

    As a Mover (Role Transition):

    - Notify your manager of any access you no longer need
    - Complete access certification reviews promptly
    - Report if you still have access to old systems after transitioning
    - Never use old access 'just in case' - request temporary access properly

    Helping Colleagues:

    - If a departing colleague asks to 'use your login,' decline and report it
    - If you notice a former employee still has access, report it to IT
    - Never share credentials during knowledge transfer

  8. Manager Responsibilities

    The training explains what managers must do during JML events:

    For Joiners:

    - Submit access requests before start date
    - Specify only the access needed for the role
    - Review and approve provisioned access

    For Movers:

    - Review current access and request removal of unneeded permissions
    - Submit new access requests for new role requirements
    - Complete the transition within 5 business days

    For Leavers:

    - Notify HR and IT immediately upon resignation/termination
    - Ensure knowledge transfer happens without credential sharing
    - Verify access revocation is complete before last day

  9. Your Access Status

    As part of your role transition, the portal shows your current access status:

    Access Being Removed (Previous Roles):

    - Claims Processing System (Read/Write) - Revoked
    - Claims Approval Queue (Approver) - Revoked
    - Underwriting Portal (Full Access) - Flagged for removal
    - Policy Rating Engine (Analyst) - Flagged for removal

    Access Being Granted (New Role):

    - Enterprise Risk Dashboard (Analyst) - Pending approval
    - Risk Assessment System (Senior Analyst) - Pending approval
    - Regulatory Reporting Portal (Viewer) - Pending approval

  10. Flagged Access Requiring Action

    The portal highlights access that requires your confirmation:

    Underwriting Portal (Full Access)

    You had full access from your Underwriting role. Your manager has flagged this for removal, but the system detected you accessed it last week.

    Question: Do you still need this access for your new role?

    Alice considers: Her new role in Enterprise Risk doesn't require direct underwriting access. She can request temporary read-only access if needed for specific projects.
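
The orphaned account in step 6 and the flagged mover access in steps 9 and 10 are both gaps that a reconciliation of the HR roster against an IAM export can surface. The Python below is an added example, not part of the training or of any Crestfield system; the user names, dates, role keys and role baselines are constructed assumptions, and only the system names are taken from the portal text above.

```python
from datetime import date, timedelta

# Constructed HR roster (source of truth for employment status and current role).
HR_ROSTER = {
    "alice": {"status": "active", "role": "enterprise_risk"},
    "bob": {"status": "terminated", "role": "claims"},
}

# Assumed role baselines, using the system names shown in the training portal.
ROLE_BASELINE = {
    "enterprise_risk": {"Enterprise Risk Dashboard", "Risk Assessment System",
                        "Regulatory Reporting Portal"},
    "claims": {"Claims Processing System", "Claims Approval Queue"},
}

# Constructed IAM export: enabled flag plus each entitlement's last-use date.
IAM_ACCOUNTS = {
    "alice": {"enabled": True, "entitlements": {
        "Enterprise Risk Dashboard": date(2024, 6, 3),
        "Underwriting Portal": date(2024, 5, 29),
        "Policy Rating Engine": date(2024, 1, 15)}},
    "bob": {"enabled": True, "entitlements": {
        "Claims Processing System": date(2024, 2, 27)}},
    "carol": {"enabled": True, "entitlements": {}},  # no HR record at all
}

def reconcile(roster, accounts, baselines, today, recent_days=14):
    """Return sorted (user, finding, detail) tuples for leaver and mover gaps."""
    findings = []
    for user, acct in accounts.items():
        if not acct["enabled"]:
            continue
        hr = roster.get(user)
        # Leaver gap: an enabled account with no active employee behind it.
        if hr is None or hr["status"] != "active":
            reason = "no HR record" if hr is None else f"HR status {hr['status']}"
            findings.append((user, "orphaned_account", reason))
            continue
        # Mover gap: entitlements outside the baseline of the current role.
        allowed = baselines.get(hr["role"], set())
        for name, last_used in acct["entitlements"].items():
            if name in allowed:
                continue
            recent = (today - last_used) <= timedelta(days=recent_days)
            kind = "excess_recently_used" if recent else "excess_unused"
            findings.append((user, kind, name))
    return sorted(findings)

FINDINGS = reconcile(HR_ROSTER, IAM_ACCOUNTS, ROLE_BASELINE, date(2024, 6, 5))
```

An `excess_recently_used` finding corresponds to the portal's flagged case: the entitlement is outside the new role but was used after the move, so it needs a confirmation from the employee or manager rather than silent removal.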