Mastering IAM Workflow: From Onboarding to Offboarding

Written by Greg Keller on June 15, 2016


The modern office is more decentralized than ever before, with IT resources spanning from on-premises to the cloud and back. We don’t just manage machines, we manage virtual machines. We don’t just manage employees, we manage remote workers.

Then there are the SaaS apps, operating systems (hello, OS X!), and the WiFi networks.

At the core of it all is your company’s identities. Identities are what allow you to keep track of your users, to manage them, and to provision or deprovision access to the ever-growing list of IT resources.

This may sound like a gigantic headache (and it can be), but I often say that a great company is built on great systems. This is where your IAM workflow comes in and saves the day.

What is an Identity Access & Management (IAM) Workflow?

A workflow is the sequence of all the processes that a project goes through from initiation to completion. So, your Identity and Access Management (IAM) workflow is the sequence of processes that your company has established to manage identities across the organization.

An IAM workflow begins with onboarding a user and includes the provisioning of access to all resources, the management of the identity during the entirety of their stay in the directory, and – ultimately – the termination of the identity and the deprovisioning of access to all resources.

Along the way, things will inevitably get complicated. Access control is a dynamic activity within an organization and can be a significant cost center. Building a workflow that makes sense for your organization will help crystallize what type of identity management infrastructure you need to build.

So how do you make a great IAM workflow?

It can be more art than science. Every company is different. But there are some best practices and guidelines that can greatly improve your IAM workflow.

The identity management workflow can be broken into four key areas:

Onboarding
The initial creation of the user. This can occur manually within the identity management system or it could be triggered from an HR system.

The onboarding process includes provisioning the user within the core systems of the company, primarily the email system. As the user is added to the proper groups, access rules are created and account access is provisioned.

Automating account provisioning makes life easier for IT, but it dramatically increases the cost of the solution. The more provisioning automation, the more complex the system, and the more expensive the solution. IT organizations need to weigh the cost / benefit equation of automating the onboarding process. There are different levels of automation, and each of those levels can provide significant benefits to the IT organization.

Note:  Check out the 7 Things IT Must Address when Onboarding New Employees

User Modifications

After the initial setup of access, there are ongoing changes. Those changes often center on a user’s rights, which may need to be expanded or contracted. The user’s information may also need to be modified.

These ongoing changes happen all the time and can pose a serious threat to IT admin productivity. End users calling with password reset requests can distract an IT team from more important tasks. It can also frustrate end users.

An identity management strategy must think through the ongoing user changes and the most efficient way to handle them in an organization based on its size and scope.

Note: Some IAM solutions allow tasks such as resetting passwords, adding SSH keys, or adding multi-factor authentication to be done by the end user without the IT admin’s support or help.

IT Resource Modifications

The other area of ongoing change is the addition and removal of various IT resources. These resources can include devices, applications, and networks.

Any organization is constantly changing its infrastructure even if its headcount is staying flat. Machines break, users need new or different applications, and modifications are made to access rights over time. The more automation that can be leveraged to integrate these changes into the identity management system, the better.

Some, of course, will not be able to be automated, but others may. For example, as an organization’s Infrastructure-as-a-Service servers are scaled, connecting those back to the central identity core can be automated. As new devices are rolled out, the image that is installed on those devices can be pre-populated to connect to the identity infrastructure. This is a huge win for your IAM workflow (see how it’s done).

In other cases, such as adding a new application, automation may not be possible. But open APIs may streamline the process. For instance, new applications that can support the LDAP protocol could be connected back to the organization’s user store without the need to manually create accounts.

Masterful use of automation is the single most effective way you can simplify and streamline your IAM workflow. But many IT admins don’t know what is possible to automate and what isn’t.

Note: See our article on why you should automate manual user management.

Offboarding
The end of the identity lifecycle is the offboarding of a user. Credentials are terminated and the user’s account access is terminated everywhere.

The challenge, of course, is knowing what everywhere really is. Sometimes IT does not have a complete view of where a user’s credentials have ended up (this can be thanks to a little phenomenon called ‘Shadow IT’).

Further, IT may not have the complete ability to offboard users automatically. Similar to onboarding, the ability to automatically offboard can become expensive as you expand the footprint of what you would like to automate. At a minimum, IT needs to maintain lists of IT resources that need to be touched upon the departure of a worker.

Note: You can find our in-depth guide to offboarding here.
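The four lifecycle areas above (onboarding from an HR event, user and group modifications, resource changes, and offboarding everywhere) can be modelled in a few dozen lines. The following is an added example written for this article, not JumpCloud’s code or API: access is derived from group membership, every change reconciles accounts against entitlement, and an audit check reports any account still held by a departed user, which is exactly the “what is everywhere?” gap that Shadow IT opens. The group-to-resource mapping, the HR event shape and the resource names are all constructed assumptions.

```python
"""Toy identity lifecycle: onboard, modify, offboard, then audit for leftovers.

Added example for illustration only; the group/resource mapping and the
HR event format are constructed assumptions, not any vendor's schema.
"""
from dataclasses import dataclass, field

# Assumed mapping of directory groups to the resources they entitle a user to.
# Changing a user's groups is the only way rights change (the "rules" step).
GROUP_RESOURCES = {
    "all-staff": {"email", "wifi"},
    "engineering": {"github", "prod-ssh"},
    "finance": {"erp"},
}


@dataclass
class Identity:
    username: str
    groups: set = field(default_factory=set)
    active: bool = True


class Directory:
    def __init__(self):
        self.users = {}
        # resource -> usernames that currently hold an account there
        self.resource_accounts = {r: set() for rs in GROUP_RESOURCES.values() for r in rs}
        self.audit = []  # (action, username, resource) records for review

    def entitled_resources(self, user):
        """Union of the resources granted by each of the user's groups."""
        wanted = set()
        for group in user.groups:
            wanted |= GROUP_RESOURCES.get(group, set())
        return wanted

    def _reconcile(self, user):
        """Provision or deprovision so accounts match entitlement exactly.
        An inactive user is entitled to nothing, on every known resource."""
        wanted = self.entitled_resources(user) if user.active else set()
        for resource, accounts in self.resource_accounts.items():
            if resource in wanted and user.username not in accounts:
                accounts.add(user.username)
                self.audit.append(("provision", user.username, resource))
            elif resource not in wanted and user.username in accounts:
                accounts.discard(user.username)
                self.audit.append(("deprovision", user.username, resource))

    def onboard(self, hr_event):
        """Create the identity from an HR record and provision by group."""
        user = Identity(hr_event["username"], {"all-staff", hr_event["department"]})
        self.users[user.username] = user
        self._reconcile(user)
        return user

    def modify_groups(self, username, add=(), remove=()):
        """Ongoing change: expand or contract rights via group membership."""
        user = self.users[username]
        user.groups |= set(add)
        user.groups -= set(remove)
        self._reconcile(user)

    def register_resource_account(self, resource, username):
        """IT resource change: record an account on a resource the directory
        did not provision itself (a new app, or Shadow IT discovered later)."""
        self.resource_accounts.setdefault(resource, set()).add(username)

    def offboard(self, username):
        """End of lifecycle: disable the identity and remove access everywhere
        the directory knows about."""
        user = self.users[username]
        user.active = False
        self._reconcile(user)

    def orphaned_access(self):
        """Accounts held by departed or unknown users: the offboarding gap."""
        return sorted(
            (resource, username)
            for resource, accounts in self.resource_accounts.items()
            for username in accounts
            if username not in self.users or not self.users[username].active
        )


def lifecycle_demo():
    """Walk one constructed identity through the whole workflow."""
    d = Directory()
    d.onboard({"username": "alice", "department": "engineering"})
    d.modify_groups("alice", add=["finance"], remove=["engineering"])
    d.register_resource_account("saas-crm", "alice")  # app added while employed
    d.offboard("alice")
    # A resource IT learns about only after departure shows up as orphaned.
    d.register_resource_account("late-found-app", "alice")
    return d


if __name__ == "__main__":
    demo = lifecycle_demo()
    for record in demo.audit:
        print(*record)
    print("orphaned:", demo.orphaned_access())
```

The point of `orphaned_access()` is that offboarding is only as complete as the resource inventory: anything registered before the departure is cleaned up by `_reconcile`, while anything discovered afterwards is surfaced for manual follow-up rather than silently left behind.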

Master Your Identity & Access Management (IAM) Workflow

The overall lifecycle won’t change too much from organization to organization, but how that workflow is implemented can vary widely. That implementation is dependent upon the details of that workflow and how and who will be integrated into it. As you build your workflow for how you would like to organize and run your identity management process, use that as a guide for what solutions would be most helpful to you in automating and securing that process.

So how do you do it? Start by answering these questions:

Designing the Workflow.

What does it look like from start to finish (map it out)? Who is involved in what aspects? What are you able to automate and what will have to be manual? Do you need to integrate with other solutions, such as an HR system?

Onboarding / Offboarding.

How will you ensure that your users are onboarded properly and have access to everything that they need? Just as importantly, how will you terminate access everywhere upon a departure?

End-user self-service.

What are you comfortable having end users do themselves? Reset their passwords? Upload new keys? What do you want to still retain control over?

APIs for integration.

Do you need to automate some portions of your access control process? If so, you’ll need to have an open platform with APIs that you can work with.

Now it’s Time to Design Your IAM Workflow

If you would like to learn more, we have a ton of resources at JumpCloud on this subject. First and foremost is our 2016 IT Guide to Onboarding and Offboarding Employees. We break the process down into four steps, point out the security risks you’ll need to be aware of along the way, and dive deeper into how to put automation into place and reap the benefits.

We try to remain objective, but in many ways we’re “our own biggest fans” when it comes to IAM workflow. JumpCloud’s one-of-a-kind Directory-as-a-Service® (DaaS) is the single best way to achieve centralized control over a wide variety of users and IT resources (ahem, in our personal opinion, that is). If you want to know more about how DaaS can help improve your IAM workflow with end user password resets and automation based on events, then please take two moments to reach out and contact us here.

Greg Keller

JumpCloud CTO, Greg Keller is a career product visionary and executive management leader. With over two decades of product management, product marketing, and operations experience ranging from startups to global organizations, Greg excels in successful go-to-market execution.
