Joiner–Mover–Leaver for People, Devices & Workloads — With Evidence
Identity Lifecycle is how you grant, change, and revoke access for humans, devices, and workloads—safely, quickly, and provably.
SolveForce implements JML (Joiner–Mover–Leaver) as a system: HR/CRM as source of truth → SSO/MFA → role/attribute-based entitlements → JIT/PAM for elevation → reviews & recertification—wired to SIEM/SOAR so audits pass cleanly.
Connective tissue:
👤 Identity → /iam • 🔐 Privileged → /pam • 🚪 Per-app access → /ztna • 🧱 Network edge → /nac
🖥️ Device posture → /mdm • /mdr-xdr • 🤖 Secrets/Keys → /secrets-management • /key-management
📊 Evidence/Automation → /siem-soar • 🔏 Data → /dlp • ☁️ Cloud → /cloud
🎯 Outcomes (Why SolveForce Identity Lifecycle)
- Zero-Trust by default — identity + device posture + context at every step (no “trusted network”).
- Least-privilege, fast — role/attribute-based birthrights, JIT elevation (PAM), and per-app ZTNA.
- No orphans — automatic offboarding across SaaS, infra, keys, and tokens.
- Audit-ready — approvals, access reviews, certifications, and change logs export to SIEM.
- Covers all identities — humans (EE/contractors), service/workload identities, and device certs.
🧭 Scope (What We Govern & Automate)
- Human identities — employees, contractors, vendors; HRIS/CRM as SoT; SCIM/Graph provisioning; SSO/MFA. → /iam
- Non-human identities — cloud roles, service accounts, CI/CD robots, API keys; workload identity (OIDC/SPIFFE/SVID).
- Device identities — 802.1X EAP-TLS certs, MDM/UEM enrollment, EDR health. → /mdm • /nac • /mdr-xdr
- Entitlements — RBAC/ABAC, SoD policy, app catalog, license governance.
- Privileged access — JIT roles, session recording, elevation approvals. → /pam
- Revocation — accounts, sessions, keys, tokens, device certs; quarantine & evidence.
- Reviews & recertification — periodic and event-driven (mover/transfer).
🧱 Building Blocks (Spelled Out)
- Source of Truth (SoT)
- HRIS/ERP (employees) + vendor system (contractors) → identity directory.
- Enrich with business unit, cost center, location, risk profile.
- Joiner
- Pre-hire stub identity with pending start; background checks & SoD pre-validation.
- Day-0 birthrights (email, chat, core apps) + device enrollment + per-app ZTNA; group/role via RBAC/ABAC.
- Mover
- Role/BU changes trigger delta entitlements; remove old access automatically.
- Access reviews for managers & app owners; prevent SoD conflicts.
- Leaver
- Immediate disable (IdP + ZTNA) → session revoke → key/secret rotation → SaaS deprovision → device wipe/cert revoke → mailbox/file handoff with legal hold.
- Break-glass runbooks for terminations outside HR batch.
- Privileged lifecycle
- No standing admin: JIT via PAM with approvals & recording; ephemeral cloud roles/STS. → /pam
- Workload & API identity
- Cloud workload identity federation (OIDC), SPIFFE/SVID, short-lived tokens; no long-lived keys in repos. → /secrets-management
- Device identity & posture
- 802.1X EAP-TLS; MDM/UEM compliance; EDR healthy; NAC decisions: allow/step-up/quarantine. → /nac • /mdm • /mdr-xdr
- Policy & catalog
- App catalog with owners, license tiers, risk tags, and SoD matrices; policy-as-code for approvals & exceptions.
- Evidence pipeline
- Approvals, grants, revokes, reviews, PAM sessions → SIEM with WORM options; SOAR executes revoke/rotate/notify. → /siem-soar
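The leaver chain and the "no orphans" promise above, as an added worked example (not SolveForce's code or any product API): each step of the revocation sequence emits an evidence record, a failing connector is ticketed for SOAR instead of being skipped, and a reconciliation pass afterwards catches any account the chain left behind. The connectors, users, apps and the "wiki" outage are all constructed stand-ins that mutate in-memory dictionaries.

```python
"""Leaver chain with an evidence record per step and an orphan reconciliation.

Added illustration, not SolveForce's code. The five connectors are constructed
stand-ins that mutate in-memory dictionaries; the step order follows the
page's leaver sequence. All users, apps and device names are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Evidence:
    step: str
    subject: str
    outcome: str      # "ok" or "failed: <reason>"
    at: datetime


class Systems:
    """Constructed stand-ins for IdP, sessions, SaaS, secrets and device certs."""
    def __init__(self):
        self.idp = {"alice": "active", "bob": "active"}
        self.sessions = {"alice": ["s1", "s2"], "bob": ["s3"]}
        # "carol" has no IdP record at all: a pre-existing orphan.
        self.saas = {"crm": {"alice", "bob", "carol"}, "wiki": {"alice"}}
        self.secrets = {"alice": ["api-key-1"], "bob": []}
        self.device_certs = {"alice": ["laptop-7"], "bob": []}
        self.unreachable = {"wiki"}   # simulate one SaaS API being down
        self.ticket_queue = []        # what SOAR would open for retry/escalation


def offboard(user, s, now):
    """Run the leaver chain in order; every step yields an Evidence record,
    and a failed step is ticketed rather than silently skipped."""
    def disable_idp():
        s.idp[user] = "disabled"

    def revoke_sessions():
        s.sessions[user] = []

    def revoke_secrets():
        # Keys issued to the user are revoked; shared secrets they could
        # have seen would be rotated by the real connector.
        s.secrets[user] = []

    def deprovision_saas():
        failed = []
        for app, members in s.saas.items():
            if app in s.unreachable:
                if user in members:
                    failed.append(app)
                continue
            members.discard(user)
        if failed:
            raise RuntimeError("unreachable: " + ",".join(failed))

    def revoke_device_certs():
        s.device_certs[user] = []

    chain = [("idp_disable", disable_idp),
             ("session_revoke", revoke_sessions),
             ("secret_revoke", revoke_secrets),
             ("saas_deprovision", deprovision_saas),
             ("device_cert_revoke", revoke_device_certs)]
    log = []
    for i, (name, fn) in enumerate(chain):
        try:
            fn()
            outcome = "ok"
        except RuntimeError as exc:
            outcome = f"failed: {exc}"
            s.ticket_queue.append((user, name))
        log.append(Evidence(name, user, outcome, now + timedelta(seconds=i)))
    return log


def find_orphans(s):
    """Reconcile SaaS membership against the IdP: any account whose identity
    is missing or not active is an orphan, including one left by a failed step."""
    return sorted((app, u) for app, members in s.saas.items()
                  for u in members if s.idp.get(u) != "active")


def run_demo():
    """Offboard one constructed user and return the systems, evidence and orphans."""
    s = Systems()
    log = offboard("alice", s, datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc))
    return s, log, find_orphans(s)


if __name__ == "__main__":
    systems, evidence, orphans = run_demo()
    for e in evidence:
        print(e.at.isoformat(), e.step, e.subject, e.outcome)
    print("orphans:", orphans)
    print("tickets:", systems.ticket_queue)
```

The order matters: the IdP is disabled and sessions are killed before anything slower runs, so even if a downstream SaaS connector is unreachable the person has already lost the ability to sign in, and the reconciliation pass is what turns that failed step into an orphan finding with a remediation ticket rather than a silent gap.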
🧰 Reference Architectures (Choose Your Fit)
A) Enterprise JML (HR-Driven)
HRIS → IdP (SSO/MFA) → SCIM to SaaS; ZTNA for private apps; NAC/MDM at edge; PAM for elevation; SOAR for revokes & key rotation.
B) Cloud-First with Workload Identity
IdP + Cloud IAM; OIDC federation for CI/CD; SPIFFE/SVID in K8s; secrets broker; Just-in-Time cloud roles; automated key lifecycle.
C) Contractor/Vendor Access
Clientless ZTNA → app subsets; time-boxed accounts; watermarks/recording for admin sessions; mandatory sponsor; auto-expire.
D) Regulated (SOX/PCI/HIPAA/CMMC)
SoD policy packs; quarterly certifications; data labels (PII/PHI/PAN); tokenization; PAM + session recording; immutable evidence.
E) Device-First (Zero-Trust Edge)
802.1X EAP-TLS; NAC posture (MDM/EDR); dynamic VLAN/ACL/SGT; ZTNA per-app; device cert revocation on leaver.
📐 SLO Guardrails (Targets You Can Measure)
| KPI / SLO | Target (Recommended) |
|---|---|
| Joiner time to productive access | ≤ 15–60 min post-HR create |
| Mover access delta apply | ≤ 15 min from HR change |
| Leaver full revoke (human) | ≤ 5–15 min (IdP→SaaS→keys) |
| Leaver full revoke (privileged) | ≤ 1–5 min (sessions killed) |
| Orphaned accounts (monthly) | = 0 (remediation SLA 24 h) |
| Certifications completion (quarterly) | ≥ 95–100% on time |
| SoD violation MTTR | ≤ 24–72 h |
| Evidence completeness (audits/incidents) | = 100% |
SLO breaches open tickets and trigger SOAR (revoke, rotate, quarantine, notify). → /siem-soar
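How the joiner/mover/leaver SLOs above can actually be measured from the evidence stream, as an added example that is not SolveForce's code: it pairs each HR trigger event with the completion event of the matching workflow in a SIEM export, scores the elapsed time against a target, treats a workflow that has not completed as still running against the clock, and names the follow-up action a breach would fire. The JSON-lines events, the `DEMO_NOW` clock and the action labels are constructed; the targets are the lenient end of each range in the table.

```python
"""Score JML workflows against SLO targets from a SIEM evidence export.

Added illustration, not SolveForce's code. Event shape, action names and the
sample export are constructed; targets take the upper bound of each range.
"""
import json
from datetime import datetime, timezone

# Upper bound of each recommended range, in minutes (constructed choice).
SLO_MINUTES = {"joiner": 60, "mover": 15, "leaver": 15, "leaver_privileged": 5}

# What a breach should trigger (constructed labels for SOAR / ticketing).
ACTIONS = {"leaver": "soar:bulk_revoke+notify",
           "mover": "ticket:review_delta",
           "joiner": "ticket:provisioning"}

# Constructed SIEM export: one HR trigger and, where it happened, one completion.
SAMPLE_EVENTS = """
{"ts":"2024-03-01T09:00:00Z","kind":"hr","flow":"leaver","user":"alice","privileged":false}
{"ts":"2024-03-01T09:11:30Z","kind":"workflow_complete","flow":"leaver","user":"alice"}
{"ts":"2024-03-01T10:00:00Z","kind":"hr","flow":"leaver","user":"bob","privileged":true}
{"ts":"2024-03-01T10:09:00Z","kind":"workflow_complete","flow":"leaver","user":"bob"}
{"ts":"2024-03-01T11:00:00Z","kind":"hr","flow":"joiner","user":"carol","privileged":false}
{"ts":"2024-03-01T11:45:00Z","kind":"workflow_complete","flow":"joiner","user":"carol"}
{"ts":"2024-03-01T12:00:00Z","kind":"hr","flow":"mover","user":"dave","privileged":false}
""".strip().splitlines()

# Fixed "now" so the still-open mover workflow is measurable and repeatable.
DEMO_NOW = datetime(2024, 3, 1, 12, 30, tzinfo=timezone.utc)


def _parse_ts(s):
    # fromisoformat accepts "Z" only on recent Pythons; normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def evaluate(lines, now):
    """Pair each HR trigger with its completion and score it against the SLO.
    Returns one result dict per triggered workflow."""
    started, finished = {}, {}
    for line in lines:
        ev = json.loads(line)
        key = (ev["flow"], ev["user"])
        if ev["kind"] == "hr":
            started[key] = ev
        elif ev["kind"] == "workflow_complete":
            finished[key] = _parse_ts(ev["ts"])

    results = []
    for (flow, user), ev in started.items():
        slo_key = "leaver_privileged" if flow == "leaver" and ev.get("privileged") else flow
        target = SLO_MINUTES[slo_key]
        complete = (flow, user) in finished
        end = finished[(flow, user)] if complete else now   # open: clock keeps running
        minutes = (end - _parse_ts(ev["ts"])).total_seconds() / 60
        breach = minutes > target
        results.append({"user": user, "flow": flow, "minutes": minutes,
                        "target": target, "complete": complete,
                        "breach": breach, "action": ACTIONS[flow] if breach else None})
    return results


def breaches(lines, now):
    """Just the rows that need a ticket or a SOAR playbook."""
    return [r for r in evaluate(lines, now) if r["breach"]]


if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS, DEMO_NOW):
        state = "done" if r["complete"] else "OPEN"
        flag = f"BREACH -> {r['action']}" if r["breach"] else "ok"
        print(f"{r['user']:6} {r['flow']:7} {state:4} {r['minutes']:6.1f}/{r['target']} min {flag}")
```

Measuring open workflows against the current time is the detail that matters operationally: a leaver whose deprovisioning never finished would otherwise never appear in the breach list at all, which is exactly the orphaned-account failure the table's "= 0" row is meant to prevent.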
🔒 Compliance Mapping (Examples)
- SOX — access changes/approvals, quarterly recerts, SoD controls, immutable logs.
- PCI DSS — unique IDs, least privilege, quarterly reviews, key/secret rotation, session recording for admin.
- HIPAA — minimum necessary, audit controls, termination procedures, BAAs for identity tools.
- ISO 27001 / SOC 2 — access management, change, logging; evidence packs.
- NIST 800-53/171 / CMMC — AC/IA/AU/CM families; JIT/PAM, logging, and revocation controls.
📊 Observability & Evidence
- IdP & ZTNA: logins, MFA, device posture, policy decisions.
- Provisioning: SCIM events, app grants, license changes, group diffs.
- Privileged: PAM approvals, session recordings, command logs.
- Keys/Secrets: KMS/HSM rotations, Secret Manager reads/writes.
- Certifications: reviewer actions, exceptions, closure.
All streamed to SIEM, with SOAR playbooks (bulk revoke, session kill, rotate keys, disable device). → /siem-soar
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Source-of-truth & scope — HRIS/CRM systems; identity types (EE, contractor, vendor, service, device).
2) IdP & ZTNA baseline — SSO/MFA; groups/claims; context-aware access; per-app ZTNA. → /iam • /ztna
3) Provisioning — SCIM to SaaS; birthright bundles; app catalog & owners; SoD matrices.
4) PAM & elevation — JIT roles, approvals, recording; break-glass with TTL. → /pam
5) Workload identity — OIDC/SPIFFE; secretless CI/CD; remove static keys from repos. → /secrets-management
6) Device identity & posture — 802.1X certs, MDM/UEM enrollment, EDR health; NAC actions. → /nac • /mdm
7) Leaver automation — IdP disable → ZTNA revoke → SaaS deprovision → key/secret/cert rotation → device wipe/revoke.
8) Reviews & recert — quarterly certifications; mover triggers; SoD monitoring; exception workflow.
9) Evidence & SOAR — export logs/approvals; playbooks for revoke/rotate/quarantine; dashboards for SLOs. → /siem-soar
✅ Pre-Engagement Checklist
- 🧭 HRIS/CRM SoT, identity types, contractors/vendors, expected volumes/transfers.
- 🔐 IdP/SSO/MFA posture; ZTNA/SASE plan; NAC/MDM/EDR status.
- 🗂️ App catalog, owners, license tiers; SCIM readiness; SoD matrices.
- 🧑💻 PAM requirements; break-glass process; session recording policy.
- 🤖 Workload identity approach (OIDC/SPIFFE), secrets/keys posture (KMS/HSM, vault).
- 💾 Offboarding revocation list (SaaS, infra, keys/tokens, device certs).
- 📊 SIEM/SOAR destinations, evidence format, certification cadence.
- 🧾 Compliance scope (SOX/PCI/HIPAA/ISO/NIST/CMMC) & audit calendar.
🔄 Where Identity Lifecycle Fits (Recursive View)
1) Grammar — identities traverse /connectivity & /networks-and-data-centers.
2) Syntax — access delivered via /ztna • /sase with /nac and device posture.
3) Semantics — /cybersecurity preserves truth; /siem-soar proves it; keys/secrets via /key-management • /secrets-management.
4) Pragmatics — /solveforce-ai flags risky access, predicts mover deltas, and proposes safe revokes.
5) Foundation — consistent language via /primacy-of-language; cataloged in the Codex.