MC-Teck are the JML Experts
What is JML?
JML is a “Joiner Mover Leaver” process which supports the lifecycle of your staff login accounts.
This begins with Joiner. When a colleague joins your business, the JML process will create their user object and make sure they have the relevant access they need to do their job.
When a colleague transitions to a new role, the Mover process will amend their access so that they can access the resources they need for this role, whilst simultaneously removing any access they no longer require, preventing access creep.
Finally, when a colleague leaves your business, the Leaver process will disable their accounts, remove all access and remove their licences; leaving your business in a secure state and keeping your licence costs to a minimum.
MC-Teck delivers JML onboarding and lifecycle processes, ensuring seamless user transitions, reduced risk, and consistent policy enforcement.
The Challenges of not Having a Joiner Process
Without a functional Joiner solution, when a colleague joins your business there is a manual process for them to have an account created. That account must then be added to the correct security and email groups, ensuring the joiner can get the information they need, access the resources they require and get the correct licences for their role.
However, the manual process can often be mis-read or mis-followed, resulting in the colleague being added to the wrong security groups. Suddenly your new receptionist has access to payroll data.
Additionally, it’s common for the request to state that the new colleague needs the same access as an existing colleague; however, during their time in your company the colleague has moved around and their access was never revoked, resulting in both colleagues having access to sensitive data they don’t need.
Compare this to a complete Joiner solution, where the colleague is created in one of two ways:
You don’t have a human resource system, so instead there’s a simple form which asks for the name and job details of the new colleague. When the hiring manager (or HR person, or any trusted employee) fills out this form, the account is created and again, based on their job details, the new colleague is given access to only the resources and licences required.
Your HR team enters the new colleague’s information into your human resource system (SuccessFactors, Workday etc.). This information is then used to automatically create the user’s account and, based on their job title, department and grade, they are assigned the correct licences and added to the appropriate security and email groups with no requirement for human intervention.
Why Do I Need a Mover Process?
When a colleague moves from one role to another, the Mover process comes into its own.
Without a Mover process, someone needs to manually review all of the security and email groups the colleague is a member of, remove any related to their old role, and add them to the appropriate ones for their new position. Depending on the size, complexity and age of your business, removing legacy access can be a very large task and one which is often either done incompletely or overlooked entirely.
Implementing an automatic Mover process simplifies this, making sure that these transitions are as smooth as possible and that access creep (retaining legacy access) is a thing of the past.
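The reconciliation an automatic Mover process performs can be sketched as follows. This is an added example, not MC-Teck's code; the role model, group names and the `plan_mover` function are hypothetical and constructed for illustration.

```python
# Constructed role model: (department, job title) -> groups that role is entitled to.
ROLE_GROUPS = {
    ("Front Office", "Receptionist"): {"all-staff", "front-desk-mail", "visitor-system"},
    ("Finance", "Payroll Clerk"): {"all-staff", "finance-mail", "payroll-data"},
}


def plan_mover(current_groups, department, job_title):
    """Return the group changes that bring a mover in line with their new role."""
    current = set(current_groups)
    key = (department, job_title)
    if key not in ROLE_GROUPS:
        # Fail closed: an unmapped role gets no automatic grants or removals,
        # and every existing membership is sent for manual review.
        return {"mapped": False, "add": [], "remove": [], "review": sorted(current)}
    entitled = ROLE_GROUPS[key]
    # Groups the role model knows about; anything else was granted outside JML.
    managed = set().union(*ROLE_GROUPS.values())
    extra = current - entitled
    return {
        "mapped": True,
        "add": sorted(entitled - current),
        "remove": sorted(extra & managed),   # legacy access from the old role
        "review": sorted(extra - managed),   # access the role model cannot explain
    }


if __name__ == "__main__":
    # Constructed case: a receptionist who also picked up an ad hoc project share
    # moves into a payroll role.
    held = ["all-staff", "front-desk-mail", "visitor-system", "project-x-share"]
    print(plan_mover(held, "Finance", "Payroll Clerk"))
```

The `review` list is where access creep shows up: memberships that no role explains are surfaced instead of silently carried into the new position.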
Having a Mover process in place also helps with project delivery as you can be sure that all accounts have up-to-date information. So if you are delivering a new finance system, you can be certain that those colleagues identified as finance by job role or department are exactly that. Without this information certainty, the project will take longer and cost more because of the time and effort required to clean up and validate the colleagues.
What are the Risks in not Having a Leaver Process?
The Leaver process is quite simply the most important part of any JML solution. It’s the process which most helps ensure the IT security of the business and can help save a lot of money, but it can’t function without good data behind it – and that relies on the Joiner and Mover processes being in place.
Without a Leaver process, companies can get into real trouble with:
Licence creep – colleagues leave, and their accounts are disabled but never deleted. This can result in the account retaining the licences assigned which results in additional, unnecessary costs to your business. Each licence may not be expensive individually, but the costs can quickly rack up when you’ve had a few leavers.
Account retention – when colleagues leave, their accounts are simply not removed and, in many cases, they aren’t even disabled. This leaves unmonitored access to company information which in turn exposes the company to security risks. At the very least, when a colleague leaves their account needs to be disabled to stop them continuing to access internal resources.
Even if the account is disabled, if it’s not deleted in a timely manner, there is a real risk of that account being incorrectly re-enabled and the credentials being passed to a bad actor who then has unmonitored access to your information.
Additional accounts – there are always times when additional accounts are needed for elevated privileges or testing purposes.
One of the biggest security risks I encounter, and more frequently than you might think, is admin accounts being left in an enabled state when the colleague has left. Just imagine what these accounts could have access to. If the leaver was someone in a senior IT position, the account could have access to your entire IT estate.
With a complete JML solution in place, these accounts are linked so that when the colleague leaves not only is their primary account deprovisioned but also all their Admin accounts are automatically deprovisioned along with it.
Temporary accounts are often forgotten about but can retain access to key systems, present unmonitored access issues and sometimes hold a licence. JML links these accounts to the person requesting them and then requires regular confirmation that the account is still in use. If the requirement isn’t confirmed, the account is deleted.
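The account linking and temporary-account confirmation described above can be expressed as a deprovisioning plan. This is an added example, not MC-Teck's code; the inventory, the employee IDs, the 90-day confirmation interval and the `plan_leaver` function are assumptions made for illustration.

```python
from datetime import date, timedelta

CONFIRM_EVERY = timedelta(days=90)  # assumed re-confirmation interval, not from the page

# Constructed inventory: every account is linked to the employee who owns or requested it.
ACCOUNTS = [
    {"name": "jsmith", "kind": "primary", "owner": "E100", "licences": ["mail", "office"]},
    {"name": "adm-jsmith", "kind": "admin", "owner": "E100", "licences": []},
    {"name": "akhan", "kind": "primary", "owner": "E200", "licences": ["mail"]},
    {"name": "tmp-migration", "kind": "temporary", "owner": "E200",
     "licences": ["mail"], "confirmed": date(2024, 1, 10)},
    {"name": "tmp-scanner", "kind": "temporary", "owner": "E200",
     "licences": [], "confirmed": date(2024, 5, 20)},
]


def plan_leaver(accounts, leavers, today):
    """Return actions for leavers' linked accounts and for lapsed temporary accounts."""
    plan = []
    for acct in accounts:
        if acct["owner"] in leavers:
            # Primary, admin and temporary accounts all follow their owner out.
            reason = "owner left"
            steps = ["disable", "remove_access", "remove_licences"]
        elif acct["kind"] == "temporary" and today - acct["confirmed"] > CONFIRM_EVERY:
            # Nobody confirmed the account is still needed, so it is deleted.
            reason = "confirmation lapsed"
            steps = ["delete"]
        else:
            continue
        plan.append({"account": acct["name"], "reason": reason,
                     "steps": steps, "licences_freed": len(acct["licences"])})
    return plan


if __name__ == "__main__":
    # Constructed run: employee E100 has left; E200 is still employed.
    for action in plan_leaver(ACCOUNTS, {"E100"}, date(2024, 6, 1)):
        print(action)
```

Because the admin account carries the same owner link as the primary account, it cannot be missed when the owner leaves, even though it holds no licence and would not appear in a licence report.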
Identity and Access Management
Identity and Access Management (IAM) takes JML to the next level. Along with the processes included in JML, IAM can be used to provide access to systems and resources only for the duration of time required to perform a function.
It is also capable of obfuscating the login name to key systems, or generating temporary accounts for one time use, further securing your environment.
If you are interested in implementing a JML or IAM solution, or would just like to know more, please drop me a line and we can discuss how MC-Teck can help you achieve your aims.
