Identity Lifecycle Management Tools: A Complete Crash Course

The most frustrating JSM implementations I saw at Atlassian were teams with perfect ITSM processes and completely broken identity lifecycle management. It's always the same pattern: perfect provisioning processes, terrible de-provisioning, and nobody tracking what happens in between. The problem wasn't the tools. It's that nobody understood what identity lifecycle management (ILM) actually required. ILM has requirements that standard ITSM wasn't built for: complex approvals, automated provisioning, integration with identity providers, and above all a different way of thinking about user identities and access. Here's what identity lifecycle management actually involves and the basic tools you need to make it work.

The Full Identity Lifecycle Management Process

Identity management tools are designed for these three lifecycle phases:

1. Provisioning

Creating user accounts and assigning initial permissions when someone joins. Provisioning also covers granting new access rights when someone's responsibilities expand or they join a new project and request access accordingly.

2. Maintenance

Maintenance covers all changes that happen after initial provisioning, such as updating permissions when people change roles, departments, or responsibilities. It also includes regular reviews to verify that people still need their current permissions, and cleaning up permissions that have built up over time.

3. De-provisioning

Taking away access when people leave or no longer need certain permissions. De-provisioning can be complete or partial.

Complete de-provisioning means shutting down their account, removing them from all groups, cutting off their application access, and cleaning up any system permissions they had. Partial de-provisioning happens when someone changes jobs but stays at the company - they lose access to old systems while keeping their main account.

Both are critical not just to the entire lifecycle, but to identity governance processes.

Where Identity Lifecycle Management Usually Breaks Down

In practice, organizations are really good at one phase and terrible at the other two. This is what I see at most companies regardless of the tools they use:

  • Provisioning works because it has to. Most organizations handle user provisioning reasonably well because HR processes force it: new employees can't work without access, so there's business pressure to create accounts quickly.
  • Maintenance is hit-or-miss. It happens inconsistently because there's no systematic tracking of role changes. People get promoted or switch departments, but updating their permissions depends on someone remembering to submit a ticket.
  • De-provisioning barely happens, if at all. It fails because nobody owns the full inventory of systems a person has touched. When someone leaves, IT disables their main account but misses their admin group memberships, API keys, cloud permissions, and the service accounts they owned.

You can't fix any one phase in isolation; a strong identity management process covers all three.
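The de-provisioning gap above is usually discovered by accident. A cheap way to find it on purpose is to reconcile the HR leaver list against every access inventory you have, not just the identity provider. The following script is an added example, not code from the original post or from Multiplier; all five inventories (HR roster, IdP accounts, cloud IAM, directory admin groups, service accounts) are constructed inline and stand in for what the respective APIs or exports would return. It also catches the inverse problem: accounts that have no HR record at all, so nobody can vouch for them.

```python
"""Offboarding reconciliation: find access that outlived the HR termination.

Added example, not from the original post. Every inventory below is
constructed inline; in practice each comes from the HRIS export, the
identity provider API, cloud IAM, the directory, and a secrets inventory.
"""
from dataclasses import dataclass
from datetime import date

# --- constructed inventories; user IDs, groups and key IDs are made up ---
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob":   {"status": "terminated", "terminated": date(2024, 3, 1)},
    "carol": {"status": "terminated", "terminated": date(2024, 4, 15)},
}
IDP_ACCOUNTS = {                    # primary SSO accounts
    "alice": {"enabled": True},
    "bob":   {"enabled": False},    # IT disabled the main account...
    "carol": {"enabled": True},     # ...and missed this leaver entirely
}
CLOUD_IAM = {                       # cloud users with long-lived keys
    "alice": {"access_keys": [], "policies": ["ReadOnlyAccess"]},
    "bob":   {"access_keys": ["AKIAEXAMPLE0001"], "policies": ["AdministratorAccess"]},
}
ADMIN_GROUPS = {                    # directory group -> members
    "Domain Admins": {"bob", "dave"},  # dave has no HR record at all
    "DBA": {"carol"},
}
SERVICE_ACCOUNTS = {                # non-human accounts and their human owner
    "svc-billing-etl": {"owner": "bob", "enabled": True},
    "svc-ci-deploy":   {"owner": "alice", "enabled": True},
}


@dataclass(frozen=True)
class Finding:
    identity: str   # the human the access traces back to
    system: str     # idp / cloud / directory / service-account
    detail: str


def leavers(hr):
    """Identities HR says have left."""
    return {uid for uid, rec in hr.items() if rec["status"] == "terminated"}


def find_orphaned_access(hr, idp, cloud, admin_groups, service_accounts):
    """Cross-check every inventory against the HR roster.

    Two failure modes are caught: access still held by a known leaver, and
    accounts with no HR record at all (nobody can vouch for them).
    """
    gone = leavers(hr)
    findings = []

    for uid, acct in idp.items():
        if uid in gone and acct["enabled"]:
            findings.append(Finding(uid, "idp", "primary account still enabled"))
        elif uid not in hr:
            findings.append(Finding(uid, "idp", "account has no HR record"))

    for uid, rec in cloud.items():
        if uid in gone:
            for key in rec["access_keys"]:
                findings.append(Finding(uid, "cloud", f"active access key {key}"))
            for policy in rec["policies"]:
                findings.append(Finding(uid, "cloud", f"policy {policy} still attached"))

    for group, members in admin_groups.items():
        for uid in members:
            if uid in gone:
                findings.append(Finding(uid, "directory", f"still a member of {group}"))
            elif uid not in hr:
                findings.append(Finding(uid, "directory", f"member of {group} with no HR record"))

    for name, sa in service_accounts.items():
        if sa["owner"] in gone and sa["enabled"]:
            findings.append(Finding(sa["owner"], "service-account",
                                    f"{name} is enabled but its owner has left"))
    return findings


def findings_by_identity(findings):
    """Roll findings up per person, the shape an offboarding ticket wants."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.identity, []).append(f)
    return grouped


if __name__ == "__main__":
    report = find_orphaned_access(HR_ROSTER, IDP_ACCOUNTS, CLOUD_IAM,
                                  ADMIN_GROUPS, SERVICE_ACCOUNTS)
    for identity, items in sorted(findings_by_identity(report).items()):
        print(f"{identity}:")
        for f in items:
            print(f"  [{f.system}] {f.detail}")
```

Run against the constructed data, bob's disabled SSO account produces no finding, but his cloud key, admin policy, Domain Admins membership and the service account he owned do; carol was never disabled anywhere; and dave shows up as an admin nobody in HR knows about. The number of findings per leaver is a direct measure of how incomplete your offboarding is.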

What is Identity Governance and Administration (IGA)?

When choosing identity lifecycle management (ILM) tools, look for key features related to IGA.

Identity Governance and Administration is the framework used to manage user identities and user access rights to meet regulatory requirements.

Think of it as a policy layer wrapped around access requests to cloud resources, user accounts, and managing credentials.

A watertight IGA implementation reduces the risk of breaches that start with excess or forgotten access, and it makes access administration faster and more consistent.

Access Reviews

Access reviews are periodic checks to verify people still need their current permissions. You pull reports showing what each person can access, send them to managers for approval, and revoke anything that's not actively confirmed.

Most access reviews happen quarterly. Critical systems with high-risk access might need monthly reviews so that excess or stale permissions don't linger. Low-risk systems can be reviewed annually.

The key to ensuring compliance is making reviews actionable. Instead of sending managers a list of cryptic system roles, translate permissions into business language. "Can approve purchase orders up to $50,000" is clearer than "has GL_APPROVER_L3 role."
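Three things make a review actionable in practice: the reviewer sees business language instead of role codes, anything the reviewer does not explicitly confirm is revoked (silence is not approval), and the cadence is tracked per risk tier so overdue reviews are visible. The script below is an added example, not code from the original post or from Multiplier; the entitlement catalog, users, managers, systems and review dates are constructed, and the tiers mirror the monthly / quarterly / annual schedule described above.

```python
"""Access review in code: business-language translation, fail-closed
decisions, and cadence tracking by risk tier.

Added example, not from the original post. The entitlement catalog, users,
managers, systems and review dates are all constructed for illustration.
"""
from datetime import date, timedelta

# Technical role name -> what it lets a person do, in business language.
# Anything missing from the catalog is reviewed under its raw name and
# flagged, because a reviewer cannot meaningfully approve "LEGACY_ROLE_42".
CATALOG = {
    "GL_APPROVER_L3":   "Can approve purchase orders up to $50,000",
    "AP_VENDOR_CREATE": "Can create and edit vendor master records",
    "HR_PAYROLL_VIEW":  "Can view payroll for every employee",
    "JIRA_ADMIN":       "Can change Jira global settings and user permissions",
}

# user -> (manager, entitlements held)
ASSIGNMENTS = {
    "john":  ("maria", {"GL_APPROVER_L3", "AP_VENDOR_CREATE"}),
    "priya": ("maria", {"HR_PAYROLL_VIEW", "LEGACY_ROLE_42"}),
    "omar":  ("li",    {"JIRA_ADMIN"}),
}

# Review cadence in days per risk tier, which tier each system is in,
# when each system was last reviewed, and the "today" used for the check.
CADENCE_DAYS = {"high": 30, "standard": 90, "low": 365}
SYSTEM_TIERS = {"erp": "high", "hris": "high", "jira": "standard", "wiki": "low"}
LAST_REVIEWED = {"erp": date(2024, 1, 10), "hris": date(2024, 5, 1),
                 "jira": date(2024, 2, 1), "wiki": date(2023, 9, 1)}
AS_OF = date(2024, 5, 15)


def build_review(assignments, catalog):
    """Group review items per manager, each translated into business language."""
    packets = {}
    for user, (manager, ents) in assignments.items():
        for ent in sorted(ents):
            desc = catalog.get(ent)
            packets.setdefault(manager, []).append({
                "user": user,
                "entitlement": ent,
                "description": desc if desc else f"UNDOCUMENTED: {ent}",
                "documented": desc is not None,
            })
    return packets


def revocations(packets, decisions):
    """Turn reviewer decisions into a revoke list.

    decisions maps (user, entitlement) -> "keep" | "revoke". Anything the
    reviewer did not explicitly keep is revoked: silence is not approval.
    """
    revoke = []
    for items in packets.values():
        for item in items:
            key = (item["user"], item["entitlement"])
            if decisions.get(key) != "keep":
                revoke.append(key)
    return sorted(revoke)


def overdue_reviews(last_reviewed, tiers, cadence, today):
    """Systems whose last completed review is older than their tier allows."""
    overdue = []
    for system, last in last_reviewed.items():
        due = last + timedelta(days=cadence[tiers[system]])
        if today > due:
            overdue.append((system, due))
    return sorted(overdue)


if __name__ == "__main__":
    packets = build_review(ASSIGNMENTS, CATALOG)
    for manager, items in packets.items():
        print(f"Review for {manager}:")
        for item in items:
            flag = "" if item["documented"] else "  <-- no business description"
            print(f"  {item['user']}: {item['description']}{flag}")
    # Constructed decisions: maria never answered about priya's legacy role.
    decisions = {
        ("john", "GL_APPROVER_L3"): "keep",
        ("john", "AP_VENDOR_CREATE"): "revoke",
        ("priya", "HR_PAYROLL_VIEW"): "keep",
        ("omar", "JIRA_ADMIN"): "keep",
    }
    print("Revoke:", revocations(packets, decisions))
    print("Overdue:", overdue_reviews(LAST_REVIEWED, SYSTEM_TIERS, CADENCE_DAYS, AS_OF))
```

The fail-closed rule in `revocations` is the part worth arguing for with stakeholders: if a manager ignores the packet, the unconfirmed entitlement is revoked, which is the only way the review produces a result rather than a backlog. The undocumented flag on `LEGACY_ROLE_42` is a work item for the entitlement catalog, not something a manager can be expected to approve.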

Entitlement Management

Entitlements are the specific permissions someone holds within a system: database read access, file folder permissions, application admin rights, and so on.

Entitlement management means tracking these granular permissions across all your systems. Instead of just knowing John has access to the finance system, you know he can view reports but can't modify accounting data.

This granular tracking enables better access reviews and supports compliance audits. It also helps during incident response: if you know exactly who could modify accounting data, you can quickly narrow down who was in a position to do it. Not being able to answer that question is a common reason for audit findings.

Segregation of Duties

Segregation of duties prevents one person from controlling an entire business process. The person who approves invoices shouldn't also be able to create vendor records. The developer who writes code shouldn't approve their own deployments.

Map your critical business processes and identify where a single individual controls too much of one process. Then split those responsibilities across multiple people, or add approval workflows where a split isn't practical, and remove the conflicting access.

Role-Based Access Control

Managing identities via role-based access control assigns permissions based on job functions, not random requests. For instance, instead of manually granting file access, database permissions, and application rights to each new marketing manager, you assign them the "Marketing Manager" role that includes all necessary permissions.

Roles reduce administrative overhead and ensure consistent access patterns. They also make access reviews easier because you're reviewing role assignments rather than individual permissions.

Build roles that match actual job functions in your organization. Generic roles like "PowerUser" tell you nothing about what someone actually does.
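Segregation of duties and RBAC interact: a conflict can come from two roles held by one person, or it can be baked into a single over-broad role (the "PowerUser" problem above), and you only see it after resolving each role, including what it inherits, down to effective entitlements. The script below is an added example, not code from the original post or from Multiplier; the role names, entitlements, users and the two SoD rules are constructed, and real rules come from mapping your own processes as described in the Segregation of Duties section.

```python
"""Roles resolved to effective entitlements, then checked against
segregation-of-duties rules.

Added example, not from the original post. Role names, entitlements,
users and the two SoD rules are constructed for illustration.
"""

# role -> entitlements granted directly, plus parent roles it inherits from.
ROLES = {
    "Employee":          {"ents": {"EMAIL", "WIKI_READ"}, "inherits": []},
    "AP Clerk":          {"ents": {"AP_VENDOR_CREATE", "AP_INVOICE_ENTER"}, "inherits": ["Employee"]},
    "AP Approver":       {"ents": {"AP_INVOICE_APPROVE"}, "inherits": ["Employee"]},
    "Developer":         {"ents": {"REPO_WRITE"}, "inherits": ["Employee"]},
    "Release Manager":   {"ents": {"DEPLOY_APPROVE"}, "inherits": ["Employee"]},
    # A generic "power user" role: it violates SoD all by itself.
    "Finance PowerUser": {"ents": set(), "inherits": ["AP Clerk", "AP Approver"]},
}

# Entitlement pairs no single person may hold together.
SOD_RULES = {
    "vendor-and-approve": frozenset({"AP_VENDOR_CREATE", "AP_INVOICE_APPROVE"}),
    "code-and-deploy":    frozenset({"REPO_WRITE", "DEPLOY_APPROVE"}),
}

USER_ROLES = {
    "john": {"AP Clerk", "AP Approver"},   # conflict arises from two roles
    "ana":  {"Finance PowerUser"},         # conflict baked into one role
    "dev1": {"Developer"},
    "rm":   {"Release Manager"},
}


def effective_entitlements(role, roles, _seen=None):
    """Flatten a role and everything it inherits; tolerates inheritance cycles."""
    seen = set() if _seen is None else _seen
    if role in seen:
        return set()
    seen.add(role)
    ents = set(roles[role]["ents"])
    for parent in roles[role]["inherits"]:
        ents |= effective_entitlements(parent, roles, seen)
    return ents


def user_entitlements(user, user_roles, roles):
    """Union of effective entitlements over all of a user's roles."""
    ents = set()
    for role in user_roles[user]:
        ents |= effective_entitlements(role, roles)
    return ents


def sod_violations(ents, rules):
    """Names of rules whose entire entitlement set is held."""
    return sorted(name for name, pair in rules.items() if pair <= ents)


def audit_users(user_roles, roles, rules):
    """Per-user SoD violations across everything their roles grant."""
    return {u: sod_violations(user_entitlements(u, user_roles, roles), rules)
            for u in user_roles}


def toxic_roles(roles, rules):
    """Roles that breach SoD on their own: a single assignment is a violation."""
    return sorted(r for r in roles
                  if sod_violations(effective_entitlements(r, roles), rules))


if __name__ == "__main__":
    for user, violations in audit_users(USER_ROLES, ROLES, SOD_RULES).items():
        print(f"{user}: {violations or 'clean'}")
    print("roles that violate SoD by themselves:", toxic_roles(ROLES, SOD_RULES))
```

`toxic_roles` is the check to run whenever a role definition changes: a role that violates SoD on its own cannot be assigned to anyone without creating a violation, so the fix is to redesign the role, not to chase individual users. `audit_users` is the check to run on every role assignment request, ideally as an approval-workflow gate rather than after the fact.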

Access Management Components

Access management controls how users authenticate to systems and what they can do once authenticated, which is another cornerstone of the identity management lifecycle.

The best tools for lifecycle management will support the following key features regardless of the identity provider you use:

Authentication vs Authorization

Authentication proves identity. Authorization determines permissions.

Multi-factor authentication strengthens authentication by requiring multiple verification methods. Single sign-on centralizes authentication to reduce password management overhead.

Authorization happens after successful authentication. This is where role-based access control, entitlements, and permission assignments determine what authenticated users can access.

Single Sign-On Implementation

Single sign-on lets users authenticate once and access multiple systems without re-entering credentials. SSO improves user experience and security by centralizing authentication.

SSO works through identity providers that authenticate users and service providers that trust those authentication decisions. Common protocols are SAML and OpenID Connect; OAuth 2.0 on its own is an authorization framework for delegating access to APIs, and OpenID Connect is the layer on top of it that adds authentication.

The security benefit is centralized control. Disable someone's account in your identity provider and they can no longer sign in to any connected system. The caveat is that this only takes effect at the next login: sessions and tokens already issued remain valid until they expire unless the application supports session revocation, and local accounts, API keys, and other credentials that bypass SSO are untouched. Offboarding has to cover those too.

Multi-Factor Authentication

Multi-factor authentication requires at least two different kinds of verification factor: something you know (password), something you have (phone or hardware token), and something you are (fingerprint).

Common MFA methods include authenticator apps, SMS codes, push notifications, and hardware tokens. Authenticator apps and hardware tokens are more secure than SMS because SMS codes can be intercepted or redirected through SIM swapping. Hardware tokens that implement FIDO2/WebAuthn go further: the credential is bound to the site's origin, so a code phished on a look-alike site cannot be replayed against the real one, which one-time codes from an app cannot prevent.

Require MFA for all administrative accounts and any system containing sensitive data. Don't create exceptions because "it's inconvenient" - getting breached is much more inconvenient.

Privileged Access Management

Privileged accounts have elevated permissions that can cause significant damage if compromised. Domain administrators, database administrators, cloud platform administrators, and service accounts often have privileged access.

Privileged access management applies additional controls to these high-risk accounts. This includes password vaults for credential storage, session recording for activity monitoring, and just-in-time access for temporary privilege elevation.

Just-in-time access provides elevated permissions only when needed and automatically removes them after a specified time period. This reduces standing privileges and limits exposure if accounts are compromised.

Digital Identity Types

Your organization manages several types of digital identities, each with different management requirements.

Employee Identities

Employee identities are the most straightforward to manage because they follow predictable lifecycle patterns tied to HR processes. New hires get provisioned, role changes trigger access updates, and terminations require de-provisioning.

The challenge is ensuring access changes happen quickly enough to support business operations while maintaining security controls.

Contractor and Partner Identities

External identities don't follow your normal HR processes. Contractors might work for multiple organizations simultaneously. Partners need access to specific systems but shouldn't see sensitive internal data.

These identities need special handling for provisioning, access reviews, and de-provisioning. They often require manual processes because they don't integrate cleanly with HR-driven automation, so at a minimum give every external identity an internal sponsor who answers for it and a hard expiry date so access ends by default rather than by someone remembering to remove it.

Service Accounts

Service accounts enable applications and systems to authenticate and access resources. They don't represent humans, so they don't follow normal identity lifecycle patterns.

Service accounts need different management approaches: a named human owner, credential rotation, access monitoring, and an inventory so that orphaned accounts don't accumulate when their owner leaves or a project is retired.

Customer Identities

Customer identities let external users access your applications and services. These identities are typically self-service for registration and password management.

Customer identity management focuses on secure authentication, privacy compliance, and integration with business applications rather than internal access controls.

Basic Identity Lifecycle Management Tools

Effective identity lifecycle management requires tools that automate provisioning, access reviews, and de-provisioning across your entire environment.

Identity Governance Platforms

Identity governance platforms provide centralized management for identity lifecycles across multiple systems. These platforms connect to your HR systems, directory services, and business applications to automate provisioning and de-provisioning. They also provide access review workflows and compliance reporting.

Directory Services

Directory services store identity information and provide authentication services for connected systems. Active Directory dominates on-premises environments, while Azure AD (now Microsoft Entra ID) and other cloud directories handle cloud-based identities.

Directory services integrate with identity governance platforms to provide the underlying identity store and authentication mechanisms.

Privileged Access Management Tools

PAM tools provide additional security controls for privileged accounts. CyberArk, BeyondTrust, and Thycotic (now part of Delinea) are leading PAM vendors.

These tools include password vaults for secure credential storage, session management for privileged access monitoring, and just-in-time access for temporary privilege elevation.

IT Service Management Integration

Identity lifecycle management works best when integrated with existing IT service management processes. This means connecting identity tools with your ticketing system, approval workflows, and change management processes.

Tools like Jira Service Management can handle identity requests alongside other IT services. This integration provides better visibility, consistent processes, and audit trails for identity-related activities.

Identity Lifecycle Management (ILM) Best Practices

Record All Existing Digital Identities and Access

Start by collecting all your user accounts and noting their access rights. Go into each of your business apps and directories. For instance, how many identities are in Active Directory, and which of them hold privileged access?

Phase Your Rollout

Focus on a specific part of access management and lock it down. Don't try to implement everything at once.

That might be as simple as the initial creation of employee accounts, which is the starting point of identity lifecycle management.

Or, go from the top down. Manage access for your most privileged user accounts first before you work on user identities without elevated access.

Add access reviews once basic lifecycle management for user identities is working. Implement advanced features like data analysis and just-in-time access management after core processes are stable.

Focus on Automation

Automation is essential to secure identity management. Remove manual steps wherever you can: manual processes are where access changes get delayed, forgotten, or applied inconsistently, and that is where stale access and orphaned accounts come from.

Put every part of your identity lifecycle management (ILM) on auto-pilot. That should include provisioning triggered automatically by HR events such as a new hire record or a role change, complete de-provisioning as part of offboarding, and access reviews executed on a fixed schedule.

Record, Monitor, Measure

When it comes to identity management, nothing is insignificant. Everything related to identities and access must be logged, complete with the who, what, when, how, and why.

Track key metrics like time to provision new accounts, percentage of access reviews completed on time, and number of orphaned accounts discovered during identity management audits.

Plan for Exceptions to Enhance Security

Not every identity fits standard patterns. Emergency access needs, contractor arrangements, and legacy system limitations require exception processes.

Document these exceptions clearly and review them regularly to ensure they don't become permanent workarounds that undermine your security posture.

Multiplier: Identity Lifecycle Management for JSM

Identity lifecycle tools are only as good as the processes behind them. Most teams buy ILM platforms that sit unused because they don't integrate with existing workflows.

As an Atlassian app, Multiplier connects identity lifecycle management directly to JSM workflows and your identity provider.

Book a demo on our calendar - let's do a quick ILM audit to see where Multiplier can make the biggest impact for your identity management process.

You can also install Multiplier from Atlassian Marketplace for a free 14-day trial.

About the author

Amaresh Ray

Amaresh Ray is co-founder of Multiplier, an IT automation tool built for Jira Service Management trusted by organizations such as Indeed, Opengov and National Geographic.

Amaresh previously served on the Jira Service Management team at Atlassian, where he gained extensive expertise in IT service management and workflow automation.
