If your first 30 days still depend on someone manually adding app access in Okta, you don't have an onboarding process. You have a queue with a nicer name, and streamlining new hire onboarding won't happen until access stops being treated like random admin work.
I've seen this go sideways a bunch of times. A new hire starts Monday, their manager assumes everything is ready, IT assumes the manager requested the right apps, Security assumes access is temporary, and Finance assumes licenses aren't being handed out forever. Cute little assumption pile. Expensive too.
Key Takeaways:
- New hire onboarding breaks when access requests live in Jira, Slack, email, and the identity provider at the same time.
- The real bottleneck usually isn't account creation. It's unclear ownership, vague role bundles, and access that never expires.
- If IT spends more than 10 minutes per routine access request, automate the request path before buying another governance portal.
- Treat onboarding like a bill of materials: every role gets a defined app set, approval path, license owner, and expiry rule.
- Usage data matters after day 30. Unused licenses should trigger warnings, then reclamation, not another spreadsheet project.
- Jira and Slack work better as the front door because employees already use them. Separate portals create more drift.
- If you want to see access requests, approvals, and provisioning stay inside Jira, Learn more about Multiplier.
Why New Hire Onboarding Breaks Inside Access Queues
New hire onboarding breaks when access ownership is split across too many places. Jira captures the request, Slack carries the chase, the identity provider holds the control, and a spreadsheet becomes the audit record. Once those systems drift, speed and governance both lose.
The Monday Morning Access Pileup
At 9:12 AM on a Monday, a workplace technology manager opens Jira and sees 37 access tickets from new hires. Half of them say things like “need marketing tools” or “same access as Priya.” Two managers are in offsites, one app owner left the company, and someone has already pinged IT in Slack because their new analyst can't get into the data warehouse.
Sound familiar? I don't think onboarding fails because IT teams are lazy or slow. Most of the time, they're stuck translating vague requests into real identity changes while everyone else sees a simple ticket. One access request might require checking the employee's department, confirming the manager, finding the right Okta group, asking an app owner, assigning the license, updating the Jira issue, and then saving enough evidence for audit later. That's a lot of tiny moves for something people expect to happen instantly.
A useful diagnostic is simple. Pull 20 onboarding-related access tickets from the last month and count how many had enough information for IT to act on the first read. If fewer than 15 were complete, your intake is the problem. If 15 or more were complete but still took more than one business day, your approval or provisioning path is the problem. Different fix. Same queue.
Why Separate Portals Make the Problem Worse
Separate access portals sound reasonable because identity governance feels like a specialized function. Fair. Dedicated IGA systems can make sense in large enterprises with complex policy teams, heavy segregation of duties, and long implementation cycles. The catch for high-growth companies is that new hire onboarding happens inside the service desk first, not inside a governance portal.
When employees already live in Jira Service Management and Slack, a separate portal becomes a second front door. People don't remember where to go, managers approve in the wrong place, and IT ends up reconciling systems by hand. Atlassian has been leaning into employee service management for exactly this reason, with companies using Jira Service Management to manage employee lifecycle work across onboarding, changes, and offboarding, as covered in Atlassian's Vuori employee lifecycle story.
The pattern is basically airport baggage routing. If every bag has one barcode and one system of record, the airport can move thousands of bags without asking every passenger where their suitcase went. If bags move through five handwritten lists, someone eventually finds a suitcase in Denver that should've gone to Boston. Access works the same way. One request record should carry the approval, the entitlement change, the expiry, and the audit trail.
The Cost Isn't Just IT Time
The cost of bad onboarding access isn't only the 5 to 30 minutes IT spends per request. The bigger cost is the drag across the whole first week. A new hire waits for a tool, the manager gets distracted, Security inherits standing access, and Finance pays for licenses that may never be used.
A fintech company that grew to nearly 1,200 employees saw hundreds of routine access requests coming through Slack, email, and Jira. IT had to chase approvals and manually assign Okta groups. That kind of setup doesn't look broken at 100 people. At 1,000, it becomes a daily tax. We were surprised by how often the “access problem” is actually a cost problem in disguise, especially when unused SaaS seats stay active long after onboarding.
The emotional part matters too. Nobody joins a company excited to file tickets on day one. And nobody in IT wants to spend Tuesday copying people into groups because Monday's onboarding batch missed half the information. Access should feel boring. When it doesn't, the next question is pretty obvious: what would a clean onboarding access system actually look like?
How to Build a Cleaner New Hire Access System
A cleaner new hire access system starts by defining access before the employee arrives. The work is role mapping, request design, approval routing, and automated removal. Get those four pieces right and streamlining new hire onboarding becomes much less about heroics.
Diagnose Whether You Have an Intake Problem or a Governance Problem
Before changing tooling, classify the mess. Ask five questions about your last 30 new hires: did their manager request access before day one, did the request include role and duration, did the right approver act within 24 hours, did provisioning happen through the identity provider, and did anyone review unused access after 30 days? If you miss two or more, your process isn't mature enough for more policy. It needs cleaner mechanics.
I like this test because it prevents teams from buying the wrong fix. If requests arrive incomplete, a better approval engine won't save you. If approvals happen quickly but IT still manually assigns groups, intake isn't the issue anymore. If provisioning works but access never expires, you've got a least privilege problem hiding inside a successful onboarding process. Different stage. Different move.
Run the check in buckets:
- 0 to 1 misses: tighten edge cases, especially elevated access and contractors.
- 2 to 3 misses: standardize role bundles and approval paths before adding more controls.
- 4 to 5 misses: rebuild onboarding access around a single system of record.
- Unknown answers: start with measurement, because missing data is already a governance problem.
Build Role Bundles Like a Bill of Materials
Manufacturers don't build products by asking the assembly line what parts feel right today. They use a bill of materials. New hire onboarding needs the same discipline: each role gets a defined access bundle, and every app in that bundle has an owner, approval rule, license type, and removal condition.
The mistake I see is treating role-based access like a giant upfront architecture project. That almost never works. Start with your top 10 roles by hiring volume, because those produce the most repeatable access requests. For each role, write down the apps required on day one, the apps requested during week one, and the elevated access that should require a time limit. Not perfect. Just useful.
A good threshold: if an app appears in more than 70% of requests for a role, include it in the default bundle. If it appears in 30% to 70%, make it selectable during onboarding. If it appears in fewer than 30%, leave it as an ad hoc request with a clear approver. That one rule cuts a lot of debate because you're not guessing from memory. You're letting request history tell you what belongs in the bundle.
Move Approval Decisions to the People Who Actually Know
Approval chains fail when they route to impressive titles instead of useful owners. A VP might have authority, but the app owner knows whether the requester needs Admin or Viewer. The manager knows the job scope. Security knows which access should be temporary. Good onboarding routes different decisions to different people instead of making one person rubber-stamp everything.
There is a tradeoff here. More specific approvals can add steps. That's valid. If every app needs a custom approval chain, new hire onboarding becomes slow again, and nobody wants that. The trick is to split low-risk and high-risk access. Auto-approve standard day-one tools for common roles, route specialized apps to owners, and force elevated roles through stricter review or time-bound grants.
One practical rule: if an entitlement can expose customer data, production systems, financial records, or admin controls, don't make it standing access by default. Route it for approval and attach a duration. If it can't create meaningful risk and it's required by most people in that role, don't waste human approval time. This is where policy-heavy approaches often fail. They ask humans to approve too many obvious things, so humans stop paying attention.
Provision Through the Identity Provider, Not Side Notes
Provisioning should happen through your identity provider groups wherever possible. Okta, Entra ID, and Google Workspace already know who the user is, what groups they belong to, and what applications depend on those groups. Jira should carry the request and evidence, but the identity provider should be the place where access actually changes.
The before and after is pretty stark. Before, IT reads a Jira ticket, opens Okta, searches the user, finds the group, adds the person, screenshots the change, comments on the ticket, and hopes they picked the right group. After, the approved request maps to the right identity provider group and the ticket records the action. Fewer clicks. Fewer mistakes. Better audit trail.
NIST's access control guidance emphasizes account management, authorization, and removal as core controls, which lines up with this operational reality: access governance only works when approvals and entitlement changes are tied together, not scattered across notes and screenshots. You can see that in the NIST SP 800-53 access control family. The mechanism matters. If approvals live in one system and group changes happen somewhere else, every audit becomes a reconstruction exercise.
For teams evaluating the Jira-native path, See how Multiplier works when you want the request, approval, and identity provider action tied back to the same Jira record.
Put Expiry Dates on Access Before It Becomes Permanent
Access without an expiry date tends to become permanent by accident. Especially during onboarding. A new hire gets extra permissions to “get settled,” the manager forgets, IT moves on, and six months later that person still has access they needed for three days.
The fix is not telling people to remember cleanup. They won't. I wouldn't either. The fix is setting time limits at request time for anything elevated, sensitive, or experimental. If a new sales ops hire needs temporary admin access to clean up a CRM import, give them 24 hours or one week. If an engineer needs production database access for onboarding shadow work, make the access expire automatically.
Use a simple rule: any access granted outside the standard role bundle should either have an owner review date or an automatic expiry. For privileged access, default to 1, 6, or 24 hours depending on the task. For project-based access, default to 7, 30, or 90 days. Some teams will argue that expiry creates friction, and they're not entirely wrong. But friction at the request stage is cheaper than standing privilege that lingers for years.
Reclaim Licenses Based on Real Usage, Not Gut Feel
License cleanup after onboarding should use login activity, not vibes. A new hire may request five tools in week one, use two of them, and forget the rest. Multiply that across 200 hires and suddenly Finance is asking why SaaS spend keeps climbing even though headcount plans looked reasonable.
A good reclamation rule starts with inactivity thresholds. For standard SaaS apps, 30 days without login is usually enough to trigger a warning. For expensive or sensitive apps, use 14 days. For apps with quarterly usage patterns, use 60 or 90 days. The key is the warning step. Tell the user their access will be removed unless they log in or ask for an exception. Then remove it if nothing happens.
This is where streamlining new hire onboarding connects directly to SaaS waste. Onboarding doesn't end when the account is created. It ends when the company knows which access was needed, which licenses are active, and which entitlements should be removed. A clean process should produce three outputs after the first month:
- active tools the employee actually used
- unused tools that can be reclaimed
- elevated or temporary access that already expired
Keep the Audit Trail Inside the Original Work
Audit evidence should be created while the work happens. Not rebuilt later. If the request came through Jira, the approval happened in Slack, the group change happened in Okta, and the evidence got pasted into a spreadsheet, you've got four versions of the same story.
I get why spreadsheets happen. They're flexible, auditors understand them, and a team can make one fast when the deadline is close. Fair point. The downside is that spreadsheets reward cleanup after the fact instead of clean execution in the moment. You end up proving governance by assembling fragments instead of showing the original record.
A stronger pattern is to make the Jira issue the audit spine. The request, manager or app owner approval, identity provider group change, expiry, and revocation all tie back to the same record. Think of it like a medical chart. You don't want the diagnosis in one room, the prescription in another, and the discharge notes in someone's inbox. You want the story in one place, because that's how people trust it later.
How Multiplier Makes Access Work Inside Jira
Multiplier makes onboarding access easier by keeping requests, approvals, provisioning, expiry, and evidence inside Jira Service Management and Slack. It doesn't replace your identity provider. It uses Okta, Entra ID, or Google Workspace group mappings so access changes stay authoritative.
Jira-Native Requests With Identity Provider Provisioning
Multiplier starts with an Application Catalog in Jira Service Management, where employees can browse approved apps, select roles, and submit access requests without learning a new portal. The catalog syncs apps and groups from Okta, Entra ID, or Google Workspace, and each role can map to one or more identity provider groups. So when the Jira issue reaches the approved status, Multiplier can add the user to the mapped group and record the outcome back on the ticket.
That matters for streamlining new hire onboarding because intake and execution stop being separate chores. A manager isn't sending a vague Slack message. IT isn't copying someone into groups manually. The request has the app, role, approver, and record in Jira from the start. For companies like VideoAmp, where new hires created a Tuesday pileup of access requests after growing from 100 to 500 employees, the self-service catalog model gave IT a cleaner way to handle routine requests without routing people to another portal.
Multiplier also supports approval workflows through managers, app owners, or specified users, with decisions happening in JSM or Slack. The Slack app is useful because approvers can act from the tool they already check all day, while Jira remains the system of record. If your team wants that model inside your own service desk, Get started with Multiplier.
Time Limits, Reviews, and License Reclamation
Multiplier's Time-Based Access lets requesters choose a duration, such as 1, 6, or 24 hours, when time-bound access is enabled. After approval, access is provisioned through the mapped identity provider group, and then removed when the timer expires. That directly addresses the hidden onboarding problem where temporary access quietly turns into standing access.
For cost control, Auto Reclaim uses last-login data from connected identity providers to identify inactive users, send warning emails, and revoke access after the grace period if the user stays inactive. It also generates a Jira ticket documenting the removal. Important caveat: Auto Reclaim is available on the Advanced edition, and its accuracy depends on the login telemetry available from the identity provider. Still, the operating model is the right one. Don't ask IT to remember license cleanup. Build the cleanup into the system.
Access Reviews add another layer when quarterly or periodic certification is required. Reviewers can see user attributes, groups, last login, and recommendations in JSM, then choose Keep or Revoke. Revocations can remove users from relevant identity provider groups and create Jira evidence. That connects the whole loop: onboarding access, usage-based cleanup, and review-based governance. The cleaner the loop, the less your audit depends on memory.
New Hire Onboarding Gets Better When Access Has an Owner
Streamlining new hire onboarding doesn't start with another portal. It starts with one owner for the access path, one record for the request, and one mechanism for provisioning and removal. Jira is already where a lot of that work begins, so forcing identity governance somewhere else often creates more work than it removes.
The practical move is pretty simple. Pick your highest-volume roles, define their access bundles, route exceptions to the right approvers, provision through your identity provider, and reclaim unused licenses based on real login activity. Not glamorous. Just repeatable. And repeatable is what lets IT support growth without turning every Monday into another access fire drill.
Frequently Asked Questions
How do I set up the Application Catalog in Jira?
To set up the Application Catalog in Jira using Multiplier, start by navigating to your Jira Service Management (JSM) portal. From there, you can configure the catalog to display approved applications for your employees. Make sure to sync the applications from your identity provider like Okta or Google Workspace. This allows employees to browse and request access to applications directly within Jira, streamlining the process and ensuring that all requests are documented in one place.
What if my new hire needs access to a non-standard application?
If a new hire needs access to a non-standard application, you can enable the 'Other' option in the Application Catalog. This allows them to submit a request for applications not listed in the catalog. You’ll need to ensure that the request is routed to the appropriate approver for manual provisioning. Even though it might require some extra steps, this approach keeps the approval process consistent and documented within Jira.
Can I automate license reclamation for inactive users?
Yes, with Multiplier's Auto Reclaim feature, you can automate the process of reclaiming licenses from inactive users. You can set inactivity thresholds (like 30 days) and define grace periods for notifications. If a user exceeds the inactivity limit without logging in, Multiplier will automatically revoke their access and generate a Jira ticket documenting the removal. This helps optimize your SaaS spend and ensures that licenses are only assigned to active users.
When should I conduct access reviews for my team?
You should conduct access reviews periodically, typically every quarter, to ensure that users have the appropriate access levels. With Multiplier's Access Reviews feature, you can create campaigns that allow designated reviewers to assess user access based on criteria like last login dates and usage patterns. This process helps maintain security and compliance while ensuring that unnecessary privileges are revoked promptly.
How do I implement time-based access for sensitive roles?
To implement time-based access for sensitive roles, you can enable the Time-Based Access feature in Multiplier. When submitting a request, users can select a duration (like 1, 6, or 24 hours) for their elevated access. Once approved, the access is provisioned automatically and will expire after the selected duration, minimizing the risk of standing privileges. This ensures that sensitive access is granted only when necessary and is automatically revoked afterward.
