Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.provisionr.io/llms.txt

Use this file to discover all available pages before exploring further.

Sarah got promoted last month. She was a Sales Development Rep; now she’s an Account Executive. Different team, different manager, different tools, different access needs. HR updated her title in Workday. The change synced to Okta. Her email signature got updated. Her LinkedIn shows the new role. But here’s what didn’t happen:
  • Nobody removed her from the SDR Slack channels
  • Nobody removed her from the SDR Google Groups
  • Nobody removed her access to the SDR-specific Salesforce dashboards
  • Nobody added her to the AE Slack channels
  • Nobody added her to the AE Google Groups
  • Nobody added her to the AE-specific tools
It’s been a month. Sarah figured out most of the access she needed through trial and error and access requests. She still has all her old SDR access—she just doesn’t use it anymore. Nobody noticed. Nobody submitted a ticket. Nobody’s tracking it. This is the mover problem. And it’s happening in organizations everywhere, right now.

The Forgotten Middle: Joiners, Movers, Leavers

Identity lifecycle management focuses on three stages: Joiners (onboarding), Movers (role changes), and Leavers (offboarding). Most organizations have reasonable processes for two of these and completely neglect the third.
1

Joiners get attention

They’re visible. Someone new shows up. They need access. If they don’t get it, they complain. A natural forcing function exists.
2

Leavers get attention

The stakes are obvious. Someone leaves the company. Their access must be revoked. Security audits specifically look for terminated employees with active accounts. Compliance pressure is direct.
3

Movers get ignored

They’re invisible. The person is still employed. They still have an account. Nothing is obviously broken. The gaps only surface if someone specifically looks—and nobody’s specifically looking.
But movers are where the real risk accumulates.
The joiner-mover-leaver lifecycle is a core control expectation in SOC 2 and ISO 27001. Auditors specifically test whether role changes trigger access reviews. When movers retain previous-role access indefinitely, it creates findings for CC6.2 (logical access controls) and A.9.2.5 (review of user access rights). The mover problem is an audit finding waiting to be discovered.

The Dual Problem: Old Access and Missing Access

When someone changes roles, two things should happen and usually don’t:
1

Old access should be removed

The SDR doesn’t need SDR tools anymore. Keeping that access violates least privilege. It’s a compliance risk. It’s a security risk if credentials are compromised. But removing access requires someone to know what to remove and actually do it.
2

New access should be granted

The new AE needs AE tools. Missing access creates productivity loss and access request volume. But granting access requires someone to know what to grant and actually do it.
In practice, neither happens reliably: The old access persists because no one proactively reviews what should be removed. The new hire checklist doesn’t have a “remove old stuff” section. And the employee isn’t going to submit a ticket asking to lose access. The new access gets granted piecemeal through access requests. The employee discovers what they’re missing over days or weeks, submitting requests each time. By the time they have everything they need, hours of productivity and IT time have been burned. This is the worst of both worlds: over-privileged (keeping old access) and under-equipped (missing new access) at the same time.

Why Movers Are Harder Than Joiners

With a new hire, the starting point is zero. Whatever access they get is being added. The checklist, flawed as it is, covers “what to add.” With a mover, the starting point is their existing state. IT teams need to know:
  • What access does this person currently have?
  • What access should they have in their new role?
  • What’s the delta—what needs to be added and what needs to be removed?
This requires knowing two things most organizations don’t track well: complete current access inventory and complete role-based access expectations. Without knowing what access someone currently has across all systems, the removal calculation can’t happen. Without clear policies for what each role should have, the addition calculation can’t happen. So movers become a manual puzzle-solving exercise that nobody has time for, which means it doesn’t happen, which means access accumulates.

Access Accumulation: The Creeping Risk

Consider someone who’s been at an organization for five years and changed roles three times:
  • Year 1: Joined as Support Analyst. Got Support access.
  • Year 2: Moved to Support Team Lead. Kept Support access, added Team Lead access.
  • Year 3: Moved to Operations Manager. Kept everything, added Operations access.
  • Year 4: Moved to IT Systems Administrator. Kept everything, added IT Admin access.
  • Year 5: Current state—has Support + Team Lead + Operations + IT Admin access.
They don’t need Support access anymore. They definitely don’t need the Team Lead access for a team they haven’t managed in three years. But nobody’s removed it. Nobody’s reviewed it. It’s just there. Now multiply this by every employee who’s changed roles. Multiply by every year they’ve been employed. Multiply by every system with role-based access. This is accumulated access. It grows silently over time. It represents both compliance risk (access beyond job requirements) and security risk (larger blast radius if the account is compromised). When auditors ask “does everyone have access appropriate to their current job function?”—accumulated access is why the honest answer is often “we don’t actually know.”
Access accumulation directly contradicts least-privilege principles required by SOC 2 CC6.1 and ISO 27001 A.9.1.2. Auditors sample users with long tenure and multiple role changes specifically to test for this pattern. Each role transition without access review is a control gap. The finding writes itself: “User retained access from previous roles without documented business justification.”

The Manual Solutions Don’t Scale

Organizations try to solve the mover problem through manual processes:
1

Role change checklists

Like onboarding checklists, but for transitions. Same problems—always out of date, require manual effort, don’t cover edge cases.
2

Manager responsibility

“When an employee changes roles, review their access.” Managers don’t have visibility into what access exists. They don’t have time. They approve requests; they don’t audit existing access.
3

Annual access reviews

Once a year, ask managers to certify their employees’ access is appropriate. Managers rubber-stamp because the lists are too long and the context is missing. Real issues don’t surface.
4

IT-initiated audits

Periodically review access for specific systems. Resource-intensive, point-in-time, usually triggered by an audit finding rather than proactive prevention.
None of these scale. None of them provide real-time accuracy. None of them actually solve the problem—they just create checkboxes that let organizations claim they tried.

Policy-Based Movers: Automatic Recalculation

Here’s how policy-based access handles movers differently: Instead of “run a checklist when someone changes roles,” the system continuously evaluates “does this person’s current attributes match this Ruleset’s conditions?” When Sarah’s title changed from “Sales Development Rep” to “Account Executive,” her attributes changed in the directory. The policy engine re-evaluates every Ruleset she’s attached to: SDR Team Ruleset: Condition is title contains "Sales Development". Sarah no longer matches. She’s marked for removal from SDR resources. AE Team Ruleset: Condition is title contains "Account Executive". Sarah now matches. She’s marked for addition to AE resources. No checklist. No manual review. No ticket. The system recalculates membership based on current attributes and adjusts access accordingly. This happens automatically, on the next sync cycle, for every system governed by policy. Sarah’s access reflects her current role, not her historical accumulation of roles.

Graceful Deprecation: Avoiding the “Oops” Problem

Immediate access revocation on role change can cause problems. What if the attribute change was a mistake? What if there’s a transition period? What if Sarah is still wrapping up SDR work for another week? This is why a good policy engine supports graceful deprecation—a configurable period between “no longer qualifies” and “actually removed.” Here’s how it works:
  1. Sarah’s attributes change. She no longer matches the SDR Ruleset conditions.
  2. Instead of immediate removal, her membership is set to expires_at = 30 days from now.
  3. For the next 30 days, she still has access—but it’s flagged as expiring.
  4. IT can review expiring access and either accelerate removal (it’s correct, remove now) or extend it (she needs more transition time).
  5. After 30 days, if no action is taken, access is automatically removed.
This grace period prevents the “we changed her title and she lost access to everything mid-project” panic. It gives IT visibility into what’s about to change. And it still ensures access doesn’t persist indefinitely. The default grace period is configurable—30 days works for some organizations, 7 days for others, 90 days for roles with long transitions. The point is that the policy engine handles the lifecycle automatically while giving humans appropriate oversight.
Graceful deprecation with documented expiration dates satisfies auditor requirements for access outside standard policy. The audit trail shows: when the attribute changed, when the grace period started, whether IT reviewed it, and when access was removed. This creates defensible evidence for SOC 2 CC6.2 and demonstrates controlled exception handling rather than access drift.

What Movers Look Like with Policy-Based Access

Let’s replay Sarah’s promotion with policy-based access: Day 0: HR updates Sarah’s title from “Sales Development Rep” to “Account Executive” in Workday. Day 0 + sync cycle: The change flows to Okta. Provisionr’s directory sync picks up the attribute change. Rulesets are re-evaluated. Automatic results:
  • Sarah no longer matches SDR Rulesets → memberships flagged for deprecation
  • Sarah now matches AE Rulesets → memberships added
  • Downstream syncs update Google Groups, Slack, GitLab, Okta apps
Day 1: Sarah signs in. She already has AE access. SDR access is still active (grace period) but she’s not using it. Day 30: SDR access is automatically removed. Sarah likely doesn’t notice because she hasn’t used it in a month. Audit trail: Complete record of when Sarah’s attributes changed, which Rulesets she matched before and after, when access was added and removed, and why. No scrambling. No tickets. No accumulated access. No compliance gaps.

The Manager’s View

With policy-based movers, managers finally have visibility they’ve never had. When someone on their team changes roles, they can see:
  • What access the person is losing (and when it will be removed)
  • What access the person is gaining (already provisioned or pending)
  • Any discrepancies between expected and actual access
If the transition needs adjustment—extend access to a resource for a handoff period, or accelerate removal because it’s definitely not needed—the manager can request it. But they’re not starting from scratch, trying to figure out what access exists. The system shows them the current state and the expected changes. They’re approving or adjusting a proposed transition, not constructing one from nothing.

Closing the Mover Gap

Movers are the forgotten middle of identity lifecycle. They create silent risk through access accumulation. They burden IT with preventable access requests. They frustrate employees who can’t get what they need for their new role. The solution isn’t better checklists or more frequent audits. The solution is policy-based access that recalculates membership when attributes change. When access policies are defined as “who should have this based on their current role,” movers handle themselves. The system adapts to reality. Humans provide oversight, not manual execution. Organizations can stop scrambling every time someone changes teams. Let the policy engine do what it’s designed to do.
Next up: a specific case study of where role changes create the most chaos. It’s the sales team. Frequent reorgs, territory changes, and title shuffles make sales access management uniquely challenging—and a perfect test case for policy-based automation.
Ready to solve the mover problem? Learn how graceful deprecation works in Provisionr