Lifecycle

JML is the backbone of identity lifecycle management. Every person event triggers a predictable set of group changes.

Joiner

  1. Create the user in the appropriate OU (/w2/w2-probation for new W-2 employees).
  2. Add to the People roster (prv-org-people-w2-active or the appropriate variant).
  3. Add to a Team based on role/function.
  4. Subscribe to Mail lists (announce, department news, all-staff).
  5. Grant Role memberships as approved (time-boxed for elevated roles).
  6. Provision system access via role group membership.
  7. Promote from the probation OU to the active OU once onboarding and device compliance are complete.

Mover

  1. Update primary_department and primary_team within 1 business day.
  2. Remove from the old Team. Add to the new Team.
  3. Swap mail list subscriptions (old department news → new department news).
  4. Review Role memberships — remove roles that no longer apply; add new ones with approval.
  5. Update drive access if team-level drive bindings change.

Leaver

  1. Suspend the account. Move it to the offboarded OU.
  2. Remove from all Role groups (access revocation).
  3. Remove from all Teams (except offboarded rosters).
  4. Move to the offboarded People roster (prv-org-people-w2-offboarded etc.).
  5. Transfer content ownership (Drive files, Calendar).
  6. Move the license to the archive tier (or zero).
  7. Retain Vault holds per legal/compliance requirements.
  8. Remove from all Mail lists.

All access changes follow the R-A-F-V pattern:

  1. Request — Ticket with justification, scope, and requested duration.
  2. Approve — Owner of the role group (or delegate) approves.
  3. Fulfill — Add to role group. Document in ticket.
  4. Verify — Confirm access works. Close ticket.

  • Default duration: 90 days for elevated roles. Renew with re-approval.
  • Admin roles: Maximum 30 days. Require dual approval.
  • Breakglass: Emergency-only. Two-person rule. Evidence required.
  • No permanent elevated access without quarterly attestation.
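As an added example (not code from the original page), the joiner, mover and leaver steps together with the R-A-F-V duration limits modelled as a desired-state computation: every person event yields a predictable add/remove set, expired roles fall out until re-approved, and a role request over its tier's time-box is rejected at the Request step. The two People roster names are from the page; the prv-team-*, prv-mail-* and prv-role-* naming, the User fields and the reference date are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

TODAY = date(2024, 1, 15)                      # constructed reference date
# The two People rosters are named on the page; team/mail group naming is assumed.
PEOPLE_ACTIVE = "prv-org-people-w2-active"
PEOPLE_OFFBOARDED = "prv-org-people-w2-offboarded"
ORG_LISTS = {"prv-mail-announce", "prv-mail-all-staff"}
MAX_ROLE_DAYS = {"elevated": 90, "admin": 30}  # R-A-F-V duration rules

@dataclass
class User:
    email: str
    team: str
    department: str
    offboarded: bool = False
    roles: dict = field(default_factory=dict)  # role group -> expiry date

def role_request_ok(tier: str, days: int) -> bool:
    # Request step: a role grant may not exceed its tier's time-box.
    return 0 < days <= MAX_ROLE_DAYS[tier]

def grant_role(user: User, role: str, tier: str, days: int, today: date) -> None:
    """Fulfill step: record the approved, time-boxed role membership."""
    if not role_request_ok(tier, days):
        raise ValueError(f"{tier} role {role}: {days}d exceeds {MAX_ROLE_DAYS[tier]}d")
    user.roles[role] = today + timedelta(days=days)

def desired_groups(user: User, today: date) -> set[str]:
    """The predictable group set implied by the user's current state."""
    if user.offboarded:                        # leaver: only the offboarded roster stays
        return {PEOPLE_OFFBOARDED}
    groups = {PEOPLE_ACTIVE, f"prv-team-{user.team}",
              f"prv-mail-{user.department}-news", *ORG_LISTS}
    # expired roles drop out; renewal requires a fresh grant_role() after re-approval
    return groups | {r for r, exp in user.roles.items() if exp >= today}

def plan(current: set[str], user: User, today: date) -> tuple[set[str], set[str]]:
    """Return (add, remove) that converges current membership on the desired set."""
    desired = desired_groups(user, today)
    return desired - current, current - desired

if __name__ == "__main__":
    u = User("a@example.com", "platform", "eng")
    grant_role(u, "prv-role-prod-deploy", "elevated", 90, TODAY)
    current = plan(set(), u, TODAY)[0]                   # joiner: everything is an add
    u.team, u.department = "sre", "ops"                  # mover
    add, rem = plan(current, u, TODAY)
    print("mover add:", sorted(add), "remove:", sorted(rem))
    u.offboarded = True                                  # leaver
    print("leaver remove:", sorted(plan((current | add) - rem, u, TODAY)[1]))
```

The add/remove sets are what goes into the ticket as the Fulfill evidence; the leaver plan drops every Role, Team and Mail group and leaves only the offboarded roster, matching steps 2, 3, 4 and 8 above.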

Category | Examples | Approval | Lead Time
--- | --- | --- | ---
Standard | New team, new mail list | Team owner | Same day
Normal | New role group, new customer engagement | PLT + relevant owner | 1-2 business days
Sensitive | Admin role grant, new department, tenant change | PLT + SEC + Exec | 3-5 business days
Emergency | Breakglass, incident response | Two-person rule | Immediate (post-incident review)

  1. Open a ticket with category, justification, and scope.
  2. Get the required approvals.
  3. Implement the change.
  4. Attach evidence (screenshots, GAM output, IaC commit).
  5. Close the ticket with verification.

Every quarter, the following reviews must complete:

Review | Owner | What to Check
--- | --- | ---
Group ownership | PLT | Every group has >= 2 owners
Role attestation | Role owners | Members are still justified
OAuth/Marketplace | PLT + SEC | Allowlists are current
OU policy drift | PLT | Policies match canonical settings
Breakglass test | PLT + SEC | Keys work, process documented
External members | SEC | Zero externals on TEAM/STRICT
Automation scopes | PLT | DWD scopes still minimal
Mail list hygiene | PLT | Allowlists, moderation, directory

  • Primary: On-call personnel receive alerts via prv-{owner}-alerts-* groups.
  • Escalation: If on-call can’t resolve, escalate via Slack/PagerDuty (not email).
  • Post-incident: Document in the ticket. Review alert routing effectiveness.