Overview

A university’s identity lifecycle created access drift because joiner-mover-leaver events were handled inconsistently across Human Resources, the registrar, and downstream applications. Provisioning was driven by tickets and email, groups accumulated stale members, and offboarding lagged for student workers and adjuncts. Intelligex connected Workday and Okta to a rules-based provisioning engine, enabled SCIM provisioning to major applications, and instituted periodic access reviews with clear ownership. Joiner-mover-leaver accuracy improved, privilege escalations became less frequent, and approvals for role changes moved faster—while Workday, Okta, and campus systems remained in place.

Client Profile

  • Industry: Higher education (university)
  • Company size (range): Multi-college campus with central IT and distributed departments
  • Stage: Workday for HR; Okta as the identity provider; provisioning and access reviews handled through tickets and spreadsheets; varied downstream apps across academic and administrative units
  • Department owner: IT & Infrastructure (Identity & Access Management)
  • Other stakeholders: HR/Workday, Registrar, Information Security, Department Administrators, Research IT, Library Systems, Internal Audit, Legal/Privacy

The Challenge

Identity events were constant and nuanced. Faculty appointments changed each term, adjuncts and student workers started and stopped frequently, and staff moved between schools and centers. Each change required manual updates to groups and app entitlements. Tickets requested role adjustments after the fact, and emails approved temporary access without a durable trail. As a result, people retained access they no longer needed, movers received inconsistent permissions, and leavers were deprovisioned at different times depending on who owned the process.

Source data and tools were fragmented. Workday held authoritative employment and job data, while registrar systems tracked student statuses. Some apps consumed nightly flat files; others relied on ad hoc scripts. Okta contained groups that no one owned, and application admins created local roles for edge cases. Reporting who had access to what involved stitching together extracts, and periodic reviews were conducted as one-off campaigns that didn’t align with hiring or term cycles.

Risk and friction accumulated. Information Security saw privilege escalations and dormant accounts during audits, and department admins waited for approvals to move collaborators and researchers onto the tools they needed. Offboarding steps for departing workers were uneven, and exceptions piled up as leadership made case-by-case decisions.

Why It Was Happening

Root causes were the absence of a canonical role model and a governed lifecycle. HR and registrar data were authoritative but not unified, and Okta groups reflected historical projects more than current roles. There was no rules engine to translate Workday events into entitlements based on department, appointment type, and affiliation, and no standard SCIM provisioning to propagate changes to applications. Access reviews were episodic and manual, so drift persisted between review cycles.

Ownership and timing were misaligned. HR captured real-time employment changes, the registrar managed academic statuses, department admins controlled local roles, and IT handled tickets. Without a workflow that joined these sources and enforced approvals under change control, identity changes translated into late or uneven access updates and a growing backlog of exceptions.

The Solution

Intelligex implemented a rules-based provisioning pipeline anchored on Workday as the source of truth and Okta as the identity and policy engine. Attribute- and role-based rules mapped job and academic attributes to application entitlements; downstream systems received updates through SCIM where available; and SAML/OIDC centralized authentication. Periodic access reviews targeted high-risk apps and roles, and movers and leavers triggered automatic deprovisioning with safeguards. Approvals for exceptions flowed through a queue with owner accountability. The design leveraged Workday HCM, Okta Identity Governance, and SCIM provisioning principles as defined in RFC 7644, aligned to control concepts in NIST SP 800-53.

  • Integrations: Workday events for hires, transfers, and terminations; Okta for identity, MFA, SSO, and group policy; SCIM connectors for Google Workspace, Microsoft 365, ServiceNow, Canvas, and other campus systems; registrar data for academic status; notifications and approvals via collaboration and ticketing tools.
  • Canonical identity model: Unified person record with affiliations (employee, faculty, student, contractor), department and school, job and appointment details, and lifecycle status; owner metadata for groups and entitlements.
  • Provisioning and deprovisioning rules: Finance-grade change control for role maps; attribute-based logic to grant or revoke app roles and groups; safeguards for critical roles; timed grace periods where policy required.
  • Access reviews: Periodic certifications for high-risk apps and privileged roles; dean/department head review flows; reason codes and evidence capture; remediation routed back to provisioning.
  • Exception handling: Maker-checker approvals for out-of-policy access; break-glass with time-bound tokens and post-use review; segregation of duties enforced.
  • Controls and monitoring: Immutable logs of events, rule evaluations, approvals, and app updates; drift detection for manual changes in downstream apps; dashboards for joiner-mover-leaver posture and review status.
  • Security and privacy: Least privilege by default; role-based access to identity data; suppression of sensitive fields where not required for decisions; audit-ready exports.

Implementation

  • Discovery: Cataloged current Workday attributes, registrar feeds, and Okta groups; inventoried downstream apps and provisioning methods; reviewed joiner-mover-leaver timelines and exception patterns; gathered audit and privacy requirements; identified owners for roles and entitlements.
  • Design: Defined the canonical identity model and attribute mapping; authored role and entitlement rules with effective dating and rationale; specified SCIM provisioning, SAML/OIDC patterns, and drift detection; designed access review cadences, approver tiers, and exception workflows; planned dashboards and evidence exports.
  • Build: Implemented Workday event ingestion and normalization; configured Okta groups, lifecycle policies, and SCIM connectors; built the rules engine and approval paths; enabled registrar status joins; set up drift detection for manual app changes; assembled dashboards and audit logging.
  • Testing/QA: Ran in shadow mode, processing live identity events and generating draft provisioning outcomes while tickets continued; reconciled results with department admins; tuned role maps and grace periods; piloted access reviews for a subset of apps; validated exception handling and break-glass flow.
  • Rollout: Activated automated provisioning for foundational apps first; retained manual tickets as a controlled fallback; expanded to additional systems and roles as stability grew; enforced mandatory access reviews for privileged roles post-training.
  • Training/hand-off: Delivered sessions for HR, registrar staff, department admins, and IT on reading role maps, approving exceptions, and conducting reviews; updated SOPs for hires, transfers, terminations, and seasonal appointments; transferred ownership of rules and review cycles to Identity & Access Management under change control.
  • Human-in-the-loop review: Established recurring governance to refine role definitions, review exceptions and escalation trends, and adjust grace periods; decisions recorded with rationale and effective dates.

Results

Provisioning and deprovisioning aligned with reality. Workday and registrar events drove Okta changes directly, SCIM kept downstream apps synchronized, and movers received the right access at the right time. Department admins saw faster responses to role changes because approvals and ownership were clear, and leavers lost access according to policy with documented grace periods where required.

Governance and audit readiness improved. Access reviews focused on high-risk roles, exceptions were visible and time-bound, and logs tied every entitlement to the source event, rule, and approval. Privilege escalations declined as ad hoc groups were retired or assigned owners, and break-glass usage followed a controlled path. HR, registrar, and IT kept their tools; the addition was a rules-based lifecycle and review layer that reduced drift and made decisions traceable.

What Changed for the Team

  • Before: Tickets and emails drove access changes. After: Workday and registrar events triggered rules-based provisioning in Okta with SCIM to apps.
  • Before: Groups accumulated stale members. After: Lifecycle policies and access reviews removed entitlements when affiliations changed.
  • Before: Movers waited for manual approvals. After: Attribute-based rules granted and adjusted access with approver sign-off where policy required.
  • Before: Offboarding timing varied by team. After: Deprovisioning followed a single policy with documented grace periods and logs.
  • Before: Exceptions lived in inboxes. After: Maker-checker approvals and time-bound break-glass were recorded and monitored.
  • Before: Audit packs were assembled by hand. After: Evidence exports tied roles and app updates to events, rules, and approvals.

Key Takeaways

  • Start with a canonical identity model; unify HR and registrar attributes before mapping entitlements.
  • Automate the lifecycle; drive provisioning and deprovisioning from source events using RBAC/ABAC and SCIM.
  • Keep humans in the loop; require approvals for exceptions and certify high-risk roles on a schedule.
  • Detect and prevent drift; monitor manual app changes and retire unmanaged groups.
  • Document the why; version role maps and capture rationale, owners, and effective dates.
  • Integrate, don’t replace; keep Workday, Okta, and campus apps, and add a governed lifecycle and review layer.

FAQ

What tools did this integrate with? Workday provided authoritative HR events, Okta handled identity, SSO, MFA, and group policy, and downstream apps integrated through SCIM and SAML/OIDC. Representative systems included Google Workspace, Microsoft 365, ServiceNow, and Canvas. Governance followed concepts in Okta Identity Governance and SCIM standards (RFC 7644).

How did you handle quality control and governance? Role maps and entitlement rules lived under change control with owners, rationale, and effective dates. Every identity event, rule evaluation, approval, and downstream app update was immutably logged. Access reviews certified high-risk roles and apps, and exceptions required maker-checker approvals with time-bound expiration and post-use review.

How did you roll this out without disruption? The engine ran in shadow mode, generating draft provisioning outcomes while existing ticket workflows continued. Differences were reconciled with department admins, rules and grace periods were tuned, and automated provisioning was enabled for a small set of apps first. Manual tickets remained a controlled fallback during early cycles.

How were complex affiliations modeled (faculty, staff, students, contractors)? The canonical model captured multiple affiliations per person with department, appointment type, and term. Attribute-based rules layered entitlements by affiliation and resolved conflicts through precedence, so movers and dual-affiliation users received the union of policy-approved access with safeguards for privileged roles.
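As an added illustration (not code from Intelligex or the university), the affiliation logic described in this answer and the drift detection from the Solution section, reduced to a small Python model: entitlements are the union over affiliations that are active or still inside a leaver grace period, privileged roles are only reachable through an approved, unexpired exception, and the rules' answer is compared with what a downstream app reports. The rule table, entitlement names, grace periods and sample person are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set
# Constructed rule table (an assumption, not the university's real role map): affiliation -> entitlements.
RULES: Dict[str, Set[str]] = {
    "employee": {"m365:staff", "workspace:staff", "servicenow:requester"},
    "faculty": {"canvas:instructor", "library:faculty"},
    "student": {"canvas:student", "workspace:student"},
    "contractor": {"workspace:guest"},
}
PRIVILEGED: Set[str] = {"servicenow:admin", "okta:super_admin"}  # only via approved, time-bound exception
GRACE_DAYS: Dict[str, int] = {"employee": 0, "faculty": 30, "student": 14, "contractor": 0}  # assumed policy

@dataclass
class Affiliation:
    kind: str
    active: bool
    ended: Optional[date] = None  # set once the affiliation has lapsed (leaver/mover event)

@dataclass
class Person:
    uid: str
    affiliations: List[Affiliation]
    exceptions: Dict[str, date] = field(default_factory=dict)  # entitlement -> expiry date

def desired_entitlements(p: Person, today: date) -> Set[str]:
    """Union of rule-granted access over active or in-grace affiliations;
    privileged roles are stripped unless an unexpired exception covers them."""
    granted: Set[str] = set()
    for a in p.affiliations:
        in_grace = a.ended is not None and today <= a.ended + timedelta(days=GRACE_DAYS[a.kind])
        if a.active or in_grace:
            granted |= RULES[a.kind]
    granted -= PRIVILEGED  # precedence: the safeguard beats any affiliation rule
    granted |= {e for e, expiry in p.exceptions.items() if expiry >= today}
    return granted

def detect_drift(desired: Set[str], actual: Set[str]) -> Dict[str, Set[str]]:
    """Compare the rules' answer with what the app reports (e.g. a SCIM group read-back)."""
    return {"unauthorized": actual - desired, "missing": desired - actual}

def sample_case(today: date = date(2024, 9, 1)):
    # Constructed dual-affiliation mover: faculty appointment ended 10 days ago (inside the
    # 30-day grace), now an active student, plus an admin exception still inside its time box.
    p = Person("u123", [Affiliation("faculty", False, date(2024, 8, 22)), Affiliation("student", True)],
               exceptions={"servicenow:admin": date(2024, 9, 10)})
    desired = desired_entitlements(p, today)
    actual = {"canvas:student", "m365:staff"}  # constructed read-back from the downstream app
    return desired, detect_drift(desired, actual)
```

The "unauthorized" set is what a drift alert would raise for a manual change made directly in the app; the "missing" set is what the provisioning step would push.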

How were periodic access reviews conducted? Certification campaigns targeted high-risk apps and roles, routed to deans or department heads as appropriate. Reviewers received focused lists with context and reason codes, and remediations fed back into provisioning to add or remove entitlements. Campaign outcomes, comments, and actions were logged for audit.

How did you handle exceptions and break-glass? Out-of-policy access requests flowed through an exception queue with reason codes and attachments. Approvals required maker-checker sign-off, entitlements were time-bound by default, and usage triggered alerts and post-use review. All exceptions appeared on dashboards and in periodic governance forums.
