TL;DR: Automated user discovery, license management, provisioning, deprovisioning, and access reviews in Harvest show how SaaS administration and user lifecycle controls converge when teams need tighter governance over who can use time-tracking and invoicing functions, according to Zluri. The deeper issue is that manual access handling still creates avoidable privilege and offboarding gaps across identity programmes.
NHIMG editorial — based on content published by Zluri: Automation How to Get More Out of Harvest Via Zluri’s Integration?
By the numbers:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
Questions worth separating out
Q: How should organisations govern SaaS provisioning and deprovisioning?
A: Organisations should govern SaaS provisioning and deprovisioning as lifecycle controls, not as ad hoc admin tasks.
Q: Why do manual offboarding processes create identity risk?
A: Manual offboarding creates identity risk because it depends on people remembering every connected system and every entitlement path.
Q: How do access reviews help reduce SaaS sprawl?
A: Access reviews reduce SaaS sprawl by forcing teams to confirm whether active users, inactive users, and assigned licences still match business need.
Practitioner guidance
- Tie deprovisioning to the business event. Make offboarding an enforced workflow, not an optional admin task, so access removal happens when employment or role change is recorded.
- Separate privileged app functions from standard access. Treat billing visibility, invoicing, and other high-risk functions as distinct entitlements that require explicit role assignment and periodic review.
- Reconcile discovery against active user lists. Use app discovery and licence reports to identify inactive users, stale assignments, and shadow app usage before renewal or audit cycles.
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step walkthroughs for configuring Harvest user provisioning and deprovisioning workflows.
- Practical examples of licence reassignment and inactive-user cleanup in a live SaaS admin flow.
- Details on billable-rate access controls for project managers and how those permissions are removed.
- Examples of user access review workflows that connect discovery output to entitlement decisions.
Harvest provisioning and deprovisioning: what IAM teams need to know?
Explore further
Access lifecycle, not feature richness, is the real control boundary in SaaS governance. The Harvest example shows that the meaningful security question is whether access can be created, narrowed, and revoked as roles change. A tool may improve operational efficiency, but the programme succeeds or fails on whether entitlements are kept current. Practitioners should treat lifecycle correctness as the control objective, not admin convenience.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how often discovery and governance remain disconnected.
A question worth separating out:
Q: Who should approve access to sensitive application functions?
A: Sensitive application functions should be approved by the role owner, not inherited automatically from basic application access. If billing visibility, invoice creation, or similar actions carry financial impact, they need explicit entitlement approval and periodic revalidation. That keeps high-risk capabilities tied to present job function rather than historical access.