TL;DR: Manual ticketing cannot keep pace with SaaS access changes across onboarding, role changes, and offboarding, according to Zluri’s guide to user lifecycle management. The governance issue is not just speed but whether access can be granted, changed, and revoked before privilege drifts beyond reviewable control.
NHIMG editorial — based on content published by Zluri: Access Management, how to manage user access and permissions in SaaS applications
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
Questions worth separating out
Q: How should organisations automate SaaS access requests without losing control?
A: Automate only the parts of the workflow that are policy-backed and attributable to authoritative identity data.
Q: Why do role changes create access risk in SaaS environments?
A: Role changes often leave the old access in place while new access is added, which creates privilege creep.
Q: What breaks when offboarding is handled manually?
A: Manual offboarding often misses one or more connected SaaS applications, especially when the user has accumulated access across teams or departments.
Practitioner guidance
- Tie provisioning to authoritative identity events: Use HR or identity source changes to trigger access actions automatically, and verify that onboarding, role change, and offboarding each map to explicit entitlement rules.
- Unify move, add, change, and leave workflows: Treat onboarding, mid-lifecycle change, and deprovisioning as one governed lifecycle so that access does not remain active simply because the user state changed in a different system.
- Restrict self-service requests to approved catalogs: Limit app requests to applications with documented ownership, approval criteria, and review cadence so that self-service does not become uncontrolled entitlement expansion.
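An added example, not taken from Zluri's guide or product: a sketch of the reconciliation the guidance above describes, where one authoritative HR event drives both grants and revocations so a role change cannot leave old access behind. The role map, the catalog, and the `plan_access` function are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample policy: role -> entitlements as (app, permission) pairs.
ROLE_ENTITLEMENTS = {
    "sales_rep": {("crm", "editor"), ("email", "user")},
    "sales_ops": {("crm", "admin"), ("bi", "viewer"), ("email", "user")},
}
# Constructed self-service catalog: only apps with a documented owner are requestable.
APPROVED_CATALOG = {"design_tool": "owner@example.com"}


@dataclass
class Plan:
    grant: set = field(default_factory=set)
    revoke: set = field(default_factory=set)


def plan_access(event, role, current, approved_requests=frozenset()):
    """Compute grants and revocations for one authoritative HR event.

    event: "join", "move" or "leave"; role: the user's role after the event;
    current: entitlements actually observed across connected SaaS apps;
    approved_requests: self-service grants that passed approval.
    """
    if event not in ("join", "move", "leave"):
        raise ValueError(f"unknown lifecycle event: {event}")
    if event == "leave":
        # Revoke what is observed, not what the role says the user should have.
        return Plan(revoke=set(current))
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"no entitlement rule for role: {role}")
    # Self-service grants survive only if the app is still in the approved catalog.
    kept = {e for e in approved_requests if e[0] in APPROVED_CATALOG}
    target = ROLE_ENTITLEMENTS[role] | kept
    current = set(current)
    return Plan(grant=target - current, revoke=current - target)


if __name__ == "__main__":
    observed = {("crm", "editor"), ("email", "user"),
                ("design_tool", "user"), ("file_share", "user")}
    move = plan_access("move", "sales_ops", observed,
                       approved_requests={("design_tool", "user")})
    print("grant:", sorted(move.grant))
    print("revoke:", sorted(move.revoke))
    print("leave:", sorted(plan_access("leave", None, observed).revoke))
```

Feeding the function observed entitlements rather than the expected ones is what surfaces access accumulated outside the role, such as the `file_share` grant in the sample data.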
What's in the full article
Zluri's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step workflow configuration for onboarding, role change, and offboarding in the Zluri interface
- App catalog and request flow mechanics for employee self-service approvals
- Specific action sequencing for adding tasks, saving playbooks, and scheduling lifecycle changes
- User interface steps for verifying identity and selecting recommended actions across SaaS apps
SaaS access permissions in lifecycle workflows: what changes for IAM?