TL;DR: Josys describes a trigger-condition-action workflow model for onboarding, offboarding, access reviews, and license management across SaaS apps. A study found that 89% of former employees still retained access to at least one application from a previous employer. The governance gap is not a lack of automation but a lack of reliable lifecycle closure across dozens of disconnected systems.
NHIMG editorial — based on content published by Josys: End-to-End Access Management Using Josys Workflows
By the numbers:
- 89% of former employees still retain access to at least one application from their previous employer.
Questions worth separating out
Q: How should security teams automate SaaS onboarding and offboarding without losing control?
A: Security teams should anchor automation to authoritative lifecycle events, then require each workflow to prove that access changed in every downstream application.
Q: Why do former employees still keep access after offboarding in many organisations?
A: Former employees keep access because offboarding is often treated as a task list instead of a closed lifecycle control.
Q: How do organisations know whether access review processes are actually working?
A: Access reviews are working only if reviewer decisions reliably produce downstream entitlement changes.
Practitioner guidance
- Bind workflow triggers to authoritative lifecycle events: Use HR, directory, and ITSM events as the only approved triggers for onboarding, mover, and leaver workflows, and document which source of truth owns each decision.
- Wire offboarding to confirmed revocation outcomes: Do not treat a completed workflow as proof of deprovisioning.
- Use shadow account discovery as a lifecycle exception queue: Treat unmanaged accounts and apps as unresolved lifecycle cases, not just hygiene findings.
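The last two guidance points, sketched as an added example (not Josys' code and not part of the original post): a leaver is closed only when account state read back from every app shows no active access, and active accounts with no directory identity go to an exception queue. The data shapes, field names, and sample values are assumptions constructed for illustration.

```python
# Added example; every name and value below is constructed for illustration.
LEAVERS = {"avery@example.com", "sam@example.com"}        # from the HR source of truth
DIRECTORY = LEAVERS | {"jo@example.com"}                  # identities the directory knows
WORKFLOW_STATUS = {"avery@example.com": "completed",      # what the offboarding workflow reported
                   "sam@example.com": "completed"}
APP_ACCOUNTS = {                                          # accounts read back from each app afterwards
    "chat": [{"email": "avery@example.com", "active": False},
             {"email": "sam@example.com", "active": True}],
    "crm":  [{"email": "sam@example.com", "active": False},
             {"email": "old-contractor@example.com", "active": True}],
    "wiki": [{"email": "Jo@Example.com", "active": True}],
}

def _norm(email):
    """Apps differ in case and whitespace handling; compare normalised addresses."""
    return email.strip().lower()

def residual_access(leavers, app_accounts):
    """Map each leaver to the apps where an account is still active."""
    leavers = {_norm(e) for e in leavers}
    residual = {e: [] for e in leavers}
    for app, accounts in sorted(app_accounts.items()):
        for acct in accounts:
            email = _norm(acct["email"])
            if email in leavers and acct["active"]:
                residual[email].append(app)
    return residual

def closure_report(leavers, workflow_status, app_accounts):
    """Closed only if the workflow finished AND no app still shows active access."""
    report = {}
    for email, apps in residual_access(leavers, app_accounts).items():
        if workflow_status.get(email) != "completed":
            report[email] = "open: workflow not completed"
        elif apps:
            report[email] = "open: still active in " + ", ".join(apps)
        else:
            report[email] = "closed"
    return report

def exception_queue(directory, app_accounts):
    """Active accounts with no matching directory identity become lifecycle cases."""
    known = {_norm(e) for e in directory}
    return sorted((app, _norm(a["email"])) for app, accts in app_accounts.items()
                  for a in accts if a["active"] and _norm(a["email"]) not in known)

if __name__ == "__main__":
    print(closure_report(LEAVERS, WORKFLOW_STATUS, APP_ACCOUNTS))
    print(exception_queue(DIRECTORY, APP_ACCOUNTS))
```

Both leavers have a "completed" workflow in the sample data, yet only one of them is reported closed, which is the gap the guidance describes.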
What's in the full article
Josys' full blog post covers the operational detail this post intentionally leaves for the source:
- The exact trigger-condition-action workflow structure used to automate access changes across SaaS apps
- The list of ready-to-use use case templates for onboarding, offboarding, shadow user management, and access reviews
- The integration path for webhooks, manual triggers, Jira tickets, emails, and HTTP requests into one workflow
- The platform-specific detail behind its native integrations and AI integration builder