Employee Lifecycle Automation Platform
In-house joiner, mover, and leaver automation that replaced a paid SaaS appliance with a consistent, auditable provisioning system for an organization of 650+ employees.
Project Brief
- Role
- Identity service owner and automation engineer
- Scope
- Joiner, mover, and leaver workflows across the identity stack and enterprise SaaS portfolio supporting 650+ employees
- Collaboration
- IT, security, and application owners
- Result
- Replaced a paid lifecycle appliance with owned automation that made provisioning and deprovisioning consistent, auditable, and easier to adapt
Evidence Included
Sanitized lifecycle flow
The architecture below preserves the control-plane and downstream provisioning pattern while omitting internal systems and identifiers.
Control narrative
The approach documents how lifecycle states, identity controls, SaaS actions, exception handling, and audit evidence fit together.
Operational outcome
The result and metrics distinguish the production scope from a prototype: 650+ employees and a paid appliance replaced.
650+
Employees in operating scope
Replaced in-house
Paid lifecycle appliance
Consistent + auditable
Provisioning model
The Problem
Employee onboarding and offboarding crossed the identity directory and a broad SaaS portfolio. A paid lifecycle appliance handled part of that work, but the organization still needed stronger ownership, clearer auditability, and automation that could match its real access rules without adding more manual tickets.
My Approach
- Mapped the lifecycle into explicit joiner, mover, and leaver states so access changes follow one repeatable control path instead of a collection of one-off administrator actions.
- Built an in-house automation layer around the identity and SaaS APIs already in use, covering account provisioning, group and role changes, license assignment and reclamation, and deprovisioning.
- Used the identity platforms as the control plane for downstream access, keeping authentication, group membership, and application provisioning aligned as an employee's role changed.
- Made each run observable and auditable so operators could verify what changed, investigate exceptions, and produce consistent evidence for ISO 27001 controls.
- Documented the operating model and exception path so the platform could be supported as a production service rather than depending on one-off script knowledge.
Architecture Diagram
Employee Lifecycle Control Flow
Approved Change
Lifecycle Event
Joiner / mover / leaver
Automation
Workflow Engine
Validation + orchestration
Identity
Okta
SSO + app provisioning
Entra ID
Directory + groups
Access
SaaS Portfolio
Accounts, roles, licenses
Assurance
Audit Trail
Results + exceptions
Sanitized reconstruction of the lifecycle pattern; internal application names, rules, and identifiers are intentionally omitted.
Stack
Identity
Automation
Operations & Governance
Skills Demonstrated
- ▸Identity lifecycle architecture across directories and SaaS applications
- ▸API-driven provisioning, access changes, and deprovisioning
- ▸Replacing vendor dependency with maintainable in-house automation
- ▸Designing identity operations for auditability and repeatable control execution
- ▸Owning a production identity service that supports 650+ employees