Access / JML Provisioning Agent

Automate joiner, mover, and leaver access across your IdP, HRIS, MDM, and ticketing systems.

Connects with

Okta, Workday, Jamf, Slack

The problem it solves

Manual joiner-mover-leaver provisioning is slow, error-prone, and leaves orphaned accounts that fail audits. This agent listens for lifecycle events from your HRIS and orchestrates account, device, and access changes across every connected system, so new hires are ready on day one and leavers are fully cut off with an auditable trail.

Who it's for

  • IT operations and helpdesk teams running provisioning by hand
  • Security and GRC teams responsible for access reviews and audits
  • People Ops / HR teams managing the employee lifecycle
  • Growing companies without a dedicated IAM platform
  • MSPs handling onboarding and offboarding for multiple clients

What it does

  1. Detect lifecycle events

     Listen for or poll your HRIS for new hire, role-change, and termination events and route each to the right workflow.

  2. Provision identities

     Create or update accounts in your IdP and assign group memberships and application access based on role and department.

  3. Enroll devices

     Trigger device enrollment in your MDM for joiners so equipment is ready before the start date.

  4. Adjust access for movers

     Update group memberships and application entitlements to match a changed role, removing access that no longer applies.

  5. Open and track tickets

     Create a ticket for each event in your IT service desk and track manual steps like hardware shipping and badge access to completion.

  6. Offboard leavers

     Disable accounts, revoke access, and initiate remote device wipe or unenrollment so no access lingers after departure.

  7. Run access-review campaigns

     On a set cadence, send managers certification prompts via Slack and flag or revoke uncertified access once the window closes.
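The steps above amount to a desired-state reconciler: each HRIS event defines the entitlements a person should hold, the agent diffs that against what the IdP currently holds, grants the gap, revokes the excess, and writes every change to an audit trail. The following is an added illustration of that logic, not code from the Gamut agent or from any of the listed connectors; the role-to-entitlement policy table, the in-memory IdP stand-in, the group and app names, and the event shapes are all constructed for the example. It covers a joiner, the sales-to-customer-success mover from the sample use cases, a leaver, and the close of an access-review window.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed role-to-entitlement policy. Group and app names are hypothetical;
# in a real deployment this table mirrors your IdP's group and app model.
ROLE_POLICY = {
    "engineering":      {"grp-all-staff", "grp-eng", "app-github", "app-aws-dev"},
    "sales":            {"grp-all-staff", "grp-sales", "app-salesforce"},
    "customer-success": {"grp-all-staff", "grp-cs", "app-salesforce", "app-zendesk"},
}


@dataclass
class Account:
    active: bool = True
    entitlements: set = field(default_factory=set)


class InMemoryIdP:
    """Stand-in for the IdP connector (Okta and the like); keeps state in a dict."""

    def __init__(self):
        self.accounts = {}

    def ensure_account(self, uid):
        return self.accounts.setdefault(uid, Account())

    def grant(self, uid, ent):
        self.accounts[uid].entitlements.add(ent)

    def revoke(self, uid, ent):
        self.accounts[uid].entitlements.discard(ent)

    def disable(self, uid):
        self.accounts[uid].active = False


def desired_entitlements(event):
    """Desired state for one HRIS event: leavers get nothing, everyone else
    exactly the policy set for their current role. An unknown role yields the
    empty set, so a malformed HRIS record fails closed instead of keeping
    stale access."""
    if event["type"] == "leaver":
        return set()
    return set(ROLE_POLICY.get(event["role"], set()))


def reconcile(idp, event, audit):
    """Apply a joiner, mover or leaver event by diffing current against desired
    entitlements; every grant, revoke and disable is appended to `audit`."""
    uid = event["employee_id"]
    acct = idp.ensure_account(uid)
    desired = desired_entitlements(event)
    to_add = desired - acct.entitlements
    to_remove = acct.entitlements - desired
    for ent in sorted(to_add):
        idp.grant(uid, ent)
        audit.append((event["type"], uid, "grant", ent))
    for ent in sorted(to_remove):  # movers lose what the old role carried
        idp.revoke(uid, ent)
        audit.append((event["type"], uid, "revoke", ent))
    if event["type"] == "leaver":
        idp.disable(uid)
        audit.append(("leaver", uid, "disable", "account"))
    return acct


def close_review(idp, certified, window_end, today, audit):
    """Access-review close-out: once the window has passed, revoke every active
    entitlement a manager did not certify. `certified` maps uid -> set of
    entitlements the manager confirmed."""
    if today <= window_end:
        return []  # window still open; managers may still respond
    revoked = []
    for uid, acct in idp.accounts.items():
        if not acct.active:
            continue  # leavers are already fully deprovisioned
        for ent in sorted(acct.entitlements - certified.get(uid, set())):
            idp.revoke(uid, ent)
            audit.append(("review", uid, "revoke-uncertified", ent))
            revoked.append((uid, ent))
    return revoked


def demo():
    """Run the page's sample use cases against the in-memory IdP (constructed data)."""
    idp, audit = InMemoryIdP(), []
    reconcile(idp, {"type": "joiner", "employee_id": "e100", "role": "sales"}, audit)
    reconcile(idp, {"type": "mover", "employee_id": "e100", "role": "customer-success"}, audit)
    reconcile(idp, {"type": "joiner", "employee_id": "e200", "role": "engineering"}, audit)
    reconcile(idp, {"type": "leaver", "employee_id": "e200", "role": "engineering"}, audit)
    # Quarterly review: e100's manager certifies only the baseline group and Salesforce.
    close_review(idp, {"e100": {"grp-all-staff", "app-salesforce"}},
                 date(2024, 3, 31), date(2024, 4, 1), audit)
    return idp, audit


if __name__ == "__main__":
    for row in demo()[1]:
        print(row)
```

Two design points carry over to a real connector: the mover path never "adds the new role on top" but recomputes the full set, which is what makes the least-privilege claim hold; and the review close-out is gated on the window date, so nothing is revoked while managers can still certify.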

Key benefits

  • New hires are provisioned and ready on their first day
  • Leavers are fully deprovisioned with no orphaned accounts
  • Clean, auditable trail for every access change and review
  • Fewer manual provisioning errors and helpdesk tickets
  • Role changes reconciled automatically to least-privilege access
  • Periodic access certifications that keep audits on track

Sample use cases

A new engineer is marked as hired in Workday.

The agent creates their Okta account, assigns engineering groups and apps, enrolls their laptop in Jamf, and opens a Jira ticket tracking hardware shipping.

An employee transfers from sales to customer success.

The agent updates their IdP group memberships and application access to match the new role and removes entitlements tied to the old one.

An employee is terminated in Rippling.

The agent disables their accounts, revokes all access, triggers a remote wipe in Intune, and logs every step for the offboarding audit.

A quarterly access review comes due.

The agent generates certification prompts, sends managers Slack reminders, and revokes any access left uncertified after the review window closes.

Key integrations

  • Okta

    Identity provider for account creation, group membership, and application access (Azure AD or Google Workspace also supported).

  • Workday

    HRIS source for joiner, mover, and leaver events (Rippling or BambooHR also supported).

  • Jamf

    MDM for device enrollment on joiners and remote wipe on leavers (Microsoft Intune also supported).

  • Jira Service Management

    IT service desk for creating and tracking provisioning tickets (ServiceNow also supported).

  • Slack

    Notification channel for access-review certification prompts and IT/security alerts.

Most teams stitch joiner-mover-leaver provisioning together with checklists, shared inboxes, and a handful of admin consoles. The gaps show up as new hires waiting on accounts and, more dangerously, as leavers who keep access for weeks after they are gone. This agent closes those gaps by treating every HRIS lifecycle event as a single trigger that fans out to identity, device, and ticketing systems.

Because all company-specific context is added during onboarding rather than baked in, the same agent works for a 50-person startup or a regulated enterprise. It adapts to whichever IdP, HRIS, MDM, and ticketing stack you already run, so you get consistent, auditable access management without committing to a heavyweight IAM-as-a-service platform.

Getting started

  1. Import the workspace: drag the template zip into the Gamut agent import dialog to load the agent into your workspace.
  2. Run the onboarding skill: a setup session starts automatically to capture your role, company, the systems to connect, and your notification channel, cadence, and thresholds.
  3. Give it a first task: point it at a recent hire or termination and let it run the provisioning workflow end to end.

Frequently asked questions

What are identity and access management solutions, and how does this agent fit?

Identity and access management solutions control who can access which systems across the employee lifecycle. This agent automates that work by provisioning joiners, adjusting movers, and deprovisioning leavers across your existing tools rather than replacing them.

Does the agent change access without approval?

You set the boundaries during onboarding. It can run provisioning automatically from HRIS events, while access-review revocations route through manager certification, so sensitive changes get sign-off before anything is revoked.

Which systems does it work with?

It connects to your IdP (Okta, Azure AD, or Google Workspace), HRIS (Rippling, BambooHR, or Workday), MDM (Jamf or Intune), ticketing (Jira or ServiceNow), and Slack. You choose which to connect during setup.

How is this different from doing JML provisioning manually or with generic tools?

Manual provisioning misses steps and leaves orphaned accounts that fail audits. Unlike generic identity and access management tools, this agent orchestrates identity, device, ticketing, and access reviews together from a single HRIS trigger, with a complete audit trail.

Can it handle access reviews and certifications?

Yes. On a configurable cadence it generates access-review reports, sends managers certification prompts via Slack or email, and flags or revokes uncertified access after the review window closes.

How much does it cost?

The template itself is free to import and run on Gamut. You only need accounts for the systems you connect, which most teams already have as part of their existing identity and access management software.