Sanity Check
Posted by quietlydaphne@reddit | sysadmin | 24 comments
Trying to sanity check something.
How are people actually handling user lifecycle in practice these days? Onboarding/offboarding, moving users between groups/OUs, etc.
I know there are tools for this (Okta, BetterCloud, scripts, etc.), but I’m more curious what it looks like in reality.
Does it actually end up being clean and automated, or is it still a mix of:
- manual changes
- partial scripts
- tickets/spreadsheets to track things
Especially once people start changing roles or you’ve got a lot of churn.
Feels like this should be “solved” by now, but maybe I’m wrong?
WestOpening1350@reddit
It's definitely not fully solved, and most of us run a workflow held together by manual effort and luck. You usually have a clean path where an HRIS feeds Entra ID or Okta for the core apps, but everything breaks down once you hit niche tools or legacy portals that do not support SCIM. Role changes are also a nightmare for permission creep since old groups rarely get removed. Other than that, I've seen some clever solutions that use a browser level layer to wrap SSO and lifecycle controls around apps that don't natively support them. Unless you have a dedicated IAM team, you're doing fine just trying to automate what you can and manually managing the rest.
WestOpening1350@reddit
But also - not sure if this thread is a way to sell something, since this account is new and only has this thread. Might be a bit sketch
Altusbc@reddit
Op is a spammer and probably doing research for the next vibe coded AI slop app. Check his post history.
morilythari@reddit
Looks like they purged it
Curious201@reddit
for offboarding, the dangerous part is usually not the account disable itself, it is all the places nobody remembers to remove access from. hr can trigger the process, but they should not be the only control. i would keep a small checklist tied to the role: email/m365 or google workspace, vpn, password manager, payroll/hr system, crm, shared drives, accounting, physical keys/badges, phone number, domain registrar, social media, bank access, and any vendor portals. the best version is a ticket created by hr with a manager sign-off, then IT works through the access list and records what was removed. if you are relying on memory or “tell IT when someone leaves,” it will fail sooner or later, especially with contractors and people who only used one weird SaaS twice a year.
That_Lemon9463@reddit
honest answer: not nearly as solved as you'd think.
joiner/leaver is fine in most shops with HRIS as source of truth into entra/okta via SCIM. workday or BambooHR fires a hire date, idp provisions account, group memberships drive app access via SCIM/SAML. termination flips on the same path, license released, mailbox to shared, drive transferred per retention policy.
mover is where everyone falls over. role change in HRIS doesn't deprovision old access because entitlements get accumulated by ticket over time, not tied to job code. you end up with people who have engineering AD groups + finance shared drives + the old support tier-2 entitlements they got two years ago. you need an actual access-recertification cycle (quarterly review of entitlements per user) or you get permission creep until someone runs a discovery and panics.
other gap nobody talks about: service accounts, shared mailboxes, vendor accounts. not in HRIS, often no owner field, survive forever past the human who created them. tag everything with an owner attribute on creation or you'll find ghost accounts during the next M365 audit.
tooling: entra lifecycle workflows + access reviews if you're an MS shop is "good enough" for SMB. above ~1k seats people actually deploy SailPoint/Saviynt and the JML workflow is custom-coded around the HRIS attributes. okta lifecycle management + okta workflows for everything else. nothing is plug-and-play, all of it needs ~6 months of attribute mapping to actually work.
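The mover problem and the ownerless-account gap described in this reply, as an added example that is not code from the thread or any product named in it: a small access-recertification pass over a constructed IdP export. Entitlements not granted by the user's current job code are flagged for review, and non-human accounts with no owner attribute are flagged as ghost candidates. The job codes, group names and accounts are all constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Birthright entitlements per HRIS job code (constructed mapping, not any real org's).
BIRTHRIGHT = {
    "ENG-2": {"grp-engineering", "grp-github", "grp-vpn"},
    "FIN-1": {"grp-finance", "grp-erp-readonly", "grp-vpn"},
    "SUP-2": {"grp-support-t2", "grp-crm", "grp-vpn"},
}

@dataclass
class Account:
    name: str
    entitlements: Set[str]
    job_code: Optional[str] = None   # None for non-human accounts (not in the HRIS)
    owner: Optional[str] = None      # owner attribute stamped at creation
    kind: str = "user"               # "user", "service" or "shared-mailbox"

def excess_entitlements(acct: Account) -> List[str]:
    """Entitlements the account's *current* job code does not grant."""
    baseline = BIRTHRIGHT.get(acct.job_code, set())
    return sorted(acct.entitlements - baseline)

def recertify(accounts: List[Account]) -> List[Tuple[str, str, List[str]]]:
    """One finding per account needing review: (name, reason, entitlements)."""
    findings = []
    for a in accounts:
        if a.kind != "user":
            # No job code to compare against; the only control is a named owner.
            if not a.owner:
                findings.append((a.name, "no-owner", sorted(a.entitlements)))
            continue
        extra = excess_entitlements(a)
        if extra:
            findings.append((a.name, "review-excess", extra))
    return findings

def sample_accounts() -> List[Account]:
    """Constructed IdP export: alice moved from support to engineering and kept old groups."""
    return [
        Account("alice", {"grp-engineering", "grp-github", "grp-vpn",
                          "grp-support-t2", "grp-crm", "grp-finance-shared"}, "ENG-2"),
        Account("bob", {"grp-finance", "grp-erp-readonly", "grp-vpn"}, "FIN-1"),
        Account("svc-backup", {"grp-vpn", "grp-file-admin"}, kind="service"),
        Account("mbx-ap", {"grp-finance"}, owner="bob", kind="shared-mailbox"),
    ]

if __name__ == "__main__":
    for name, reason, ents in recertify(sample_accounts()):
        print(f"{name}: {reason} {ents}")
```

Running it lists alice's three leftover entitlements and the ownerless svc-backup account; bob and the owned shared mailbox produce no finding.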
Crazy-Rest5026@reddit
Usually it’s offboarding. HR communication with IT sucks. Always has always will.
As well as new user onboarding SOP. Making sure correct distribution groups etc. Always been a mess
Magic_Neil@reddit
HR: hey we fired a pile of people today
IT: ok that sucks, please make sure the supervisors enter termination request on the desk so they get processed
HR: that’s ok, you can do it
quietlydaphne@reddit (OP)
Yeah that seems to come up a lot.
On the onboarding side, is it mostly figuring out which groups people should be in, or just keeping it consistent once they’re set up?
LeidaStars@reddit
In reality it’s still pretty mixed. Most orgs have some automation for onboarding/offboarding, but role changes and edge cases still end up manual or ticket-driven. Identity tools help a lot, but keeping everything clean across apps and groups is harder than it sounds.
sysadminbj@reddit
Ours is kind of messy.
quietlydaphne@reddit (OP)
What part tends to get messy for you? Is it more the initial setup or when people start changing roles / leaving?
OneSeaworthiness7768@reddit
This is the “find a real problem to solve” step of the SaaS vibecoder handbook.
sysadminbj@reddit
It's mostly IAM based. We don't really have RBAC fully implemented. There's a lot of birthright stuff, but still a fair amount of "It's two weeks in and we just discovered that new hire needs access to $system..."
quietlydaphne@reddit (OP)
Yeah that tracks tbh.
Do you feel like it’s more a “roles aren’t really defined” problem or just stuff changing too often?
OneSeaworthiness7768@reddit
In what way is it not “solved”? This question is being asked here multiple times a week lately. Mostly from people trying to make/sell their own solution. So if you’re not one of those, what issue are you actually having that prompted you to ask?
plehmkuhl@reddit
Since IT and HR rarely see eye to eye, we have them send us a ticket notification once a new candidate has cleared their background checks. We then submit a service request for onboarding that kicks off a workflow in FreshService. This does almost all of the setup for a new employee - including addition to department/office and role security groups. In our form it also includes a section for non-standard software. When selected, it binds to a security group that leverages Company Portal/Intune to make that software available to the end user. Combine this with autopilot and a brief setup phase for the technician and onboards are quick and efficient.
Offboarding - We expose a service request item to our HR department that basically does the onboarding, but in reverse. There are a few other things we have in there for consideration, i.e. removing from all security groups, setting an out of office message, providing full email access to their supervisor, etc.
Changes - Everything requires a ticket. Most changes are still manual for us, but not all. We will automate all of these eventually.
HumbleSpend8716@reddit
you submit a request manually for every employee, you are not the authority you think you are on this topic
plehmkuhl@reddit
Thank you for your contribution to this post.
Opposite_Bag_7434@reddit
Ours was very messy; now it is much better, but there is still a ton of manual work. What we do have is process and some automation that works pretty well.
I’ve mentioned this recently. We base ours on user attributes that are tied to the department and role. We do have some manually assigned group memberships but quite a bit is now handled with dynamic groups.
Dynamic groups work well when based on these attributes when roles change or even when individuals move to a different department.
It doesn’t work well when HR decides to change a bunch of titles, makes new titles or when departments change names or new departments are added. This seems to be a constant battle.
Shortly accounting is getting their own bright shiny new toy that we are spending a ton of money on. They are requiring some stability in all of this naming, and new attributes set within our HRIS, so maybe we will capitalize on this as well.
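The attribute-driven dynamic groups and the title-rename failure mode from this reply, as an added example that is not the poster's configuration: a tiny evaluator for membership rules keyed on HRIS-sourced attributes, in the spirit of Entra dynamic membership rules, plus a check that shows who silently drops out of a group when HR renames a title without the rules being updated. Rules, group names and users are all constructed.

```python
from typing import Dict, List, Set

Rule = Dict[str, Set[str]]   # attribute -> allowed values; every attribute must match
User = Dict[str, str]

# Constructed dynamic-membership rules (not any real tenant's).
RULES: Dict[str, Rule] = {
    "grp-finance": {"department": {"Finance"}},
    "grp-finance-leads": {"department": {"Finance"},
                          "jobTitle": {"Controller", "Finance Manager"}},
}

def matches(rule: Rule, user: User) -> bool:
    # A missing attribute never matches, so a user with no jobTitle falls out of every title rule.
    return all(user.get(attr) in allowed for attr, allowed in rule.items())

def memberships(users: List[User]) -> Dict[str, List[str]]:
    """Group name -> sorted UPNs the rules currently select."""
    return {g: sorted(u["upn"] for u in users if matches(r, u)) for g, r in RULES.items()}

def dropped_after_title_rename(users: List[User], old: str, new: str) -> Dict[str, List[str]]:
    """Members lost per group when HR renames a title and the rules are not updated."""
    before = memberships(users)
    renamed = [dict(u, jobTitle=new) if u.get("jobTitle") == old else u for u in users]
    after = memberships(renamed)
    lost = {g: sorted(set(before[g]) - set(after[g])) for g in RULES}
    return {g: m for g, m in lost.items() if m}

def sample_users() -> List[User]:
    """Constructed directory snapshot."""
    return [
        {"upn": "carol@example.com", "department": "Finance", "jobTitle": "Controller"},
        {"upn": "dan@example.com", "department": "Finance", "jobTitle": "Accountant"},
        {"upn": "erin@example.com", "department": "Engineering", "jobTitle": "Controller"},
    ]

if __name__ == "__main__":
    print(memberships(sample_users()))
    print(dropped_after_title_rename(sample_users(), "Controller", "Head of Accounting"))
```

The second line of output shows carol dropping out of grp-finance-leads with no ticket or error, which is exactly the kind of rename that the rules only survive if the attribute (or the rule) is kept stable.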
HumbleSpend8716@reddit
your shitty solution won't be better than an IGA product. stop slop advertising. mods pls
exercisetofitality@reddit
When the user reaches end of life we call John Wick.
Secret_Account07@reddit
Automation
It removes HR or managers from not notifying or onboarding. Legit can't hire someone at our org without following the process
quietlydaphne@reddit (OP)
That’s actually pretty interesting.
Does that still hold up once people start changing roles or teams, or do things get messy again there?