Most "modern" identity tools quietly assume your critical apps all support SCIM.

Look at your actual stack: Notion, Figma, Linear, Miro, niche SaaS, some on-prem, a few OT systems. Only a sliver is truly automatable.

This guide details-step by step-how to automate the full Joiner-Mover-Leaver (JML) lifecycle, including apps without SCIM or APIs. Real solutions, real gaps closed. Focus:

  • Identity automation that covers your whole stack
  • Provisioning and deprovisioning without firefighting
  • Identity lifecycle management that solves the "mover" headache
  • App provisioning that dodges the SCIM tax
  • SaaS security that's more than governance theater

You'll leave with a sharp JML project plan for lean IT-and a clear sense of where tech like Iden fits in.

What you need before you start

No IAM empire required. Just the essentials:

  • SSO in place (e.g., Okta, Entra) as your authentication backbone
  • HRIS or people-data source (Workday, BambooHR, Personio, payroll)
  • Rough app list (SaaS, on-prem, internal, OT/ICS)
  • At least one ITSM/ticket channel (Jira, ServiceNow, Slack)
  • Executive buy-in: JML automation is a priority, not a wishlist item

That's plenty to get started.

Step 1 - Map your real JML lifecycle

Skip idealized diagrams. Map what happens today.

  1. List identity types:
    • Employees
    • Contractors/vendors
    • External partners
    • Service accounts, bots, AI agents ("new species of identities")
  2. Document real J, M, L flows:
    • Joiner: How does HR notify IT? Where do access requests live? When are accounts created-before or after day one?
    • Mover: How do you find out about role or manager changes? Who actually revokes old access? How often?
    • Leaver: What triggers offboarding? Who checks the long tail apps?
  3. Note delays and failure points:
    • Missing requests/tickets
    • "Temporary access" that never goes away
    • Former staff still hanging out in your Slack or GitHub months later

Common mistake
Teams over-model roles before mapping their actual process. Nail reality first; model later.

Output: a concise one-page JML flowchart, with identity types and tools.

Step 2 - Inventory apps, expose the SCIM gap

View your stack through a governance lens, not just licensing.

  1. Build a simple inventory (yes, a spreadsheet works):
    • App name
    • Owner
    • User count
    • SSO? (Y/N)
    • SCIM? (Y/N)
    • Usable API? (Y/N)
    • Criticality
  2. Classify integration capability:
    • Tier A - SCIM via SSO
    • Tier B - API but no SCIM
    • Tier C - No SCIM, weak/no API

Most teams discover just 20-40% of apps are SCIM-enabled; the rest stay stuck with tickets and spreadsheets

About 60% of SaaS apps lack native SCIM support-leaving most "modern IGA" tools with partial coverage at best.

  1. Identify long-tail risk:
    • Apps with payment, code, or production data-not SCIM integrated
    • Apps used by temps/contractors
    • Admins outside IT (Marketing, RevOps, OT)

Tip
Skip chasing 100% on day one. Prioritize non-SCIM apps handling sensitive, production, or revenue data-they're the highest risk.

Output: a tiered app list that makes gaps impossible to deny.

Step 3 - Design policy-driven access

Automate only after defining who gets what, when, why.

  1. Define access "bundles" by attributes-not title:

    • Department/cost center
    • Location/entity
    • Employment type (FTE, contractor, partner)
    • Seniority/criticality

  2. Write plain-language JML policies:

    • Joiner: "All new EMEA engineers get GitHub, Jira, Notion, Slack, and specific channels, day one."
    • Mover: "When sales moves to CS, revoke Salesforce, retain Slack, add Zendesk."
    • Leaver: "HR triggers offboarding, all accounts-including long-tail-deprovisioned in 60 seconds."

  3. Add SoD (Segregation of Duties) guardrails:

    • "No user approves their own finance requests."
    • "No engineer gets persistent production write; just-in-time only."

  4. Decide approval points:

    • Birthright access (auto)
    • Sensitive (manager/data owner)
    • Emergency/break-glass (short-lived, always reviewed)

Capture these in a document security, IT, and HR align on.

Step 4 - Baseline automation for SCIM apps

Uncontroversial but rarely complete.

  1. Wire HRIS -> SSO -> SCIM apps:

    • HRIS event creates SSO identity
    • SSO assigns groups/attributes
    • SCIM provisions/deprovisions

  2. Use policy-mirrored groups:

    • e.g., dept=engineering, role=support, avoiding app-specific groups

  3. Automate leavers via HR termination -> SSO deactivation -> SCIM offboarding

Nice baseline for 20-40% of your stack. Now, let's fix the real challenge-the other 60-80%.

Common mistake
Doing only SCIM flagship apps and calling it "done." SCIM is table stakes, not complete governance.

Step 5 - Onboard non-SCIM/no-API apps via universal connectors

Most SSO-linked tools stop here. Universal connectors pick up the slack.

Why scripts/RPA fall short

Scripting one app is doable; scripting 40:

  • Brittle: Breaks with every UI or API tweak
  • Blocked: MFA, CAPTCHA, odd workflows
  • Chaotic: Different logs, error handling, and versioning

Auditors hate it. Teams tire of it. Security gets holes.

What "universal connectors" mean

A universal connector platform abstracts per-app quirks, offering policy-driven provisioning/modification/deprovisioning-even for apps without SCIM or a usable API.

With Iden:

  • Any app: SCIM, REST, or none using proprietary connectors
  • Fine-grained control: Down to Slack channels, GitHub repos, Notion pages, Jira projects
  • Zero engineering/upkeep: IT writes policy; platform handles maintenance, healing

Iden's catalog covers 175+ apps (Notion, Slack, Figma, Linear, etc.), plus rapid delivery for new connectors

More about Iden

How to onboard a non-SCIM app (example: Notion)

  1. Connect the app: Admin login, connector discovers users, groups, workspaces
  2. Map attributes/entitlements: Link HRIS/SSO attributes to Notion workspaces/groups, set onboarding templates
  3. Bind to JML events:
    • Joiner: HRIS -> create Notion, assign workspace, share KB
    • Mover: Reassign workspace, revoke old team pages
    • Leaver: Remove access, transfer ownership, reclaim license
  4. Test, then go live: Start "shadow" mode, verify changes, switch to active

Repeat for other Tier B/C apps. Prove it with the 5-10 biggest pains first.

Tip
Start with non-SCIM apps that drive tickets, are contractor-heavy, or hold sensitive data.

Step 6 - Solve the mover problem with event-driven, agentic workflows

Joiners/leavers are simple; movers are messy. This is where real governance wins or loses.

Risk pattern:

  • Access added instantly.
  • Old access never removed.
  • Staff who "move" build access sprawl overtime.

How to handle it:

  1. Multiple event sources: HRIS, org chart, ITSM tickets
  2. Explicit mover policies:
    • "Department X->Y: Remove bundle X, apply Y"
    • "New manager: Add approvals, not new data access"
  3. Automated before/after diffs: Breadcrumbing actual entitlements-approvers adjust exceptions only
  4. Agentic (AI-driven) workflows do cleanup: Continuously check entitlements vs. policy, flag/remove drift, human-in-the-loop only for outliers

Transform movers from a blindspot to a governed event.

Step 7 - Close the leaver gap and reclaim SaaS licenses

Leavers are where SaaS security often crumbles.

Audit stories routinely reveal tens of unknown, orphaned accounts on first automated offboarding pass

How to close it:

  1. Pick one offboarding trigger: HRIS "end date" or urgent security flag
  2. Automate leaver actions:
    • SSO disabled
    • All app accounts (SCIM & universal connector) deprovisioned
    • Shared access and ownership (Slack, Notion, GitHub) revoked/transferred
    • Licenses reclaimed
  3. Verify it happened:
    • Immutable audit log: Who, when, how
    • Flag failures for manual follow-up

Iden-driven deprovisioning eliminates partial offboards across SCIM+non-SCIM apps, leveraging HR events and universal connectors

Automated license reclamation plus bypassing SCIM-tax upgrades cut SaaS spend by up to 30%

Common mistake
Treating offboarding as "disable Okta and hope." SSO is merely the front door; long-tail apps often stay wide open.

Step 8 - Build for continuous governance, not point-in-time scripts

Static, quarterly CSV exports don't protect against continuous attacks.

Upgrade to continuous governance:

  1. Automate user access reviews (UARs): Snapshots by user/app/entitlement, with high-risk access pre-flagged; revokes automated

Automated UARs/evidence save lean IT ~120h/quarter on SOC 2/ISO 27001 prep

  1. Keep immutable audit logs: Every change, with actor, context, and reason
  2. Continuously reconcile policy vs. reality:
    • Agentic workflows detect/remediate entitlement drift in real time

This is where AI-driven agentic workflows take over-review, evidence-collection, deprovisioning, all in autonomous cycles.

Step 9 - Measure impact and iterate

If it doesn't move real numbers, it's just theater.

Track:

  • Manual access tickets per week
    Iden customers see 80%+ fewer tickets in 60 days after automating SCIM+non-SCIM apps
  • Time-to-onboard: From HRIS creation to access granted
  • Time-to-offboard: From HR termination to confirmed revocation
  • Orphaned accounts per audit
  • "SCIM tax" spend avoided (vs. connector licensing)

A 320-person org with a 2-person IT team cut tickets by 78% and reclaimed >50% of IT time using universal JML workflows

Use these metrics to:

  • Prove automation's value
  • Justify expanding coverage
  • Push back on overpriced SCIM-only enterprise plans

Bringing it all together: Beyond SCIM

Going beyond SCIM isn't a mantra. It means:

  • SSO + HRIS for identity backbone
  • SCIM for covered apps
  • Universal connectors for every other app
  • Policy-driven, agentic workflows for continuous reality alignment
  • Immutable logs & automated reviews for airtight compliance

Teams running this model cut 80% of tickets, save 120+ hours on compliance per quarter, and drop SaaS spend by up to 30%-with lean IT, no IAM army required

If your tools only automate SCIM, you're running identity theater. Risk, tickets, and cost hide in the 60-80% left out.

Next steps

Fast-growing SaaS org, lean IT? Here's your move:

  • Pick 5-10 high-impact non-SCIM apps (Notion, Figma, Linear, finance tools)
  • Draft clear JML and mover policies
  • Trial a universal connector platform like Iden
  • Measure tickets, access timing, and orphaned accounts before and after

Skip 12-month projects. Run one focused automation pilot. Prove governance across your whole stack-zero SCIM tax, no legacy baggage.

Stop being the human API. Automate every joiner, mover, leaver-across every app, not just SCIM-checked boxes.

FAQ

How is automating JML for non-SCIM apps different from just using SCIM?

SCIM's great-where it exists. But it usually covers only 20-40% of your stack. The rest-often the apps holding your most sensitive data-demand manual ticketing and spreadsheets.

Universal connectors let you build one policy engine for all apps, handling account and fine-grained rights changes-even for apps with no native provisioning.

Why not just use RPA to click through UIs for non-SCIM apps?

RPA works for a single workflow, but breaks on:

  • UI updates
  • MFA/CAPTCHA
  • Entitlement complexity
  • Lack of audit trails

Universal connectors bake in modeling, error handling, logging, and drift detection-without building 40 brittle bots.

Do I need a full IGA platform if I already have Okta or Entra?

Okta and Entra handle authentication. They offer some lifecycle, but only where SCIM or APIs exist. They miss deep permissioning and non-SCIM/legacy tools. Identity governance platforms (like Iden) fill that gap: complete, fine-grained, continuous governance-no SCIM tax, no gaps.

How does this help with audits like SOC 2 or ISO 27001?

Auditors want two answers: "Who had access to what, when?" and "Can you prove you removed access when people left or changed roles?"

Universal JML plus immutable logs means:

  • Every change is documented-actor, reason, context
  • UARs are auto-generated, routed, and certified
  • Audit evidence is turnkey-not a scramble for screenshots

Contractors, vendors, bots-handled?

These often bypass standard HR flows, making them prime candidates for orphaning. Treat as first-class in your design:

  • Attribute-, contract-, and project-based lifecycle controls
  • Time-bound access, auto-expiry
  • Governed by the same policies and connectors as staff

Joiner-mover-leaver applies-just swap HR triggers for contract or system events.

Book a call