By Yair Knijn · June 4, 2025
The new hire who couldn't log in for three days: when joiner provisioning is a manual chain of emails
The operations director treats onboarding as HR's problem. HR owns the offer letter, the contract, the first-day calendar invite, so surely HR owns the rest. What HR actually owns is a row in a spreadsheet and an email to IT that reads "new starter Monday, please set up." Everything after that arrow is an informal chain: IT emails the AD admin, the AD admin waits on the line-manager to say which group, the line-manager is on holiday, and the laptop is provisioned but the account that signs into it does not exist yet.
That is how a hire you are paying from day one sits idle until day three. The director who only audits leavers never sees it, because nobody opens a ticket for a person who isn't in the system yet.
The joiner-mover-leaver flow and why the mover is the most dangerous
Identity people talk about the lifecycle as joiner-mover-leaver. Most directors fixate on the leaver, because a departed employee with live credentials is the thing auditors ask about and the thing that ends up in a breach report. Fair. But the mover is where the real damage compounds. When someone changes teams, the new access gets added and the old access almost never gets removed, because removal requires someone to know what to remove and to care enough to do it. Three internal moves later you have a person holding the union of every role they have ever touched.
The joiner is not exempt from this rot. It is where the rot starts. A clean joiner sets the baseline; a sloppy one seeds the permission creep the mover will later multiply.
'Clone this user's access': how permission creep starts on day one
Here is the line that does the damage: "just give them the same access as Sarah." Sarah has been here six years. Sarah has a mover history. Copying Sarah hands a first-day analyst a Domain Admins nesting Sarah picked up during a 2022 migration that nobody ever unwound. The new hire now violates least privilege on day one, and NIST SP 800-53 has had a control for exactly this since long before your last audit: AC-6 says grant only the access required to perform the job. "Clone Sarah" is the opposite of AC-6 wearing a convenience costume.
It survives because it is fast and because no individual decision feels reckless. One copied account is invisible. A year of them is a flat permission model where everyone can reach everything and the next pentest writes itself.
The cost of a three-day idle start, multiplied across every hire
Run the arithmetic the director never runs. A new hire who cannot log in is fully loaded salary against zero output, plus the manager's time spent chasing IT, plus the buddy who stops their own work to share a screen so the newcomer can at least read something. Call it two to three days per hire. Multiply by every hire this year, then by the quiet reputational tax: the new person's first impression of the company is that it cannot let them start.
- Salary burned while the account does not exist.
- Manager and buddy hours spent on workarounds.
- Over-broad access granted in haste to "just get them working."
- The cleanup project, eighteen months later, to find out who can reach what.
Role-based access templates wired into the onboarding ticket
The fix is not another reminder email. It is defining access by role, not by colleague, and binding that definition to the onboarding ticket itself. A "junior support analyst" template lists the exact groups, apps, and entitlements that role needs and nothing it doesn't. The hire's role is set when the ticket opens, the template provisions against it, and the line-manager approves an explicit list instead of waving through a clone. Movers re-template instead of accreting. Leavers are clean because the grant was scoped in the first place.
OpsDesk treats the joiner as a tracked work item, not a favour. The onboarding ticket carries a role and a checklist into the customer workspace, access is requested against a template rather than a name, and the audit trail shows the director who approved what and when the new starter could actually log in. The day-three idle hire and the accidental Domain Admins both stop being invisible. See how the joiner-mover-leaver flow is wired into the ticket.