
Mover is the silent gap in identity programs — people accumulate old-role access and miss new-role access until someone files a ticket.
Re-running Joiner against the new role's template without removing old access leaves stale entitlements and a weak audit narrative.
Each identity-type combination has its own configuration. Status changes (FT ↔ PT ↔ contractor) trigger bundle re-resolution with appropriate scope changes. Subsidiary transfers can route through a different approval path. The mover workflow accommodates the cases the HRIS distinguishes; admin-initiated manual designation handles informal or HRIS-lagged cases (D-30).
Because ADD and REMOVE timing are independent. ADD typically runs immediately so the user has new-role access on day one (org-wide ADD timing); REMOVE runs after a configurable grace period so the handoff is clean (per-app override under auto-revoke), or immediately on the approver's per-role decision under manual review mode. Both happen inside one workflow with one approval and one audit trail.
ADD timing is org-wide (e.g., "new access fires immediately on approval"). REMOVE timing supports per-application overrides under auto-revoke mode — sensitive apps revoke immediately, standard apps follow a 7-day grace, knowledge tools may extend longer. Manual review mode is the alternative: the approver decides retain or revoke per role in the same approval screen as the ADD set, and revocations execute immediately on approval.
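The timing rules above, worked through as an added example that is not the product's own code: given an approved ADD and REMOVE set, compute when each change executes. The app names, the per-app grace table and the `schedule_changes` / `demo_plan` helpers are assumptions constructed for illustration; the immediate ADD, the 7-day default grace, the per-app overrides under auto-revoke and the per-role retain/revoke decision under manual review follow the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Org-wide default grace for REMOVE under auto-revoke mode (7 days per the text).
DEFAULT_GRACE = timedelta(days=7)

# Constructed per-application overrides (hypothetical app names). A zero
# grace means the revocation executes at approval time.
PER_APP_GRACE = {
    "payroll": timedelta(0),        # sensitive app: revoke immediately
    "wiki": timedelta(days=30),     # knowledge tool: extended handoff
}

# Constructed approval timestamp used by the demo scenarios.
APPROVED_AT = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True, order=True)
class Role:
    app: str
    name: str


def schedule_changes(add, remove, approved_at, mode, decisions=None,
                     per_app_grace=PER_APP_GRACE, default_grace=DEFAULT_GRACE):
    """Return (action, role, effective_at) tuples for one approved Mover.

    ADD fires at approval time for every role (org-wide ADD timing).
    REMOVE depends on the mode:
      auto_revoke   -> approval time plus the app's grace override, or the
                       org-wide default when the app has no override.
      manual_review -> the approver's per-role decision; "revoke" executes at
                       approval time, "retain" keeps the role (no revocation).
    """
    plan = [("add", role, approved_at) for role in sorted(add)]
    if mode == "auto_revoke":
        for role in sorted(remove):
            grace = per_app_grace.get(role.app, default_grace)
            plan.append(("remove", role, approved_at + grace))
    elif mode == "manual_review":
        decisions = decisions or {}
        for role in sorted(remove):
            decision = decisions.get(role)
            if decision == "revoke":
                plan.append(("remove", role, approved_at))
            elif decision == "retain":
                plan.append(("retain", role, approved_at))
            else:
                # Manual review needs an explicit decision per role; fail closed
                # rather than silently keeping or dropping access.
                raise ValueError(f"no decision recorded for {role.app}:{role.name}")
    else:
        raise ValueError(f"unknown REMOVE timing mode: {mode}")
    return plan


def effective_times(plan):
    """Index a plan as {(action, 'app:name'): effective_at} for lookups."""
    return {(action, f"{role.app}:{role.name}"): when for action, role, when in plan}


# Constructed scenario: one new role, three roles left over from the old role.
DEMO_ADD = {Role("github", "write")}
DEMO_REMOVE = {Role("payroll", "admin"), Role("crm", "editor"), Role("wiki", "contributor")}


def demo_plan():
    """Auto-revoke mode: grace comes from the per-app table or the default."""
    return schedule_changes(DEMO_ADD, DEMO_REMOVE, APPROVED_AT, "auto_revoke")


def demo_manual_plan():
    """Manual review mode: the approver decided each leftover role."""
    decisions = {Role("payroll", "admin"): "revoke",
                 Role("crm", "editor"): "retain",
                 Role("wiki", "contributor"): "revoke"}
    return schedule_changes(DEMO_ADD, DEMO_REMOVE, APPROVED_AT, "manual_review", decisions)


if __name__ == "__main__":
    for action, role, when in demo_plan():
        print(f"{action:6} {role.app}:{role.name:<12} effective {when.isoformat()}")
```

Under auto-revoke the payroll role is revoked at approval time, the CRM role after the 7-day default, and the wiki role after its 30-day override; under manual review every revocation lands at approval time and a role the approver retains never enters the removal plan.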
Empty-diff suppression. After computing ADD / Retain / REMOVE, if both ADD and REMOVE are empty — currently-held access already matches the bundles — Mover doesn't fire an approval. The detection is logged in audit ("mover detected, no access changes recommended"); the approver isn't burdened. Common case: a manager change when no matched bundle's filter depends on manager.
Cold-start tier-2/3 waterfall fires (D-30). Tier 2: Mover builds an ad-hoc peer group from the workflow's trigger attributes, runs the Balanced preset (30% peer coverage / 60-day usage), and routes to the configured approver. Tier 3: when no peers exist, Mover escalates to IT admin for manual access definition. Cold-start always requires a human; the path is bounded.
Multi-match union, consistent with Joiner. Each matched bundle independently evaluates roles against its own thresholds. ADD = any role any matched bundle recommends that the user doesn't hold. Retain = any currently-held role any matched bundle would recommend. REMOVE = any currently-held role no matched bundle recommends — either absent from every bundle, or failing the threshold in every bundle that contains it.
It resolves the new role against your existing access bundles using each bundle's filter expression. Multi-match union semantics apply: each matched bundle independently evaluates roles against its own thresholds (peer-group percent, dormancy), and Mover unions the outputs into ADD / Retain / REMOVE. No fresh peer-grouping per Mover — the bundles you already maintain drive the recommendation.
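An added worked example, not code from the original page or the product, that implements the multi-match union described here together with the ADD / Retain / REMOVE definitions and the empty-diff suppression given above. The bundle names, roles, peer-coverage figures, the `resolve_mover` / `bundle_recommends` helpers and the way a filter expression is modelled (a Python predicate over HRIS attributes) are assumptions; the union semantics, the "no matched bundle" fall-through to cold start and the audit message follow the text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Bundle:
    """One access bundle: a filter over user attributes plus per-role peer
    coverage and this bundle's own thresholds (constructed shape)."""
    name: str
    matches: object             # callable(user_attrs) -> bool, the filter expression
    coverage: dict              # role -> share of the bundle's peer group holding it
    min_peer_pct: float         # recommend a role only at or above this share
    dormancy_days: int          # a held role unused longer than this is not retained


@dataclass
class MoverDecision:
    status: str                 # "approval_required" | "no_changes" | "cold_start"
    matched: list
    add: set = field(default_factory=set)
    retain: set = field(default_factory=set)
    remove: set = field(default_factory=set)
    audit: str = ""


def bundle_recommends(bundle, held, last_used, today):
    """Roles this one bundle would recommend, judged only by its own thresholds."""
    out = set()
    for role, share in bundle.coverage.items():
        if share < bundle.min_peer_pct:
            continue                                # fails this bundle's peer threshold
        if role in held:
            used = last_used.get(role)
            if used is None or (today - used).days > bundle.dormancy_days:
                continue                            # held but dormant by this bundle's rule
        out.add(role)
    return out


def resolve_mover(user, bundles, held, last_used, today):
    """Union each matched bundle's recommendation into ADD / Retain / REMOVE."""
    matched = [b for b in bundles if b.matches(user)]
    if not matched:
        # No filter matched: the cold-start waterfall (tier 2/3) takes over.
        return MoverDecision("cold_start", [], audit="mover detected, no bundle matched")
    union = set().union(*(bundle_recommends(b, held, last_used, today) for b in matched))
    add = union - held              # recommended by some matched bundle, not held
    retain = held & union           # held and recommended by some matched bundle
    remove = held - union           # held and recommended by no matched bundle
    names = [b.name for b in matched]
    if not add and not remove:
        # Empty-diff suppression: log the detection, open no approval.
        return MoverDecision("no_changes", names, retain=retain,
                             audit="mover detected, no access changes recommended")
    return MoverDecision("approval_required", names, add, retain, remove,
                         audit=f"mover detected: +{len(add)} / -{len(remove)} roles")


# --- Constructed sample data (hypothetical bundles, roles and users) ---
TODAY = date(2024, 3, 1)

BUNDLES = [
    Bundle("all-staff", lambda u: u["employment_status"] == "FT",
           {"sso:basic": 0.99, "jira:user": 0.70}, min_peer_pct=0.5, dormancy_days=90),
    Bundle("eng-backend", lambda u: u["department"] == "Engineering",
           {"github:write": 0.85, "github:read": 0.90, "jira:user": 0.80,
            "aws:dev": 0.40, "vpn:eng": 0.20}, min_peer_pct=0.3, dormancy_days=60),
    Bundle("support", lambda u: u["department"] == "Support",
           {"zendesk:agent": 0.95, "jira:user": 0.60}, min_peer_pct=0.5, dormancy_days=90),
]


def demo_transfer():
    """Support agent moved to Engineering; the HRIS department change fired Mover."""
    user = {"employment_status": "FT", "department": "Engineering"}
    held = {"zendesk:agent", "jira:user", "github:read", "sso:basic"}
    last_used = {"zendesk:agent": TODAY - timedelta(days=3),
                 "jira:user": TODAY - timedelta(days=2),
                 "github:read": TODAY - timedelta(days=120),   # dormant for eng-backend
                 "sso:basic": TODAY}
    return resolve_mover(user, BUNDLES, held, last_used, TODAY)


def demo_manager_change():
    """Sales FT whose only change was manager; no matched filter depends on manager."""
    user = {"employment_status": "FT", "department": "Sales"}
    held = {"sso:basic", "jira:user"}
    last_used = {"sso:basic": TODAY, "jira:user": TODAY - timedelta(days=1)}
    return resolve_mover(user, BUNDLES, held, last_used, TODAY)


if __name__ == "__main__":
    for d in (demo_transfer(), demo_manager_change()):
        print(d.status, d.matched, "ADD", sorted(d.add),
              "RETAIN", sorted(d.retain), "REMOVE", sorted(d.remove))
```

In the transfer scenario `zendesk:agent` lands in REMOVE because no matched bundle contains it, while `github:read` lands there because the only bundle containing it rejects it on dormancy; `jira:user` is retained even though its coverage differs per bundle, since one bundle recommending it is enough. The manager-change scenario produces the logged no-change outcome rather than an approval.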
HRIS polled every 2 hours. Admin selects up to 3 employee attributes per workflow as trigger attributes — title, department, manager, location, or employment status. A change in any selected attribute fires a potential mover event; multi-attribute changes for the same employee within a configurable 24-hour correlation window collapse into one mover event. Re-orgs and promotions produce one workflow, not three. Manual designation available for HRIS lag (D-30).
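The trigger-attribute selection and the 24-hour correlation window, as an added example that is not the product's own code: collapse the attribute changes seen by successive HRIS polls into one mover event per employee. The employee ids, change records and the `correlate` / `validate_trigger_attributes` helpers are assumptions; the allowed attribute list, the cap of three per workflow and the 24-hour default follow the text. One further assumption is that the window is anchored on the first change of an event rather than extended by each later change.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Attributes an admin may select as triggers, and the per-workflow cap.
ALLOWED_TRIGGER_ATTRIBUTES = {"title", "department", "manager", "location", "employment_status"}
MAX_TRIGGER_ATTRIBUTES = 3
CORRELATION_WINDOW = timedelta(hours=24)    # configurable; 24 h default per the text


@dataclass(frozen=True)
class AttributeChange:
    employee_id: str
    attribute: str
    old: str
    new: str
    observed_at: datetime       # when the 2-hourly HRIS poll saw the change


@dataclass
class MoverEvent:
    employee_id: str
    first_seen: datetime
    changes: list = field(default_factory=list)


def validate_trigger_attributes(attrs):
    """Enforce the allowed set and the up-to-3 cap; keep admin order, drop duplicates."""
    unique = list(dict.fromkeys(attrs))
    unknown = set(unique) - ALLOWED_TRIGGER_ATTRIBUTES
    if unknown:
        raise ValueError(f"not a selectable trigger attribute: {sorted(unknown)}")
    if len(unique) > MAX_TRIGGER_ATTRIBUTES:
        raise ValueError(f"at most {MAX_TRIGGER_ATTRIBUTES} trigger attributes per workflow")
    return unique


def correlate(changes, trigger_attributes, window=CORRELATION_WINDOW):
    """Collapse trigger-attribute changes into mover events.

    Changes are processed in observation order. The first change for an
    employee opens an event; later changes for that employee within `window`
    of the event's first change join it (assumed: the window is anchored on
    the first change). A change outside the window opens a new event.
    Changes to attributes the admin did not select are ignored.
    """
    triggers = set(validate_trigger_attributes(trigger_attributes))
    events, open_event = [], {}
    for change in sorted(changes, key=lambda c: c.observed_at):
        if change.attribute not in triggers:
            continue
        current = open_event.get(change.employee_id)
        if current is None or change.observed_at - current.first_seen > window:
            current = MoverEvent(change.employee_id, change.observed_at)
            events.append(current)
            open_event[change.employee_id] = current
        current.changes.append(change)
    return events


# --- Constructed sample poll results (hypothetical employees) ---
T0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
SAMPLE_CHANGES = [
    AttributeChange("e1", "title", "Support Agent", "Software Engineer", T0),
    AttributeChange("e1", "department", "Support", "Engineering", T0 + timedelta(hours=2)),
    AttributeChange("e1", "location", "AMS", "BER", T0 + timedelta(hours=2)),  # not a selected trigger
    AttributeChange("e1", "manager", "m-100", "m-200", T0 + timedelta(hours=6)),
    AttributeChange("e2", "title", "Analyst", "Senior Analyst", T0),
    AttributeChange("e2", "title", "Senior Analyst", "Lead Analyst", T0 + timedelta(days=3)),
]


def demo_events():
    """Workflow configured with title, department and manager as triggers."""
    return correlate(SAMPLE_CHANGES, ["title", "department", "manager"])


if __name__ == "__main__":
    for ev in demo_events():
        print(ev.employee_id, ev.first_seen.isoformat(), [c.attribute for c in ev.changes])
```

Employee e1's promotion, department move and manager change over six hours become one event carrying three changes (the location change is dropped because location was not selected); employee e2's two title changes three days apart stay separate events.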