Identity Lifecycle Management: HR Onboarding and HR Offboarding
With the HR Onboarding and HR Offboarding rules, you can automatically provision or revoke access in connected applications when a JSM request is submitted and approved. This guide walks you through creating and configuring both rules. The steps are identical except for the fields you map in the Access Definition and Mapping block.
Pre-requisites
- Jira and JSM admin access: You need admin permissions in both Jira and Jira Service Management to create and save rules.
- A connected application: At least one application must already be connected to the Identity Governance app via App Connections. Confirm this before creating a rule.
- A JSM project and request type set up for onboarding or offboarding requests: You need an existing JSM project with a dedicated request type for each workflow. One request type can only be used by one automation rule, so make sure the request type you plan to use is not already assigned to another rule.
- Your Approved and Rejected workflow status names: Make note of the exact JSM workflow status names for approval and rejection in your project. You will need them when configuring the Access Decision Mapping block.
- Custom fields created and added to the request type form: The rule builder only shows fields that are already on the request type form. Before building the rule, make sure the following fields exist on your form.
For HR Onboarding:
- A text field for the new employee's first name
- A text field for the new employee's last name
- A text field for the new employee's work email
- A single-select field for Access Package (optional, but at least one of Access Package or Downstream Provisioning must be mapped)
- A multi-select field for Downstream Provisioning (optional, but at least one of Access Package or Downstream Provisioning must be mapped)
For HR Offboarding:
- A multi-select field for Target Applications
Installation
- Log in to your Jira instance and go to Apps in the top navigation bar.
- Select Explore more apps and search for Identity Governance, Auditing and Access Control via JSM.
- Click Try it free to start a trial, then follow the prompts to install the app.
- Once installed, open the app from Apps in the top navigation bar. You will see the app sidebar with Dashboard, App Connections, Automation, Role Catalog, and Audit Logs.
1: Connect your application
Before creating a rule, confirm your target application is connected.
- In the app sidebar, click App Connections.
- Verify your application is listed and its status shows as connected.
- If it is not connected yet, add it here before continuing.
2: Create the rule
- Click Create Rule in the top right corner.
- In the app sidebar, click Identity Lifecycle Management.
- On the use case screen, click HR Onboarding or HR Offboarding depending on which rule you are setting up.
3: Configure the Project block
The Project block is the trigger for your rule. It tells the app which JSM project and request type to watch.
- In the rule builder, click the Project block to open its settings panel on the right.
- Under Project, select your JSM project from the dropdown.
- Under Request Type, select the request type designated for onboarding or offboarding requests.
Once both are selected, the field mapping options in the next block will become available. This block must be completed before any other block will load its fields correctly.
4: Configure Access Definition and Mapping
This block maps the fields on your JSM request form to the identity attributes the app needs to provision or revoke access. This is the only block where Onboarding and Offboarding differ.
- Click the Access Definition and Mapping block to open its settings panel.
The Mapping Preview at the bottom of the panel shows which fields are mapped and which are still missing. The rule cannot be saved until all required fields are mapped.
If you are setting up HR Onboarding:
Map the three required fields first. For each one, select the corresponding JSM form field from the dropdown next to it.
- First Name: Select the JSM field containing the new employee's first name.
- Last Name: Select the JSM field containing the new employee's last name.
- Work Email: Select the JSM field containing the new employee's work email address.
Then map at least one of the following. You must map one or both for the rule to save successfully.
- Access Package: Select the single-select JSM field for the access package.
- Downstream Provisioning: Select the multi-select JSM field for downstream provisioning.
If you are setting up HR Offboarding:
- Target Applications: Select the multi-select JSM field for target applications.
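A pre-flight check for the mapping rules above, as an added example that is not part of the app or its documentation: it validates a planned mapping against the fields on a request type form before you open the rule builder. The form field names and the kind labels ("text", "single-select", "multi-select") are assumptions made for this example.

```python
# Added example: pre-flight check of a planned field mapping (not the app's code).
# Kind labels ("text", "single-select", "multi-select") are simplified for this example.

ONBOARDING_REQUIRED = {"First Name": "text", "Last Name": "text", "Work Email": "text"}
ONBOARDING_ONE_OF = {"Access Package": "single-select", "Downstream Provisioning": "multi-select"}
OFFBOARDING_REQUIRED = {"Target Applications": "multi-select"}


def check_mapping(rule_type, form_fields, mapping):
    """Return a list of problems; empty means the page's mapping requirements are met.

    form_fields: {form field name: kind} as present on the request type form.
    mapping:     {identity attribute: form field name} as you plan to map it.
    """
    if rule_type == "onboarding":
        required, one_of = ONBOARDING_REQUIRED, ONBOARDING_ONE_OF
    elif rule_type == "offboarding":
        required, one_of = OFFBOARDING_REQUIRED, {}
    else:
        raise ValueError(f"unknown rule type: {rule_type}")

    problems = []

    def validate(attr, kind):
        field = mapping.get(attr)
        if field not in form_fields:
            problems.append(f"{attr}: form field {field!r} is not on the request type form")
        elif form_fields[field] != kind:
            problems.append(f"{attr}: {field!r} is {form_fields[field]}, expected {kind}")

    for attr, kind in required.items():
        if attr not in mapping:
            problems.append(f"{attr}: required but not mapped")
        else:
            validate(attr, kind)

    # Onboarding only: at least one of the two optional attributes must be mapped.
    mapped_optional = [a for a in one_of if a in mapping]
    if one_of and not mapped_optional:
        problems.append("map at least one of: " + ", ".join(one_of))
    for attr in mapped_optional:
        validate(attr, one_of[attr])
    return problems


# Constructed sample form and mapping (field names are hypothetical).
SAMPLE_FORM = {"New hire first name": "text", "New hire last name": "text",
               "New hire work email": "text", "Apps to provision": "multi-select"}
SAMPLE_MAPPING = {"First Name": "New hire first name", "Last Name": "New hire last name",
                  "Work Email": "New hire work email", "Downstream Provisioning": "Apps to provision"}

if __name__ == "__main__":
    print(check_mapping("onboarding", SAMPLE_FORM, SAMPLE_MAPPING) or "mapping is complete")
```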
5: Configure the Approval block
- Click the Approval block to open its settings panel.
- Under Assignee Users Field, select the field that defines who the approver is for requests of this type.
- Under Add Users, search for and add any specific Jira users who should be able to approve requests.
- If you want only the ticket assignee to be able to initiate the access request, toggle Only Assignee can Initiate on.
6: Configure Access Decision Mapping
This block tells the app what to do when a request is approved or rejected.
- Click the Access Decision Mapping block to open its settings panel.
- Under Approval Status (JSM), select the JSM workflow status that means the request has been approved. When a ticket moves to this status, the app will execute provisioning or deprovisioning.
- Under Rejection Status (JSM), select the JSM workflow status that means the request has been rejected. When a ticket moves to this status, no action is taken and the requester is notified via a comment on the ticket.
7: Save the rule
- Click Save Rule in the top-right corner.
Test the rule
Before going live, run a quick test.
- Submit a test request through the JSM portal.
- Move the ticket to your approved status.
- For Onboarding: confirm the new employee has been provisioned in the expected applications.
- For Offboarding: confirm access has been revoked in the expected applications.
- Check that a comment was posted on the ticket confirming the outcome.