⚙️ Autonomous · 💬 Approval gates

Workforce Lifecycle Agent

Workday · Neeyamo · Entra ID · Okta · Active Directory · Planview · ServiceNow

1 📋 Overview & business value

This agent drives joiner, mover and leaver events end to end across HR, global payroll, IT identity and resourcing. From a Workday status change it creates identities, grants access by role template, enrols global payroll, assigns resources, and on departure de-provisions cleanly — applying least privilege throughout. It reads and reasons freely; every grant, revoke, payroll or provisioning action is an Action Ticket carrying a MOP.

Problem

A new hire's access lives in five systems and arrives days late. A leaver's access lingers — the single biggest insider-risk gap. Movers accumulate entitlements that quietly create segregation-of-duties conflicts no one notices until an audit.

Solution approach

Event-driven on Workday. For standard roles the agent provisions the exact access template; for non-standard or senior access and any SoD conflict it reasons and routes to a human. Leavers are de-provisioned across Entra, AD and Okta with payroll final settlement — all as reversible, audited tickets.

Core capabilities

  • Identity creation (Entra + Okta) on hire
  • Access by role template (least privilege)
  • Global payroll enrolment (Neeyamo)
  • Resource assignment via PMO request
  • Mover access-delta computation
  • Segregation-of-duties detection
  • Leaver de-provisioning across Entra/AD/Okta
  • Quarterly recertification with auto-revoke

How it helps

New hires are productive on day one; leavers lose access the same day; movers don't accumulate toxic combinations. Compliance becomes continuous instead of a quarterly fire drill, and every grant has an audit trail.

Illustrative value model — plug in your own figures

  • J/M/L: lifecycle events / year
  • H hrs: IT + HR effort saved / event
  • ↓ risk: same-day leaver de-provisioning

Value = events × H hours saved × loaded rate, plus reduced audit effort and insider-risk exposure. Placeholders — substitute your baseline.


2 📖 The story (for the sales conversation)

The one-liner

"Every joiner, mover and leaver has to be set up — or shut down — across HR, payroll, identity and IT. Miss a step and a new hire sits idle, or a leaver keeps their keys. This agent runs the whole lifecycle, by the book, same day."

😣 Today, without the agent

Priya starts Monday. HR has her in Workday, but IT hasn't seen the ticket yet. Day one she has no laptop login, no Databricks, no Jira. Three tickets and two days later she's half set up. Meanwhile a departing DBA left on Friday — and still has admin access on Tuesday because the offboarding checklist stalled between IT and identity.

Both are normal. The lifecycle lives in handoffs between systems that don't talk.

😌 The same week, with the agent

A manager types: "Onboard Priya Sharma (EMP-7781)."

The agent confirms her in Workday, creates her Entra and Okta identities, grants exactly the Senior Data Engineer template (nothing more), enrols her in India payroll, and requests her project assignment. When the manager asks for production DB write — outside her template — it pauses and asks for approval. And the departing DBA? One instruction disables identity across Entra, AD and Okta, revokes seven apps and triggers final pay, all logged.

"It grants least privilege by default and refuses to exceed the template without a human yes. It catches a create-and-approve conflict before it becomes an audit finding. Speed and control are the same motion here."

The trust point — lead with this for IT security and Compliance

  1. The villain: the gaps. Joiner/mover/leaver spans HR, payroll, identity and IT — and falls between them.
  2. The hero: one lifecycle, one flow. The agent runs all systems together, by role template, with least privilege.
  3. The reason to trust it. Every grant/revoke is a reversible Action Ticket; non-template access, SoD conflicts and leaver actions on privileged accounts need a human.

💡How to use this tab: open here for HR/IT leadership, tell the before/after, land the trust line, then show "Sample questions" and "Live scenarios". Keep Tools/Governance for the technical buyer.

3 📥 Input data

Source system      | Field / entity                                        | Type   | Purpose
Workday            | Worker (id, job, dept, location, manager, startDate)  | object | Source of truth for status + role
Role template      | groups, apps, license                                  | matrix | Deterministic access by role
Entra / Okta / AD  | user, groups, sessions                                 | object | Identity state for grant / revoke
Neeyamo            | country payroll calendar                               | object | Global payroll enrolment
Planview           | project, open role                                     | record | Resource demand for assignment
ServiceNow         | onboarding catalog / request                           | record | Tasks, PMO assignment, risk records
ℹ️Developer note: trigger is a Workday status change (hire / job change / termination) via scheduled workday.wql or event. Workday is cited as the source of truth for status throughout.

4 ⚙️ Processing flow (tools mapped per step)

ℹ️Each step shows its path and whether it is read-only or a write via Action Ticket.
1 · Detect lifecycle event  [deterministic · read]
   Workday status change. Read the worker, job, dept, location and manager.
   workday.wql · SELECT Worker WHERE id=…

2 · Create identity  [deterministic · Action Ticket]
   Create the Entra user + UPN and the Okta user with MFA enrolment.
   entra.graph create_user · okta provisioning (via ticket)

3 · Access by role template  [deterministic · Action Ticket]
   Resolve the template; add groups, assign apps and license. Least privilege only: nothing outside the template is granted on this path.
   entra.graph add group · okta assign apps (via ticket)

4 · Global payroll enrolment  [deterministic · Action Ticket]
   Enrol the worker in the right country payroll calendar.
   neeyamo.employeeSync enrol (via ticket)

5 · Resource assignment  [deterministic · Action Ticket]
   Read Planview for the open role; raise a ServiceNow request to the PMO to book the assignment (Planview is read-only here).
   planview.query → servicenow.request (via ticket)

6 · Non-standard access  [non-deterministic · human approval]
   Anything beyond the template is reasoned over and routed to the manager with a time-boxed recommendation; nothing is granted until the manager answers.
   reasoning → approval gate

7 · Mover access delta  [deterministic + SoD reasoning]
   Compute the old-vs-new template delta; reason over the resulting entitlement set for segregation-of-duties conflicts before anything is granted.
   workday.wql + template diff

8 · Leaver de-provisioning  [deterministic · approval if privileged · Action Ticket]
   Disable the identity across Entra/AD/Okta, revoke apps, trigger final payroll. Privileged accounts need human approval before the ticket runs.
   entra/ad/okta containment · neeyamo final (via ticket)

9 · Recertification  [deterministic · Action Ticket]
   Build per-manager recert packages; auto-revoke on no-response per policy.
   workday.raas + identity reads → recert tasks (via ticket)
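The recertification step above (per-manager packages, auto-revoke when the manager does not answer) as an added, runnable example. This is not the agent's own code: the worker records stand in for a workday.raas extract and the entitlement map for the Entra/Okta/AD reads; the 14-day grace period, the ticket shape and the function names are assumptions. It also does the cross-check a recert read makes cheap: any entitlement held by a worker who is no longer active in Workday is reported as an orphan (a leaver gap) rather than parked for two weeks.

```python
"""Quarterly recertification: per-manager packages with auto-revoke on no-response.

Added example, not the agent's code. Inputs are constructed; GRACE_DAYS, the
MOP name, the package/ticket shapes and function names are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

GRACE_DAYS = 14   # assumed policy: no manager response by the due date => revoke


def build_packages(workers, entitlements, as_of):
    """Group every live entitlement under the holder's manager.

    workers:      worker id -> {"manager": id, "status": "active"|"terminated"}  (workday.raas)
    entitlements: worker id -> set of groups/apps currently held                 (identity reads)
    Returns (packages, orphans). Orphans are entitlements held by workers who are
    not active in Workday: that is a leaver gap to act on now, not a recert line.
    """
    grouped, orphans = defaultdict(list), []
    for worker_id, held in entitlements.items():
        w = workers.get(worker_id)
        if w is None or w["status"] != "active":
            orphans.extend({"worker": worker_id, "entitlement": e} for e in sorted(held))
            continue
        for e in sorted(held):
            grouped[w["manager"]].append({"worker": worker_id, "entitlement": e, "decision": None})
    due = as_of + timedelta(days=GRACE_DAYS)
    packages = {m: {"manager": m, "due": due, "items": items} for m, items in grouped.items()}
    return packages, orphans


def record_decision(package, worker_id, entitlement, decision):
    """Manager answers one line of the package with 'keep' or 'revoke'."""
    if decision not in ("keep", "revoke"):
        raise ValueError(f"unknown decision {decision!r}")
    for item in package["items"]:
        if item["worker"] == worker_id and item["entitlement"] == entitlement:
            item["decision"] = decision
            return item
    raise KeyError((worker_id, entitlement))


def close_package(package, today):
    """At the due date every undecided line becomes a revoke.

    Returns the revoke Action Ticket payload, or None while the package is still
    open or when nothing needs revoking.
    """
    if today < package["due"]:
        return None
    targets = []
    for item in package["items"]:
        if item["decision"] is None:
            item["decision"] = "revoke (no response)"
        if item["decision"].startswith("revoke"):
            targets.append({"op": "revoke", "user": item["worker"], "entitlement": item["entitlement"]})
    if not targets:
        return None
    return {"mop": "MOP-RECERT-REVOKE", "approval": "auto", "manager": package["manager"],
            "reason": "quarterly recertification", "targets": targets}


# Constructed seed built from the page's mock identifiers.
WORKERS = {
    "EMP-7781": {"manager": "EMP-3320", "status": "active"},      # Priya Sharma
    "EMP-5540": {"manager": "EMP-3320", "status": "active"},      # Finance mover
    "EMP-2210": {"manager": "EMP-9001", "status": "terminated"},  # departed DBA
}
ENTITLEMENTS = {
    "EMP-7781": {"grp-data-eng", "Databricks"},
    "EMP-5540": {"grp-fin-creators"},
    "EMP-2210": {"grp-dba-admin"},    # still held after termination: orphan
}

if __name__ == "__main__":
    pkgs, orphans = build_packages(WORKERS, ENTITLEMENTS, date(2026, 7, 1))
    print("orphans:", orphans)
    pkg = pkgs["EMP-3320"]
    record_decision(pkg, "EMP-7781", "grp-data-eng", "keep")
    record_decision(pkg, "EMP-7781", "Databricks", "keep")
    print(close_package(pkg, date(2026, 7, 15)))
```

Orphans are returned separately on purpose: an entitlement whose holder Workday says has left should feed the leaver flow (MOP-OFFBOARD) the same day, not wait out the recert grace period.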

5 🔧 Skills & tools (real connectors)

ℹ️Each tool maps to a real processorKey. Read tools are direct; writes only run inside an Action Ticket.
workday.wql  (WQL · OAuth2)  SOURCE
  processorKey: hr.processors.WorkdayQueryWQL
  Reads employee, organisation and position data via Workday Query Language.
  {baseUrl}/{tenant}/wql/v1/data?query={wql}
  READ · direct

workday.raas  (RaaS)  SOURCE
  processorKey: hr.processors.WorkdayRaaSReport
  Extracts Workday Reports-as-a-Service (JSON/XML/CSV) for recert and analytics.
  {baseUrl}/ccx/service/customreport2/{tenant}/{owner}/{report}
  READ · direct

workday.writeback  (REST / SOAP)  WRITE
  processorKey: hr.processors.WorkdayWriteback
  Writes back worker/workforce data via Workday REST and SOAP. Supports insert / upsert of worker, position or object records.
  operation: insert | upsert (worker / position)
  WRITE · via Action Ticket

neeyamo.employeeSync  (REST)  SOURCE
  processorKey: payroll.processors.NeeyamoEmployeeSync
  Syncs employees, timesheets, payroll runs and tax-compliance data with Neeyamo Global Payroll, per country. Used to enrol a worker.
  enrol employee · country payroll
  WRITE · via Action Ticket

neeyamo.payrollRun  (REST)  SOURCE
  processorKey: payroll.processors.NeeyamoPayrollRun
  Triggers and monitors payroll runs (per-country, multi-currency) with async polling. Used for final settlement.
  {"operation":"StartPayrollRun|GetRunStatus"}
  WRITE · via Action Ticket

entra.graph  (MS Graph)  SOURCE
  processorKey: identity.processors.EntraIDGraph
  Queries and manages Entra ID via Microsoft Graph: user enrichment (get_user, get_user_groups) and containment (disable). Used to create users and grant groups.
  create_user · add_group · disable (via Graph)
  READ direct · WRITE via ticket

okta.usersGroups  (Okta API)  SOURCE
  processorKey: identity.processors.OktaUsersAndGroups
  Syncs Okta users and groups (list users/groups/members; provisioning). OAuth2 or SSWS token.
  users · groups · group members
  READ direct · WRITE via ticket

okta.containment  (Okta API)  SOURCE
  processorKey: identity.processors.OktaContainment
  Containment ops: suspend, clear sessions, reset factors, expire password, deactivate.
  suspend · clear_sessions · deactivate
  WRITE · via Action Ticket

ad.query / ad.containment  (LDAP)  SOURCE
  processorKey: identity.processors.ActiveDirectoryQuery / ActiveDirectoryContainment
  Query AD by sAMAccountName/UPN; containment: disable/enable, reset password, remove from group, move OU, delete.
  disable account · remove group · move OU
  READ direct · WRITE via ticket

planview.query  (REST)  SOURCE
  processorKey: ppm.processors.PlanviewQuery
  Reads projects, resources, scenarios and work items across the Planview PPM family. Read-only here.
  projects · open roles · resources (read)
  READ · direct

servicenow.request  (Table API)  SOURCE
  processorKey: itsm.processors.ServiceNowIncident
  Creates onboarding tasks, PMO assignment requests and SoD risk records via the Table API.
  /api/now/v2/table/{request|incident}
  WRITE · via Action Ticket

teams.post  (Graph)  SINK
  processorKey: collaboration.processors.TeamsSendMessage
  Notifies managers and control owners for approvals and SoD escalations.
  TeamsSendMessage · channel/chat
  WRITE · via Action Ticket
⚠️Connectivity honesty: Planview in this library is read-only (PlanviewQuery; the only Planview sink is IdeaPush), so the resource assignment is booked via a ServiceNow request to the PMO, not a fabricated Planview write. Okta provisioning uses OktaUsersAndGroups; deprovisioning uses OktaContainment.

6 🤖 Agent prompt (production)

🤖 System prompt
You are the Workforce Lifecycle Orchestrator (Joiner-Mover-Leaver).

## Operating rules
1. Read/reason freely across Workday, Neeyamo, Planview and Entra/Okta/AD.
2. You NEVER write directly. Every grant, revoke, payroll or provisioning action
   is an Action Ticket carrying a MOP; ProcBot executes, Sherlock validates.
3. Deterministic for: access by role template, leaver de-provisioning, standard
   payroll enrolment, the recertification workflow.
4. Non-deterministic for: non-standard / senior access, segregation-of-duties
   risk, ambiguous transfers, contractor edge cases.
5. Human approval before: any access beyond the role template, any SoD conflict,
   any leaver action on a privileged account.
6. Apply least privilege. Cite Workday as the source of truth for status.

## Tools
READ (direct): workday.wql, workday.raas, planview.query, entra.graph (enrich),
  okta.usersGroups (list), ad.query
WRITE (Action Ticket only): workday.writeback, entra.graph (create/grant/disable),
  okta.usersGroups (provision), okta.containment, ad.containment,
  neeyamo.employeeSync, neeyamo.payrollRun, servicenow.request, teams.post

## Output (every step)
{ "decision": "...", "path": "deterministic | non-deterministic",
  "confidence": 0.0,
  "action_ticket": { "mop": "...", "scope": "...", "approval": "auto | human" } | null,
  "evidence": [ { "tool": "...", "record": "..." } ],
  "message_to_user": "..." }

7 🛡️ Execution governance — Action Ticket → MOP

No identity, access or payroll change reaches a system from the model. The agent reasons; an Action Ticket carries the MOP; ProcBot executes; Sherlock validates; the ticket is reversible. Non-template access, SoD conflicts and privileged-account leaver actions require human approval.

1 · Reason

Agent decides a grant / revoke / enrolment is needed.

2 · Action Ticket

MOP id, scope, parameters, approval level.

3 · ProcBot executes

Runs the Entra/AD/Okta or Neeyamo action. Model never writes.

4 · Sherlock validates

Confirms the entitlement state; closes or rolls back.

{
  "action_ticket": "AT-4006",
  "mop": "MOP-OFFBOARD",
  "approval": "human",   // privileged account
  "targets": [
    { "tool": "entra.graph",   "op": "disable",        "user": "EMP-2210" },
    { "tool": "ad.containment","op": "disable_account","user": "EMP-2210" },
    { "tool": "okta.containment","op": "clear_sessions+deactivate","user": "EMP-2210" }
  ],
  "then": { "tool": "neeyamo.payrollRun", "op": "final_settlement" },
  "validation": { "owner": "sherlock", "expect": "all identities disabled, apps revoked" },
  "reversible": true
}
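The four governance stages and the AT-4006 ticket above, and step 8 of the processing flow, as one added, runnable example. This is not ProcBot, Sherlock or the agent's own code: the three identity systems are in-memory stand-ins for Entra, AD and Okta, the ticket fields mirror the sample, and PRIVILEGED_GROUPS, the store interface, the `flaky` failure switch and the function names are assumptions. It shows the two checks the text promises: a human-gated ticket cannot run without an approver, and a write that did not land is caught by re-reading the target before final settlement is triggered.

```python
"""MOP-OFFBOARD as a reversible Action Ticket: reason, gate, execute, validate.

Added example, not ProcBot/Sherlock. Identity systems are in-memory stand-ins;
PRIVILEGED_GROUPS, the store API and the function names are assumptions.
"""
from copy import deepcopy

PRIVILEGED_GROUPS = {"grp-dba-admin", "grp-domain-admins"}      # assumed list


class IdentityStore:
    """Stand-in for one identity system. `flaky` simulates a write that never lands."""

    def __init__(self, users, flaky=False):
        self.users, self.flaky = deepcopy(users), flaky

    def get(self, uid):
        return deepcopy(self.users[uid])

    def disable(self, uid):
        if self.flaky:                  # e.g. directory write lost before replication
            return
        u = self.users[uid]
        u["enabled"], u["sessions"], u["apps"] = False, 0, []

    def restore(self, uid, snapshot):
        self.users[uid] = deepcopy(snapshot)


def build_offboard_ticket(worker_id, stores, ticket_id):
    """Reason step: read live group membership, gate privileged accounts to a human."""
    groups = set()
    for store in stores.values():
        groups |= set(store.get(worker_id)["groups"])
    privileged = bool(groups & PRIVILEGED_GROUPS)
    return {
        "action_ticket": ticket_id,
        "mop": "MOP-OFFBOARD",
        "approval": "human" if privileged else "auto",
        "approval_reason": "privileged account" if privileged else None,
        "targets": [{"tool": tool, "op": "disable", "user": worker_id} for tool in stores],
        "then": {"tool": "neeyamo.payrollRun", "op": "final_settlement", "status": "pending"},
        "validation": {"owner": "sherlock", "expect": "all identities disabled, apps revoked"},
        "reversible": True,
        "snapshot": {},                 # pre-change state per target, for rollback
        "status": "pending",
    }


def execute_ticket(ticket, stores, approved_by=None):
    """ProcBot step: refuse a human-gated ticket without an approver; snapshot, then act."""
    if ticket["approval"] == "human" and not approved_by:
        ticket["status"] = "blocked: awaiting human approval"
        return ticket
    ticket["approved_by"] = approved_by
    uid = ticket["targets"][0]["user"]
    for target in ticket["targets"]:
        store = stores[target["tool"]]
        ticket["snapshot"][target["tool"]] = store.get(uid)
        store.disable(uid)
    return validate_ticket(ticket, stores)


def validate_ticket(ticket, stores):
    """Sherlock step: re-read every target and compare with the expected state.

    A leaver whose containment half-landed is safer left half-contained than
    re-enabled, so drift fails the ticket and blocks final settlement; it does
    not auto-revert. Reversal is the explicit rollback() below.
    """
    uid = ticket["targets"][0]["user"]
    drift = [t["tool"] for t in ticket["targets"]
             if stores[t["tool"]].get(uid)["enabled"] or stores[t["tool"]].get(uid)["apps"]]
    if drift:
        ticket["status"] = f"failed validation: {drift}"
    else:
        ticket["status"] = "validated"
        ticket["then"]["status"] = "triggered"   # payroll only once identities are confirmed off
    return ticket


def rollback(ticket, stores):
    """Reversible path (e.g. wrong worker id): restore every snapshotted target."""
    uid = ticket["targets"][0]["user"]
    for tool, snap in ticket["snapshot"].items():
        stores[tool].restore(uid, snap)
    ticket["status"] = "rolled back"
    return ticket


def seed(flaky_ad=False):
    """Constructed seed: EMP-2210 is the departing DBA from the page's story."""
    dba = {"enabled": True, "sessions": 2, "groups": ["grp-dba-admin"], "apps": ["Databricks"]}
    return {
        "entra.graph": IdentityStore({"EMP-2210": dba}),
        "ad.containment": IdentityStore({"EMP-2210": dba}, flaky=flaky_ad),
        "okta.containment": IdentityStore({"EMP-2210": dba}),
    }


if __name__ == "__main__":
    stores = seed()
    ticket = build_offboard_ticket("EMP-2210", stores, "AT-4006")
    print(execute_ticket(ticket, stores)["status"])                      # blocked
    print(execute_ticket(ticket, stores, approved_by="sec-oncall")["status"])  # validated
```

The design choice worth carrying into the real implementation is the direction of failure: for a leaver, "still disabled" is the safe side, so a partial containment stays in place and only final settlement is withheld; restoring access is a deliberate, logged rollback from the snapshot, never a side effect of validation.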

8 🔀 Data flow

flowchart TD
  A([Workday status change]) --> B{Event type}
  B -->|Joiner| C[Create identity Entra + Okta via ticket]
  C --> D[Access by template least privilege via ticket]
  D --> E[Payroll enrol neeyamo via ticket]
  E --> F[Resource assignment ServiceNow PMO request]
  F --> G{Beyond template?}
  G -->|Yes| H[Human approval]
  B -->|Mover| I[Template delta + SoD reasoning]
  I --> J{SoD conflict?}
  J -->|Yes| K[Escalate to control owner hold grant]
  B -->|Leaver| L{Privileged?}
  L -->|Yes| M[Human approval]
  L -->|No| N{{MOP-OFFBOARD}}
  M --> N
  N --> O[Disable Entra/AD/Okta final payroll · validate]

9 🏗️ Systems touched

🧑‍💼 Workday — source of truth (read WQL/RaaS, write Writeback)
🌍 Neeyamo — global payroll enrol + final settlement
🔑 Entra ID — identity create + groups (MS Graph)
🔐 Okta — provisioning + containment
🗂️ Active Directory — LDAP query + containment
📋 Planview — resource demand (read-only)
🛠️ ServiceNow + Teams — tasks, PMO request, SoD escalation

10 🗄️ Mock data (seed to demo)

Workday worker
// workday.wql SELECT Worker WHERE id='EMP-7781'
{ "id":"EMP-7781", "name":"Priya Sharma", "job":"Senior Data Engineer",
  "dept":"Data Platform", "location":"India", "manager":"EMP-3320",
  "startDate":"2026-06-08" }

Role template
// Role template: Senior Data Engineer
{ "entraGroups":["grp-data-eng"],
  "oktaApps":["Databricks","Jira","GitHub"],
  "license":"M365 E5" }
// Manager, Finance adds: ["grp-fin-approvers"]  (PO approval)

Provisioning result
// AT-4001 entra.graph create_user
{ "userPrincipalName":"priya.sharma@corp.com", "objectId":"a1b2c3", "accountEnabled":true }
// AT-4003 access grant
{ "groupsAdded":["grp-data-eng"], "appsAssigned":["Databricks","Jira","GitHub"], "license":"E5" }

Neeyamo payroll
// AT-4004 neeyamo.employeeSync enrol
{ "employee":"EMP-7781", "country":"IN", "payrollStatus":"enrolled", "nextRun":"2026-06-30" }

SoD conflict
// EMP-5540 mover: Analyst, Finance → Manager, Finance
{ "current":["grp-fin-creators"],        // can create POs
  "requested":["grp-fin-approvers"] }     // would also approve POs
// create + approve = segregation-of-duties conflict (SOX-relevant) → hold
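The policy behind processing-flow steps 3, 6 and 7 (exact-template grant, non-template access parked for a human, mover delta checked for segregation of duties) and the SoD mock above, as one added, runnable example. This is not the agent's own code: the role templates and the grp-fin-creators / grp-fin-approvers conflict are taken from the mock data on this page, while the SOD_RULES table, the Decision shape and the function names are assumptions. The same function serves a joiner (empty current entitlements) and a mover, and it generalises the page's single conflict to any rule in the table.

```python
"""Joiner/mover access decision: template delta plus segregation-of-duties gate.

Added example, not the agent's code. Templates and the PO create/approve
conflict come from this page's mock data; SOD_RULES, the Decision shape and
the function names are assumptions.
"""
from dataclasses import dataclass, field

# Role templates keyed by Workday job (groups only; apps and licence omitted).
TEMPLATES = {
    "Senior Data Engineer": {"grp-data-eng"},
    "Analyst, Finance": {"grp-fin-creators"},      # can create POs
    "Manager, Finance": {"grp-fin-approvers"},     # can approve POs
}

# Toxic combinations: holding both sides lets one person run a controlled
# process end to end. Constructed rule table; a real one is owned by Compliance.
SOD_RULES = [
    frozenset({"grp-fin-creators", "grp-fin-approvers"}),   # create + approve PO
]


@dataclass
class Decision:
    path: str                                      # deterministic | non-deterministic
    approval: str                                  # auto | human
    add: set = field(default_factory=set)          # template groups to grant now
    remove: set = field(default_factory=set)       # groups to revoke now
    hold: set = field(default_factory=set)         # grants parked behind a human
    conflicts: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def sod_conflicts(entitlements):
    """Every SoD rule fully satisfied by this entitlement set, each as a sorted list."""
    held = set(entitlements)
    return [sorted(rule) for rule in SOD_RULES if rule <= held]


def access_decision(current, new_job, requested_extra=()):
    """Decide grants/revokes for a joiner (current empty) or a mover.

    current:          groups the worker holds today (Entra/Okta/AD reads)
    new_job:          Workday job after the event (source of truth)
    requested_extra:  manager-requested groups beyond the template
    """
    template = TEMPLATES[new_job]
    current = set(current)
    d = Decision(path="deterministic", approval="auto")

    # Least privilege: the worker ends up with exactly the template. Anything
    # else held today is revoked; previously approved extras must be re-requested.
    d.remove = current - template
    d.add = template - current

    # Non-template access is never granted on the deterministic path.
    extra = set(requested_extra) - template
    if extra:
        d.hold |= extra
        d.path, d.approval = "non-deterministic", "human"
        d.reasons.append(f"non-template access requested: {sorted(extra)}")

    # SoD is evaluated against what the worker holds today plus what would be
    # granted. Revoke and grant are separate tickets and the revoke may be
    # deferred for handover, so this combined state is exactly the window an
    # auditor would flag (the "mover accumulates entitlements" case).
    for conflict in sod_conflicts(current | d.add | extra):
        d.conflicts.append(conflict)
        d.reasons.append(f"SoD conflict: {conflict}")
    if d.conflicts:
        toxic = {g for c in d.conflicts for g in c}
        d.hold |= toxic & (d.add | extra)   # park the grant side only; never pre-grant
        d.add -= d.hold
        d.path, d.approval = "non-deterministic", "human"
    return d


def sod_scan(holdings):
    """Answer "any SoD risks in Finance?": worker id -> conflicts, only where there is one."""
    found = {}
    for worker_id, held in holdings.items():
        conflicts = sod_conflicts(held)
        if conflicts:
            found[worker_id] = conflicts
    return found


if __name__ == "__main__":
    # Joiner from the mock data, plus the out-of-template production DB write.
    print(access_decision(set(), "Senior Data Engineer", ["prod-db-write"]))
    # Mover EMP-5540: Analyst, Finance -> Manager, Finance.
    print(access_decision({"grp-fin-creators"}, "Manager, Finance"))
```

For the mover the result is what the mock describes: grp-fin-creators is scheduled for revoke, grp-fin-approvers is held rather than added, and the ticket is routed to a human. For the joiner the template grant stays on the deterministic path while only the production DB write is parked.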

11 💬 Sample questions (conversational triggers)

The natural-language prompts this agent is built to answer. Each maps to the live scenarios below.

🚀"Onboard Priya Sharma (EMP-7781)."→ Scenarios 1–5
🔑"What access does EMP-7781 get on day one?"→ Scenario 3 (role template)
"Also give Priya production DB write."→ Scenario 6 (non-template approval)
🔄"EMP-5540 is moving to Finance Manager — update access."→ Scenarios 7, 9 (delta + SoD)
🚪"Offboard EMP-2210."→ Scenario 8 (privileged leaver)
⚖️"Any segregation-of-duties risks in Finance?"→ Scenario 9 (SoD detection)
🎯 Recommended demo run
Seed the mock data, then ask "Onboard Priya Sharma (EMP-7781)" — the agent walks scenarios 1→5. Ask for production DB write to trigger the approval gate (6). Then run the mover ("EMP-5540 → Finance Manager") to surface the SoD conflict (7, 9), and the leaver ("Offboard EMP-2210") for the privileged offboarding (8). Scenario 10 is quarterly recertification.

12 🎬 Live scenarios (tool-execution traces)

ℹ️Ten runs across joiner, mover and leaver. Each step is a read (SOURCE), reasoning, an Action Ticket with a MOP, or an agent message.