runbookify

New Hire IT Provisioning Checklist

Build an internal tool that turns each new hire into a complete, role-based provisioning checklist - accounts, equipment, app access, building badge - gets the hiring manager to approve the access list, dispatches every task to its owner, and tracks readiness down to the start date so nobody shows up without a laptop.

Level: Intermediate
Time: A weekend
Builds on:

  • Next.js (App Router) on Vercel
  • Supabase (Postgres, Storage, Auth + RLS)
  • Resend (approval requests, task dispatch, readiness alerts)

What you'll build

A login-protected provisioning tool: import new hires, generate a complete checklist from the role template (accounts, equipment, app access, badge), get the hiring manager (and app owners for sensitive access) to approve the access list, dispatch each task to its owner, track every task to done with a readiness countdown to the start date, and export the task list as CSV - with a hard rule that nothing is provisioned until a person approves it.

Before you start

  • A free Vercel account
  • A free Supabase account
  • A free Resend account (and a sender address you can use)
  • A new-hire list as CSV/sheet from HR (name, role, department, start date)
  • Your role-based access/equipment templates (access profiles) as a sheet

The problem this kills

A new hire accepts. HR drops them into a spreadsheet. And then a quiet scramble begins: does this person need a laptop or a workstation? Which apps does a "Senior AR Analyst" actually get? Did anyone order the monitor? Who requests the building badge? Is the email account created? Did Security ever approve access to the financial system, or did someone just turn it on because the ticket looked routine?

In most teams, new-hire provisioning lives in a tangle of forwarded emails, a shared checklist that's three versions out of date, and a lot of "I thought you were handling that." Tasks fall between IT, Facilities, and the app owners. People over-provision out of habit - giving everyone admin "to be safe" - which is exactly what auditors flag. And every few months someone shows up on day one with no laptop, no email, and no way to badge into the building, while their manager apologizes.

This tool replaces the scramble with a clear, role-driven checklist - one that a person approves before anything is provisioned, and that tracks itself to done before the start date.

What you'll build

A small internal web app, just for your team, that:

  • Imports your new-hire list from a CSV or sheet (name, role, department, start date, manager).
  • Reads your access profiles - the role-based templates that say "this role gets these accounts, this equipment, these apps, this badge" - and generates a complete provisioning checklist for each new hire automatically.
  • Applies least-privilege defaults: a role gets exactly what it needs, nothing extra, so you stop handing out access by habit.
  • Sends the hiring manager the generated access list to approve - with a separate, stricter gate for sensitive apps and data that need an app/data owner's sign-off.
  • Dispatches each approved task to its owner (IT for the laptop, Facilities for the badge, an app owner for that system) via email, only after approval.
  • Tracks every task to done with a live readiness countdown to the start date, so you can see at a glance who is "ready" and who is at risk.
  • Dedupes on new-hire ID so the same person can't be provisioned twice.
  • Exports the provisioning task list as a CSV in the exact columns your IT/IAM (identity and access management) tool expects.

What's inside the Implementation Plan

The plan is a single markdown file you paste into Claude Code (a free AI coding agent). It walks the agent through building the whole tool, step by step, each step ending with a ready-to-paste prompt.

The most important part: the plan opens by interviewing you about your business. Before it writes a single line, the agent asks how new hires reach you today, what your access profiles actually look like by role, the real field names and codes in your HR feed, which apps count as "sensitive" and who owns them, your typical and peak hiring volumes, your exact approval rules, and your messiest edge cases (contractors, rehires, role changes mid-onboarding, a start date that moves). It reads a short tailored spec back to you, you confirm it, and only then does it build - so you get a tool shaped to your provisioning process, not a generic template you have to bend to fit.

Inside you'll find:

  • The discovery interview and how the agent turns your answers into role templates and a data model.
  • The full build: database, login, new-hire import with duplicate guards, the checklist generator, the manager approval gate (plus the sensitive-app gate), task dispatch, the readiness countdown, and the audit trail.
  • The hard human-in-the-loop gate so nothing is provisioned without sign-off.
  • Verification steps so you can prove it works, and the CSV-export fallback so it's fully usable even before you connect it to your IAM tool.

The governance it includes (this is the point)

This isn't a toy. The plan builds in the controls an IT and security team actually needs:

  • Login so only your team can see or touch anything.
  • Row-level security so people only see the new hires and tasks that belong to your organization.
  • A complete audit trail - every generated checklist, approval, rejection, dispatch, and completed task is logged with who and when.
  • A hard human-in-the-loop gate - the AI drafts the access list, but the hiring manager (and app owners for sensitive access) must approve; nothing is dispatched or provisioned automatically.
  • Least-privilege by default - roles get exactly what they need, and over-broad access has to be deliberately added and approved, not handed out by habit.
  • Duplicate guards so the same new-hire ID can't be provisioned twice.
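The approval gate, least-privilege generation, duplicate guard and audit log from the list above, as an added TypeScript example (not code from the plan). The access profile, the `sensitive` flag, the addresses and all function names are assumptions, and state is held in memory rather than in Supabase.

```typescript
// Added example; every name, address and profile entry here is constructed.
type Task = { item: string; owner: string; sensitive: boolean;
  managerOk: boolean; ownerOk: boolean; dispatched: boolean };
type Hire = { manager: string; tasks: Task[] };

// Access profile: the role gets exactly these items (least privilege).
const PROFILES: Record<string, { item: string; owner: string; sensitive?: boolean }[]> = {
  "Senior AR Analyst": [
    { item: "laptop", owner: "it@example.test" },
    { item: "building badge", owner: "facilities@example.test" },
    { item: "financial system", owner: "fin-owner@example.test", sensitive: true },
  ],
};

const hires = new Map<string, Hire>(); // keyed by new-hire ID
const audit: string[] = [];
const log = (actor: string, action: string) =>
  audit.push(`${new Date().toISOString()} ${actor} ${action}`);

function generateChecklist(hireId: string, role: string, manager: string): Task[] {
  if (hires.has(hireId)) throw new Error(`duplicate new-hire ID ${hireId}`);
  const profile = PROFILES[role];
  if (!profile) throw new Error(`no access profile for ${role}`); // fail closed
  const tasks = profile.map(p => ({ item: p.item, owner: p.owner,
    sensitive: p.sensitive === true, managerOk: false, ownerOk: false, dispatched: false }));
  hires.set(hireId, { manager, tasks });
  log("system", `generated ${hireId}`);
  return tasks;
}

function approve(hireId: string, item: string, actor: string, kind: "manager" | "owner"): void {
  const hire = hires.get(hireId);
  const task = hire?.tasks.find(t => t.item === item);
  if (!hire || !task) throw new Error("unknown task");
  // Sign-offs count only from the hire's manager or the task's own owner.
  const expected = kind === "manager" ? hire.manager : task.owner;
  if (actor !== expected) throw new Error(`${actor} may not approve as ${kind}`);
  if (kind === "manager") task.managerOk = true; else task.ownerOk = true;
  log(actor, `approved ${hireId}/${item} as ${kind}`);
}

// Dispatch only approved tasks; sensitive ones need both sign-offs.
function dispatch(hireId: string): string[] {
  const ready = (hires.get(hireId)?.tasks ?? []).filter(t =>
    !t.dispatched && t.managerOk && (!t.sensitive || t.ownerOk));
  for (const t of ready) { t.dispatched = true; log("system", `dispatched ${hireId}/${t.item}`); }
  return ready.map(t => t.item);
}
```

In a real deployment the same conditions belong in the database as well (constraints and RLS policies), so that a request which bypasses the application code still cannot dispatch an unapproved task.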

Who it's for

IT onboarding coordinators, IT help desk leads, and people-ops/HR partners who own the new-hire experience - and who are tired of day-one surprises, over-provisioned accounts, and tasks lost between teams. You don't need to write code. You need your new-hire list, your role-based access profiles, and an afternoon-to-a-weekend.

You've got this - paste the first prompt and let the agent interview you.
