While there are many ways into an organization via user onboarding, there are usually only one or two ways out of an organization for offboarding. Generally, all users need to have their password changed, be removed from groups, have assets transferred to their Manager (or someone else) and, after a hold period, have their account deleted/removed from the organization.
As with onboarding, usually a Workflow will need to be triggered via a manual action, such as adding a user to a "leavers" organizational unit/group, or deactivating a user in a specific application (most often Google, O365, or Okta). Once you’ve defined your offboarding process, you can set that process as your WHEN (and optionally IF) in the Workflow Builder. Downstream, you can then set up all THEN actions which need to be performed on the user(s) who meet the offboarding conditions.
This article will explain how to build your offboarding process from start to finish within Workflow Builder. If you know what your WHEN/IF triggers should be, or they've been defined via your template, you can start the video here, at the 1:43 mark.
IMPORTANT: Before beginning offboarding, you’ll want to ensure that the Manager field for each user is filled in through their Profile. If the Manager field is not filled in, transfers will not be successful.
By the end of this video, you will be able to...
- Explain why having the Manager field filled in for all users is critical for offboarding in BetterCloud
- Understand what your WHEN trigger should be, adding it to the Workflow Builder
- Understand that all steps are sequential and will run in the order they are listed
- Select the user who started the Workflow dynamically in required THEN actions
- Define all manual steps that are being performed in your organization, and find correlating THEN events that should run for the user being offboarded
- Build in wait periods via Wait for Duration and approval steps via Wait for Approval (if required)
Automating across numerous applications is possible with "Plus" versions of BetterCloud
Why is Offboarding Important?
If offboarding isn't performed properly, users who leave an organization may still have access to data within the organization. This continuing access is a security issue, as well as an intellectual property issue. Time and time again, we’ve seen clients state that offboarding (done manually) is being done properly, only to find that former employees still have access to files, calendars, groups, or active logins. Scripting offboarding via a Workflow ensures all actions are being completed in an automated way, removing human error, and creating a log of all actions that have been run.
Important Note Regarding Suspending a Google User
If you suspend a user in Google as your WHEN trigger, it’s important to know that this suspension will make some of your offboarding actions impossible, such as setting forwarding or delegating email access. Additionally, if you’re using Okta to disable a user and you also use Google, oftentimes disabling the user in Okta will also suspend the Google user. In these scenarios, before running any Google actions, you’ll want to un-suspend the user in Google. You can then run all your Google actions (change password, transfer calendars, files, and groups, remove from groups, etc). Once you've run all actions in Google, you can then suspend the user again as one of your final Workflow steps.
- Use Case: Four Deprovisioning Examples
- Use Case: Deprovisioning an Okta User
- Anatomy of the Perfect BetterCloud Offboarding Workflow
Now that you have a grasp on very complex Workflows like onboarding and offboarding, you’ll want to ensure these are working as expected. To do so, check out our next module, Evaluating Workflow Results, by clicking here.