BCEL1014a: What Is My Offboarding Trigger for Google?

Follow

Why Select Google?

If Google is your source of truth, you’re using it as an IdP or your HRIS (such as SaplingHR) pushes users to Google, you’ll very likely want to start your offboarding process with a Google trigger. Your available triggers can be seen below:

When

 

If

 User is Suspended

   (n/a)

 User added to Group

 

 Group is [enter Group name]

 User added to OU

 

 OU is [enter OU name]

In the sections that follow, you’ll find a breakdown of the pros, cons, use cases, and things to keep in mind when selecting your trigger for Google!

OPTION: User added to OU + OU is [offboarding OU]  (BetterClouders Most Common Method)

Adding a user to an offboarding organizational unit in G-Suite is the most common way we see BetterClouders begin their offboarding process. This is because a user may only belong to one organizational unit (making it more reliable than Groups) and you’re able to track everyone who is being offboarded, or has gone through the offboarding process (more accurate than User is Suspended). If you’re employing the use of organizational units, it’s very likely that you have an offboarding OU. If you don’t, this would be a great time to create one! 

If you’re considering different triggering options, here’s a list of pros and cons when it comes to offboarding users via an offboarding OU:

Pros

 

Cons

 All offboarded users are kept in one place

 

 Slight delay before full access is cut

 Users cannot belong to more than one OU

 

 Action cannot be synced from an HRIS

 OUs can have permissions settings defined

   

 Allows for email delegation and forwarding

   

 

OPTION: User is Suspended

If your first step to begin offboarding a user, or locking them out from your instance of Google, is to suspend the user, there’s a few things to keep in mind. 

Pros

 

Cons

 Access is cut instantly

 

 Emails bounce when sent to the user

 HRIS/IdP suspend may push to Google

 

 Prevents email delegation

Suspending a user is a perfectly acceptable way to remove a user’s access and begin offboarding. When BetterCloud receives the notification that a user has been suspended, the offboarding process begins. The first few steps of this process will often be to unsuspend the user, change their password, and remove any devices from gaining access to the system. 

 If you don’t need emails to be delivered, forwarded to a Manager, or delegation to occur, you would be able to re-suspend the user at the end of the process. However, if you have a legal hold, you may put a delay into the process and hold the users account for 30, 60, 90, or how many ever days you require until you’re ready to delete the user account entirely.

 OPTION: User added to Group + Group is [an offboarding group]

You may be adding an employee to a group to identify them as someone leaving shortly, or who has just departed. In this case, if you have a “leavers” or “offboarding” group, you’ll want to select the User Added to Group trigger, and define your offboarding group. In this case, when a user is entered into this specific group, your offboarding process will start.

If you’re still deciding what your trigger should be, here’s a few pros and cons to using a Group as your offboarding trigger for BetterCloud:

Pros

 

Cons

 Organizes users going through offboarding

 

 Short sync to BetterCloud

 Can open up the process to non-admins

 

 No inherit security

Why Wouldn’t You Select Google?

Do you have another application that is your source of truth that also connects into BetterCloud? In this case, you may want to use this application, then have that move the user to their offboarding OU, reset their password, suspend the user, or whatever actions you’d like to perform downstream.

Are You Using an HRIS or IdP?

If you’re using an HRIS or an IdP, does this push changes to Google? If so, it will make sense to use Google as your starting point (unless the HRIS or IdP integrates with BetterCloud, then in this case, use that application). Please keep in mind what change is pushed to Google. Oftentimes, disabling a user in your HRIS or IdP will also suspend the Google user. If so, you’ll want to make sure you unsuspend the user in Google to reset their password, start email forwarding, delegate email access, transfer files, and other secondary actions that you may need to perform to ensure a seamless offboarding and transition of information to another employee.

What Are My Other Options?

As mentioned in a couple of the questions above, please consider all of the apps you have integrated with BetterCloud. If you’re integrating with Okta, OneLogin, Namely, or have custom triggers from an HRIS (via our Custom Integrations service), you may want to review these options first. They’ll likely be your best option.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request