Application offboarding policies

An important part of offboarding is ensuring that users have been removed from the apps that they have access to.

Typically we recommend building out an offboarding workflow that contains the broad logic for the process, e.g. when it's initiated and who gets notified.

This workflow will likely contain dedicated actions for key applications like identity providers, such as suspending and revoking access. 

Adding specific actions for every possible application that a user could have access to would be burdensome, and where API access is available, most applications have a straightforward deactivation process.

The Offboard person from apps workflow action is a 'catch-all' action which aims to apply the best approach to offboarding for each application that Trelica knows the user has accessed, that hasn't already been dealt with by prior actions in your workflow.

'Offboarding person from apps' action

Offboarding processes ought to be completed in a timely manner. The action has two outputs in the workflow: one is followed when all actions are complete, and the other is followed if the Deadline for completing this step is exceeded. The deadline defaults to 30 days after the step starts.

Task assignment

Where possible the action will automatically deprovision, but where there's no way to do this, tasks will be raised in Trelica.

By default these tasks will be assigned to the IT admin role, but you can change this to a different role or person. You can also specify a backup role or person in case nobody is configured for the specific app role you chose to assign to.

The Notify users on initial assignment checkbox can be turned off if you don't want a notification to be sent. Trelica notifications are automatically batched, so someone who manages lots of apps won't get sent multiple messages.

The Due date is the number of working days the person is given to complete the task.

Default offboarding logic

The basic logic of offboarding is that Trelica will try to automatically offboard or remove access. Where this isn't possible, a task will be raised.

The specific logic is shown below. 

Offboarding only applies to applications in the 'In review', 'Managed' or 'Plan to close' states.

The reason for this is to ensure that only relevant tasks are raised.

If an application is 'Ignored' or 'Accepted' then Trelica assumes that this state was assigned because you are aware of the use, but the application isn't actively managed, so offboarding tasks would not be relevant.

Controlling on a per application basis

Each app has an offboarding policy. This is shown on the right-hand side of the app profile page, under Sources.

This will explain the default policy for the application. This is important because deprovisioning actions may vary from application to application.

Trelica understands three flavors of deprovisioning:

  • Suspend - user cannot log in but is still billable and could be reactivated.
  • Deactivate - user cannot log in and is not billable, but could be reactivated.
  • Delete - user is deleted (some applications may offer a 30 day grace period before fully deleting, but deletion is generally considered permanent).

The policy will show the deprovisioning action available.

In some cases Trelica cannot deactivate the user. This might be because the information about usage did not come directly from the application integration (e.g. maybe they were discovered by the Browser extension). In this case Trelica will fall back to creating a task.

You can choose to override the default policy, either to always create tasks, or to do nothing.

Doing nothing is useful where the application itself synchronizes with a lifecycle source, e.g. some Learning Management Systems have built-in synchronization with HR sources, so may well remove user access themselves.
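
The default logic and per-application overrides described above can be modelled to list which apps still need follow-up after the action runs. This is an added example, not Trelica's code or API: the `App` fields, the policy labels (`default`, `always_task`, `do_nothing`) and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# App states the article says offboarding applies to.
IN_SCOPE = {"In review", "Managed", "Plan to close"}

@dataclass
class App:
    name: str
    state: str
    policy: str = "default"        # assumed labels: default | always_task | do_nothing
    action: Optional[str] = None   # Suspend | Deactivate | Delete; None = no integration action
    handled_earlier: bool = False  # already dealt with by a prior workflow action

def decide(app: App) -> str:
    """Return 'skip', 'task' or 'auto' for one app the user has accessed."""
    if app.handled_earlier or app.state not in IN_SCOPE:
        return "skip"
    if app.policy == "do_nothing":
        return "skip"
    if app.policy == "always_task" or app.action is None:
        return "task"
    return "auto"

def needs_follow_up(apps):
    """Apps where access may remain after the action runs, with the reason."""
    report = {}
    for app in apps:
        outcome = decide(app)
        if outcome == "task":
            report[app.name] = "open until the manual task is completed"
        elif outcome == "skip" and not app.handled_earlier:
            reason = "do-nothing override" if app.state in IN_SCOPE else f"state '{app.state}'"
            report[app.name] = f"not offboarded by this action ({reason})"
        elif outcome == "auto" and app.action == "Suspend":
            report[app.name] = "suspended only: still billable, can be reactivated"
    return report

# Constructed sample inventory for one leaver (not real data).
SAMPLE = [
    App("idp", "Managed", action="Suspend", handled_earlier=True),
    App("crm", "Managed", action="Deactivate"),
    App("chat", "Plan to close", action="Suspend"),
    App("design-tool", "In review"),  # e.g. seen only by the browser extension
    App("lms", "Managed", policy="do_nothing", action="Delete"),
    App("notes-app", "Accepted", action="Delete"),
]

if __name__ == "__main__":
    for name, why in needs_follow_up(SAMPLE).items():
        print(f"{name}: {why}")
```
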

Viewing actions

When the workflow runs you will see a panel showing how many of the total apps identified have been successfully offboarded.

Clicking on View Applications takes you through to a view of all the actions that have been completed.

You can also view and filter tasks on the Tasks list. It can be helpful to Group by Person, or by Application.