Automate recovering or downgrading app account licenses

You can use Trelica to reduce unnecessary spending and optimize allocation of app account licenses.

The most efficient approach is to set up a workflow to identify unused or underused licenses and deprovision accounts automatically. 

Prerequisites

Before you configure an optimization workflow:

  • Make sure you have set up accurate sources of app login data. This can include direct app integrations, an integration with your Identity Provider (IdP) and/or enabling the Browser Extension.
  • Use spend and user engagement data to identify the apps for which it is worth creating an optimization workflow. 

For more information, see Optimize app licenses with Trelica

Configure an optimization workflow

You will need to set up a dedicated workflow for each app that you want to optimize app account licenses for.

The exact workflow logic will depend on your organization's needs and can include:

  • A step to engage with the app account or their line manager via Slack, Microsoft Teams or email to check whether they still need access to the app. For advice on what to cover, see Phrasing deprovisioning messages
  • A deprovisioning step for the app in question - either directly or via your IdP.
  • A step to create a task for the app owner or IT admin. This is useful for deprovisioning processes that require additional manual steps or for apps with integrations that do not support deprovisioning. 

To configure an optimization workflow, from the left-hand navigation, navigate to Workflows and then select Create. The New Workflow page is displayed. Select the Deprovision application account via integration template, then select Create. Alternatively, you can create a new workflow from scratch using the "License not in use" trigger.

Configure the "License not in use" workflow trigger 

Each optimization workflow is for a specific app. This is because the definition of an unused or under-used app license varies depending on the context. For example, a financial reporting app may primarily be used in the lead up to your organization's financial year end. In this case, you might set a threshold of 13 months. By contrast, licenses for video editing apps may only be justified if individuals are using the app at least once every two months.

Select the app for which you want to optimize app account licenses and configure the criteria for identifying unused licenses. By default, app accounts are considered not to be using an app if their last login date is earlier than the default "Unused account period" setting (configurable from Settings > Applications). To use a different setting for this workflow, select another threshold from the Inactive for list. For example, if the threshold is set to 60 days, each time the workflow runs any app accounts with  a "Last login" date more than 60 days in the past (or with no "Last login" date at all) will be identified.

Note that app accounts are not included in the workflow if they:

  • Do not have sufficient usage data. This includes app accounts with a "Account created date" or "Account discovered date" later than the "Inactive for" threshold or the default "Unused account period" setting (whichever is earlier).
  • Have a "License last changed" date later than the "Inactive for" threshold or the default "Unused account period" setting (whichever is earlier). 
  • Have been identified as a service account.

In addition, protected app accounts are never deprovisioned automatically. Instead, a Trelica admin user must confirm that the user should be deprovisioned.

license_not_in_use_trigger.png

In addition to optimization workflows, the "Licence not in use" trigger can be used with the "Person is 'Terminated'" option to remove access for app accounts that have left your organization.  You can use this option instead of a general offboarding workflow designed to remove employees' and contractors' access to multiple apps when they leave your organization. 

Add a deprovisioning step

Depending on the app integration, one or more for the following workflow steps may be available to deprovision app accounts or downgrade their licenses:

  • Change account license - Moves the app account to the specified license tier.
  • Suspend app account -  Deactivates the account so they cannot use the app, but they retain their license.
  • Deactivate app account - Deactivates the account so they cannot use the app and recovers their license.
  • Delete app account - Deletes account from the app.
  • Disassociate user from app via your IdP - This option is only available for apps that are managed by an IdP (such as Okta or Google Workspace) and which support deprovisioning via that IdP. The effect of disassociating a user via your IdP depends on the app, but will involve either suspending, deactivating or deleting the account. For more information, refer to the integration guidance for specific apps.
  • Deprovision the user - Removes the user's access to the app in one of the above ways and performs other app-specific steps as required. For more information, refer to the specific guidance for the relevant app. Note that this option will be deprecated in future and should only be used if other deprovisioning options are not available.

To add a deprovisioning step, select the + icon in the workflow outline and then filter the list of steps by the relevant integration. 

Adding workflow steps, filtered by the app integration.

For advice on the best way to configure deprovisioning for your organization, contact Trelica Support & Customer Success.

Add other steps to the optimization workflow

If you have configured the "License not in use" trigger to initiate a workflow run when an app account is either inactive or terminated, then you can add steps to each path. Alternatively, you can combine both criteria into a single path. 

To add further steps, select the + icon at the end of the outline. To add steps earlier in the workflow, select the node between steps. 

license_not_in_use_message_step.png

For more information about configuring workflow logic, see Building workflows.

Enable an optimization workflow

Once you are ready, enable the optimization workflow. Trelica analyzes the user login data for the selected app to identify inactive accounts.  If an account meets the criteria, a new workflow run is initiated.

You can view all workflow runs that have been initiated and their current status from the Workflow Runs page. From the Workflows page, select the number in the Runs column for the relevant workflow or from the context menu, select View runs. The Workflow Runs page is displayed, filtered by the selected workflow. Select a run to view more details. For more information about workflow runs, see Managing workflow runs

workflow_runs.png

You can also check whether a user still has access to an app from the Accounts tab of the relevant app page, or from the Apps tab of their person profile. 

If an optimization workflow is triggered for an app account that has been protected from deprovisioning, the deprovisioning step will not complete until it has been approved by a Trelica admin user. For more information, see Protect app accounts from automatic deprovisioning

If you have added a workflow step that creates a deprovisioning task, you can view and update the task from the Tasks list

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.