You can use Trelica to reduce unnecessary spending and optimize allocation of app user licenses.
The most efficient approach is to set up a workflow to identify unused or underused licenses and deprovision users automatically.
Prerequisites
Before you configure an optimization workflow:
- Ensure you have set up accurate sources of app login data. This can include direct app integrations, an integration with your Identity Provider (IdP) and/or enabling the Browser Extension.
- Use spend and user engagement data to identify the apps for which it is worth creating an optimization workflow.
For more information, see Optimize app licenses with Trelica.
Configure an optimization workflow
You will need to set up a dedicated workflow for each app that you want to optimize app user licenses for.
The exact workflow logic will depend on your organization's needs and can include:
- A step to engage with the app user or their line manager via Slack, Microsoft Teams or email to check whether they still need access to the app. For advice on what to cover, see Phrasing deprovisioning messages.
- A deprovisioning step for the app in question - either directly or via your IdP.
- A step to create a task for the app owner or IT admin. This is useful for deprovisioning processes that require additional manual steps or for apps with integrations that do not support deprovisioning.
To configure an optimization workflow, from the left-hand navigation, select Admin > Workflows and then click Create. The New Workflow page is displayed. Select the Deprovision application user via integration template and click Create. Alternatively, you can create a new workflow from scratch using the "License not in use" trigger.
Configure the "License not in use" workflow trigger
Each optimization workflow is for a specific app. This is because the definition of an unused or underused app license varies depending on the context. For example, a financial reporting app may primarily be used in the lead-up to your organization's financial year end. In this case, you might set a threshold of 13 months. By contrast, licenses for video editing apps may only be justified if individuals are using the app at least once every two months.
Select the app for which you want to optimize app user licenses and configure the criteria for identifying unused licenses. By default, app users are considered not to be using an app if their last login date is earlier than the default "Unused account period" setting (configurable from Settings > Applications). To use a different setting for this workflow, select another threshold from the Inactive for list. For example, if the threshold is set to 60 days, each time the workflow runs any app users with a "Last login" date more than 60 days in the past (or with no "Last login" date at all) will be identified.
Note that app users are not included in the workflow if they:
- Do not have sufficient usage data. This includes app users with a "User created date" or "User discovered date" later than the "Inactive for" threshold or the default "Unused account period" setting (whichever is earlier).
- Have a "License last changed" date later than the "Inactive for" threshold or the default "Unused account period" setting (whichever is earlier).
- Have been identified as a service account.
In addition, protected app users are never deprovisioned automatically. Instead, a Trelica admin user must confirm that the user should be deprovisioned.
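The selection rules above can be modelled in a short script to preview which accounts a given threshold would flag before the workflow is enabled. This is an added example, not Trelica's own code: the record field names and sample data are constructed, and reading "whichever is earlier" as the earlier of the two cutoff dates is an assumption.

```python
from datetime import date, timedelta

def classify(user, today, inactive_for_days, default_unused_days):
    """Return (decision, reason) for one app-user record (a dict)."""
    login_cutoff = today - timedelta(days=inactive_for_days)
    # Assumption: "whichever is earlier" means the earlier of the two cutoff dates.
    data_cutoff = min(login_cutoff, today - timedelta(days=default_unused_days))

    if user.get("service_account"):
        return "excluded", "service account"
    first_seen = [d for d in (user.get("created"), user.get("discovered")) if d]
    if any(d > data_cutoff for d in first_seen):
        return "excluded", "insufficient usage data"
    changed = user.get("license_last_changed")
    if changed and changed > data_cutoff:
        return "excluded", "license changed recently"
    last_login = user.get("last_login")
    if last_login is not None and last_login >= login_cutoff:
        return "active", "login within threshold"
    # No login at all, or last login older than the threshold.
    if user.get("protected"):
        return "needs_admin_approval", "protected app user"
    return "flagged", "no login within threshold"

def dry_run(users, today, inactive_for_days, default_unused_days):
    """Map each user name to its decision so the list can be reviewed first."""
    return {u["name"]: classify(u, today, inactive_for_days, default_unused_days)[0]
            for u in users}

# Constructed sample records; field names are hypothetical, not an export format.
TODAY = date(2024, 6, 30)
OLD = date(2023, 1, 10)
SAMPLE = [
    {"name": "alice", "created": OLD, "last_login": date(2024, 6, 20)},
    {"name": "bob", "created": OLD, "last_login": date(2024, 2, 1)},
    {"name": "carol", "discovered": OLD, "last_login": None},
    {"name": "dave", "created": date(2024, 5, 20), "last_login": None},
    {"name": "erin", "created": OLD, "last_login": date(2024, 1, 15),
     "license_last_changed": date(2024, 6, 1)},
    {"name": "frank", "created": OLD, "last_login": date(2023, 12, 1),
     "protected": True},
    {"name": "gina", "created": date(2024, 4, 15), "last_login": None},
    {"name": "svc-backup", "created": OLD, "service_account": True},
]

if __name__ == "__main__":
    for name, decision in dry_run(SAMPLE, TODAY, 60, 90).items():
        print(f"{name:12} {decision}")
```

With a 60-day "Inactive for" threshold and a 90-day default, "gina" is excluded even though her account is older than 60 days, because the earlier (90-day) cutoff decides whether there is enough usage data.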
Add a deprovisioning step
Depending on the app integration, one or more of the following workflow steps may be available to deprovision app users or downgrade their licenses:
- Change user license - Moves the app user to the specified license tier.
- Suspend app user - Deactivates the user's account so they cannot use the app, but they retain their license.
- Deactivate app user - Deactivates the user's account so they cannot use the app and recovers their license.
- Delete app user - Deletes the user's account from the app.
- Disassociate user from app via your IdP - This option is only available for apps that are managed by an IdP (such as Okta or Google Workspace) and which support deprovisioning via that IdP. The effect of disassociating a user via your IdP depends on the app, but will involve either suspending, deactivating or deleting the user account. For more information, refer to the integration guidance for specific apps.
- Deprovision the user - Removes the user's access to the app in one of the above ways and performs other app-specific steps as required. For more information, refer to the specific guidance for the relevant app. Note that this option will be deprecated in future and should only be used if other deprovisioning options are not available.
To add a deprovisioning step, click the + icon in the workflow outline and then filter the list of steps by the relevant integration.
Add other steps to the optimization workflow
If you have configured the "License not in use" trigger to initiate a workflow run when an app user is either inactive or terminated, then you can add steps to each path. Alternatively, you can combine both criteria into a single path.
To add further steps, click the + icon at the end of the outline. To add steps earlier in the workflow, click the node between steps.
For more information about configuring workflow logic, see Building workflows.
Enable an optimization workflow
Once you are ready, enable the optimization workflow. Trelica analyzes the user login data for the selected app to identify inactive users. If a user meets the criteria, a new workflow run is initiated.
You can view all workflow runs that have been initiated and their current status from the Workflow Runs page. From the Workflows page, click the number in the "Runs" column for the relevant workflow or from the context menu, select View runs. The Workflow Runs page is displayed, filtered by the selected workflow. Click a run to view more details. For more information about workflow runs, see Managing workflow runs.
You can also check whether a user still has access to an app from the "Users" tab of the relevant app page, or from the "Apps" tab of their person profile.
If an optimization workflow is triggered for an app user that has been protected from deprovisioning, the deprovisioning step will not complete until it has been approved by a Trelica admin user. For more information, see Protect app users from automatic deprovisioning.
If you have added a workflow step that creates a deprovisioning task, you can view and update the task from the Tasks list.