Protect app accounts from automatic deprovisioning

You can protect individual app accounts or members of particular teams from deprovisioning. This is useful if you have configured workflows to deprovision users if they're not using their license or have left your organization, but have some app accounts that should not be deprovisioned automatically.

Protect individual app accounts

To protect a user of a particular app from being deprovisioned for that app:

1. From the Apps inventory, open the relevant app.
2. Open the Accounts tab. The app accounts are listed.
3. Select the context menu on an account row, or use the checkboxes to select multiple accounts and then expand the list context menu.
4. Select Protect account(s). The accounts are protected from automatic deprovisioning for that app.

To remove protection, open the context menu again and select Unprotect account(s).

Protect a team

To protect all members of a particular team from deprovisioning for any apps:

1. Navigate to Settings > Applications.
2. Select Teams protected from deprovisioning. Any teams that have been protected are listed.
3. Select the field to expand the list, then select the teams you want to protect. All members of the team are protected from automatic deprovisioning for any apps. Selecting a parent team will protect all members of that team and any child teams.

To remove protection, remove the team from the list of Teams protected from deprovisioning.

Deprovision protected users

If you attempt to deprovision a protected accounts from the app list manually, a warning is displayed. To ignore the warning and remove the user's access to the app, select a reason, then choose Suspend, Deactivate, or Delete as appropriate.

If a protected user is the subject of a deprovisioning workflow, when the workflow run for that user reaches a deprovisioning step for a relevant app, the run is paused with the status "Needs input". The deprovisioning step must be approved by a Trelica admin user before the workflow run can continue.

To check for workflow runs that require input and to approve or cancel deprovisioning steps:

1. Navigate to Workflows. The list of workflows is displayed.
2. Select Status and filter the list by Needs input. Workflows with one or more runs requiring input are listed.
3. Identify the relevant deprovisioning workflow and select the number in the Runs column to view a list of the workflow runs requiring input.
4. Select the workflow subject to open the individual run page and review the details.
5. Select the relevant workflow step and choose whether to unprotect the user or skip the deprovisioning step for that app and move on to the next step of the workflow.

For more information, see Managing workflow runs.