Automate employee offboarding

When someone leaves your organization, it's important to remove their access to your internal systems, as well as any apps and websites that they logged in to for work. You can use Trelica to manage the process of offboarding employees and contractors from your SaaS stack and to keep records for audit purposes. 

To automate employee offboarding, you need to configure an offboarding workflow, as explained below. 

Offboarding prerequisites

Automatic offboarding requires an accurate termination date for each employee or contractor. You specify the source of this information by setting the lifecycle source. This is usually an HR system or your Identity Provider (IdP). 

You can also enter individuals' termination dates manually from the People directory. This is useful when testing offboarding workflows.

Configure an offboarding workflow

You can configure one or more workflows to revoke individuals' access to apps when they leave your organization. The exact workflow logic will depend on your organization's needs and can include:

  • An approval process to confirm that the individual should be offboarded. This is useful if you are concerned that your lifecycle source may supply incorrect termination dates, or if you want to revoke an employee's access before a termination date has been entered in your IdP or HR system.
  • Steps to deprovision users from specific apps, including your IdP and any other apps that support deprovisioning via an integration (such as Zoom).
  • A general step to identify any other apps that a user still has access to and either revoke their access automatically or create tasks to instruct app owners to remove access manually.
  • Steps to identify any devices currently assigned to the person leaving and lock them via your device management system.
  • Any standard workflow steps, including notifications via Slack, Microsoft Teams or email to the individual or their line manager. 

To configure an offboarding workflow, select Workflows from the left-hand navigation and then click Create. The New Workflow page is displayed. Select the Offboard employee template and click Create. Alternatively, you can create a new workflow from scratch using the "Person leaves" trigger.

Configure the "Person leaves" workflow trigger

The offboarding workflow uses the "Person leaves" trigger. This trigger initiates workflow runs based on individuals' termination dates.

Configure the trigger options as required:

  • You can restrict the workflow to employees or contractors, or create one workflow for both person types. 
  • The workflow is triggered automatically when the individual's termination date (provided by your lifecycle source) matches the current date. You can specify when the workflow runs relative to that date. This is useful if you want to start the process a few days before or after the individual's termination date. Triggering the workflow manually overrides this setting.
  • To require a Trelica admin to confirm that the individual should be offboarded before the workflow steps are executed, select Require approval before continuing to next step. When this option is selected, the workflow run is listed with a status of 'Needs input'. Alternatively, you can send a Slack, Teams or email notification to the person's line manager and ask them to confirm whether offboarding should begin using buttons embedded in the message. 
    Note that if an individual belongs to a team that has been protected from deprovisioning, approval will be required regardless. For more information, see Offboard individuals automatically below.

[Image: person_leaves_trigger.png]

You can specify the trigger time in the person's time zone or in UTC. If the leaver's termination date or time zone is changed so that the workflow should have triggered in the past, the workflow will be triggered within an hour (if Person's time zone was selected) or at the specified time on the following day (if UTC was selected). 

Add deprovisioning steps for specific apps

If you used the 'Offboard employee' template, the 'Offboard person from apps' step is included by default. We recommend adding deprovisioning steps for specific apps before the 'Offboard person from apps' step.

The deprovisioning steps available depend on the integrations you have configured, the app's capabilities, and whether app users are managed via your IdP. One or more of the following deprovisioning options may be available for supported apps:

  • Suspend app user
  • Deactivate app user
  • Delete app user
  • Disassociate user from app via [identity provider]

To add a deprovisioning step, click the node above the 'Offboard person from apps' step and then filter the list of steps by the relevant integration.

[Image: workflow_add_offboard_steps.png]

By default, each workflow step must complete successfully before the next step can begin. If you want to initiate multiple deprovisioning steps at the same time, add the steps to a group. This is useful if you want to include multiple app-specific deprovisioning steps that do not depend on each other. For more information, see Running steps in parallel with groups.

Configure the 'Offboard person from apps' step

The 'Offboard person from apps' step is designed to be used after any app-specific deprovisioning steps. This step identifies any remaining apps to which the user still has access and either revokes access or creates an offboarding task depending on the application's deprovisioning policy.

  • For any apps that the individual accessed via OpenID Connect single sign-on (for example, by using a 'Sign in with Google' option), Trelica will revoke the user's OAuth token. If the individual has been deprovisioned from Google Workspace via a prior workflow step, this step will prevent them from logging in to the app again using their business email address.
  • Trelica will try to automatically offboard the user either through a direct API connection, or via the identity provider (where SCIM is enabled).
  • Failing that, Trelica will create an offboarding task to request that the individual's access to the app is removed. You can assign offboarding tasks to the user in the Owner or IT Admin role for the app, or to another person in your organization. Once the assignee has revoked the individual's access to the app, they mark the task complete in Trelica. For more information about checking the status of these tasks, see Viewing the status of offboarding below.
  • See Application deprovisioning policies for a full description of how this logic works, and how to manage policies for individual apps.

[Image: workflow_general_offboard_step.png]

The workflow advances automatically to the next step once all the offboarding tasks are marked as complete or once the 'Time limit to respond' period has elapsed, whichever is first. 
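The per-app decision the 'Offboard person from apps' step makes, together with the rule for when the step advances, can be modelled as a small policy function. The following is an added example written for this article and is not Trelica's code: the record fields, the sample apps, the policy names ("automatic" / "task") and the e-mail addresses are all constructed assumptions used to illustrate the logic described above.

```python
"""Decision logic behind a general 'offboard person from apps' step.

Added example, not Trelica's code. It models the rules the article describes
for each app a leaver still has access to (revoke the OAuth token for OIDC
logins, deprovision via a direct API or via SCIM on the IdP, otherwise raise a
task for the app owner or IT admin) and the rule that the step advances once
every task is complete or the 'Time limit to respond' has elapsed. Field
names, the sample apps and the addresses are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class AppAccess:
    """One app the leaver still has access to after app-specific steps ran."""
    name: str
    login: str                 # "oidc" (e.g. 'Sign in with Google'), "saml" or "password"
    api_deprovision: bool      # integration supports deprovisioning over a direct API
    scim_via_idp: bool         # user is managed through the IdP with SCIM enabled
    owner: Optional[str]       # app owner who would receive a manual task
    policy: str = "automatic"  # assumed deprovisioning policy: "automatic" or "task"


@dataclass
class Outcome:
    app: str
    actions: List[str] = field(default_factory=list)
    task_assignee: Optional[str] = None


def offboard_remaining_apps(apps: List[AppAccess], it_admin: str) -> List[Outcome]:
    """Apply the per-app policy; returns what was done (or who was asked) per app."""
    outcomes = []
    for app in apps:
        out = Outcome(app.name)
        if app.login == "oidc":
            # Revoke the token so a user already removed from Google Workspace
            # cannot sign in to this app again with their business address
            out.actions.append("revoke_oauth_token")
        if app.policy == "automatic" and app.api_deprovision:
            out.actions.append("deprovision_via_api")
        elif app.policy == "automatic" and app.scim_via_idp:
            out.actions.append("deprovision_via_scim")
        else:
            # No automatic route (or policy says manual): ask a person to remove access
            out.actions.append("create_task")
            out.task_assignee = app.owner or it_admin
        outcomes.append(out)
    return outcomes


def step_can_advance(tasks_done: Dict[str, bool], started: datetime,
                     time_limit: timedelta, now: datetime) -> bool:
    """Advance once all tasks are complete or the response time limit has elapsed."""
    return all(tasks_done.values()) or now >= started + time_limit


# Constructed sample: what a leaver still holds after the app-specific steps
SAMPLE_APPS = [
    AppAccess("Zoom", "password", api_deprovision=True, scim_via_idp=False,
              owner="zoom-owner@example.com"),
    AppAccess("Figma", "oidc", api_deprovision=False, scim_via_idp=False, owner=None),
    AppAccess("Salesforce", "saml", api_deprovision=False, scim_via_idp=True,
              owner="crm-owner@example.com"),
    AppAccess("Notion", "oidc", api_deprovision=True, scim_via_idp=False,
              owner="notion-owner@example.com", policy="task"),
]


def advance_demo():
    """Three snapshots of the task-tracking rule: one open task inside the
    window, the window elapsed with a task still open, and all tasks done."""
    started = datetime(2024, 6, 14, 9, 0, tzinfo=timezone.utc)
    limit = timedelta(days=3)
    tasks = {"Figma": False, "Notion": True}
    return (
        step_can_advance(tasks, started, limit, started + timedelta(days=1)),
        step_can_advance(tasks, started, limit, started + limit),
        step_can_advance({"Figma": True, "Notion": True}, started, limit, started),
    )


if __name__ == "__main__":
    for outcome in offboard_remaining_apps(SAMPLE_APPS, it_admin="it-admin@example.com"):
        print(outcome)
    print(advance_demo())
```

Running the block shows that Zoom is removed over its API, Salesforce via SCIM, Figma gets its token revoked and a task raised for the IT admin because it has no owner, and Notion keeps a task despite API support because its policy is manual. The time-limit check is the part worth auditing in your own setup: a task that silently expires still lets the workflow advance, so the leaver's access to that app should be confirmed separately.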

For more information about adding workflow steps and enabling workflows, see Building workflows. Once enabled, the workflow will run automatically when the trigger criteria are met. You can also run the workflow manually. 

Delay a step

You may want to delay one or more workflow steps until after the individual's termination date. For example, while you might configure the "Person leaves" trigger to run on the leaver's termination date so that access to key systems is removed immediately, you might want to delay deleting their email account until a line manager or colleague has had time to check their inbox. 

You can delay workflow steps by adding a "Wait" step. You can either specify a period of time or a point in the future relative to the person's termination date or the date on which the workflow was triggered. When specifying a defined date, you can choose whether to use the leaver's time zone or UTC. 

If the leaver's termination date is changed after the wait step has begun and the "wait until" date and time are now in the past, the next workflow step will run at the specified time on the next available date. For example, if "wait until 5pm (in the person's time zone) on the person's termination date" is applied, and an individual's termination date is changed after 5pm on their new termination date, the next workflow step will run at 5pm the following day. 
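The timing rules in the "Person leaves" trigger section and in this "Delay a step" section (run relative to the termination date, catch up when a date or time-zone change moves the scheduled run into the past, and roll a "wait until" time forward to the next available date) are easier to reason about as code. The following is an added example, not Trelica's code: it uses fixed UTC offsets instead of real time zones, models the "within an hour" catch-up as the latest time such a run would fire, and all dates and function names are constructed assumptions.

```python
"""Scheduling rules for the 'Person leaves' trigger and 'Wait' steps.

Added example, not Trelica's code. It models the behaviour the article
describes: a run scheduled relative to the termination date, the catch-up
rule when a termination date or time-zone change moves the scheduled time
into the past, and a 'wait until' step that rolls forward to the next
available date. Time zones are fixed UTC offsets here (assumption; a real
system would use IANA zones) and the one-hour catch-up window is modelled as
the latest moment such a run would fire.
"""
from datetime import date, datetime, time, timedelta, timezone

UTC = timezone.utc
PERSON_TZ = timezone(timedelta(hours=-5))  # constructed leaver time zone, UTC-5


def scheduled_run(termination: date, offset_days: int, at: time, tz) -> datetime:
    """Time at which the trigger fires: termination date + offset, at `at` in tz.

    offset_days is negative to start before the termination date, positive
    to start after it, 0 to run on the day itself.
    """
    return datetime.combine(termination + timedelta(days=offset_days), at, tzinfo=tz)


def catch_up(scheduled: datetime, now: datetime, use_person_tz: bool) -> datetime:
    """Reschedule a run whose scheduled time is already in the past.

    Person's time zone selected: fires within an hour (modelled as now + 1h).
    UTC selected: fires at the specified time on the following day.
    """
    if scheduled > now:
        return scheduled
    if use_person_tz:
        return now + timedelta(hours=1)
    next_day = now.astimezone(UTC).date() + timedelta(days=1)
    return datetime.combine(next_day, scheduled.time(), tzinfo=UTC)


def wait_until(anchor: date, at: time, tz, now: datetime) -> datetime:
    """'Wait until <time> on <date>' step. If that moment has already passed
    (for example because the termination date was moved), the next step runs
    at the same time on the next available date."""
    target = datetime.combine(anchor, at, tzinfo=tz)
    while target <= now:
        target += timedelta(days=1)
    return target


def demo():
    """Constructed scenario: trigger two days before termination at 09:00;
    HR then moves the termination date backwards on the afternoon of the
    original run day; plus a 'wait until 5pm on termination date' step."""
    termination = date(2024, 6, 14)
    now = datetime(2024, 6, 12, 15, 30, tzinfo=PERSON_TZ)

    sched = scheduled_run(termination, -2, time(9, 0), PERSON_TZ)

    # Termination date moved back to 10 June: the scheduled run is now in the past
    moved_person = scheduled_run(date(2024, 6, 10), -2, time(9, 0), PERSON_TZ)
    moved_utc = scheduled_run(date(2024, 6, 10), -2, time(9, 0), UTC)

    # Wait step: date moved to today after 5pm has already passed vs. still in future
    late = datetime(2024, 6, 12, 18, 0, tzinfo=PERSON_TZ)
    return {
        "scheduled": sched.isoformat(),
        "person_tz_catch_up": catch_up(moved_person, now, True).isoformat(),
        "utc_catch_up": catch_up(moved_utc, now, False).isoformat(),
        "wait_rolled": wait_until(date(2024, 6, 12), time(17, 0), PERSON_TZ, late).isoformat(),
        "wait_future": wait_until(termination, time(17, 0), PERSON_TZ, late).isoformat(),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:20s} {value}")
```

The example makes the practical consequence visible: a termination date entered late or moved backwards does not cause a run to be skipped, but with UTC selected the catch-up lands a day later than with the person's time zone, which is the window to check if access must be revoked the same day.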

Offboard individuals automatically

When an offboarding workflow is enabled, the workflow will run automatically for each individual that matches the trigger criteria. Note that the time zone for all workflows is UTC, rather than the leaver's local time. 

If approval was required as part of the trigger criteria, or the individual belongs to a team that is protected from automatic deprovisioning, the workflow run is initiated and paused with a status of 'Needs input' until a Trelica admin user (or a user in the IT or HR role) approves it.

To check if any workflow runs require approval, select Admin > Workflows and locate the offboarding workflow in the list. The Status column indicates the number of runs requiring input; click the number in the Runs column to view the list of workflow runs and either approve or abort individual runs. For more information, see Managing workflow runs.

[Image: workflow_runs_needs_input.png]

Offboard individuals manually

You can trigger an offboarding workflow manually from the People directory. This is useful if:

  • You need to revoke someone's access in advance of the official termination date recorded in the lifecycle source.
  • An individual's termination date was recorded in your lifecycle source after the date on which the workflow would have been triggered. (This can happen if the workflow is configured to run two days before the person's termination date, and the date is only entered into the lifecycle source one day before their departure.)

Any approval requirements are skipped when you trigger an offboarding workflow manually. 

By default, only Trelica users in the Admin role can trigger workflows manually. To grant access to users in other roles, such as HR or IT staff, edit the workflow settings and add the role to the workflow. 

To trigger offboarding manually, open the People directory, click the individual's name to open their profile, and then expand the context menu and select Offboard.

[Image: person_offboard_option.png]

Alternatively, open the People directory, use the checkboxes to select up to 20 individuals, and then select Offboard at the top of the page.

If the workflow is not listed or the offboarding option is not available, ensure that the workflow is enabled.

Next steps

Once you have enabled an offboarding workflow, you can check whether offboarding has been completed for individuals from the People directory. You can also view the details of the offboarding process for each individual from the Workflow runs page. For more information, see View the status of automated onboarding and offboarding.
