Tags: intermediate, onboarding

Employee Offboarding & Deprovisioning

Automatically cut access, recover assets, and close loops when an employee or contractor leaves. Cleanup that's boring when it works and catastrophic when it doesn't.

Visual Flow

[BPMN 2.0 diagram of the offboarding flow]

When to Use This Pattern

Use offboarding orchestration any time the cost of lingering access is non-trivial:

  • Employees with access to production systems, customer data, or financial tools
  • Contractors whose scope ends at a specific date
  • Partners or vendors whose contracts lapse
  • Interns whose stint is over

Even in a small company, this can't be manual — it gets forgotten and becomes an audit finding or a breach vector.

How It Works

HR marks someone as terminated with an effective date and time. The workflow fans out to every department with offboarding responsibilities:

  • IT: disable login, revoke SSH keys, rotate shared secrets the person knew, forward email
  • SaaS ops: revoke licenses from every tool (reclaim the seats while you're at it)
  • Facilities: recover laptop, badge, keys, any remote-work equipment
  • Finance: close expense card, process final payroll, handle equity/benefits transitions
  • Manager: knowledge transfer handoff, retain necessary documentation

Each lane is tracked. The workflow completes only when every lane confirms done. Incomplete lanes escalate loudly — a laptop that never came back is a known asset, not a mystery.

Warning

Involuntary terminations need different timing from voluntary ones. Access must be cut before the person is told, not after. Design two flows, not one.

Implementation Guide

Step 1: Inventory systems that grant access

Every SaaS, every internal system, every shared credential. If you can't list it, you can't offboard from it. This alone typically uncovers long-tail tools no one was tracking.

Step 2: Map employee → access

Per role, per employee, what do they have? SCIM, SSO, IAM — whatever your setup, the source of truth must be queryable.

Step 3: Automate what you can

Anything behind SCIM or SAML deprovisions automatically. Where manual steps remain, make them tasks in a tracking system with owners and deadlines. "Send email to vendor X" is fine — just track it.

Step 4: Time it correctly

Voluntary: deprovision at end of last working day. Involuntary: deprovision before the conversation — use HR's advance notice and automate the cut at a scheduled time.

Step 5: Verify and report

At the end, generate a report: what was revoked, what was pending, what timed out. Close the loop explicitly. If anything is still pending 48 hours later, escalate to the manager's manager.
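The fan-out, lane tracking, timing rule and end-of-process report described above, as an added example that is not part of the original page or any product it describes. It models the workflow in plain Python: tasks belong to lanes with owners, SCIM/SAML-backed tasks complete automatically at the cut time, the cut time is derived from HR's effective date (voluntary: end of last working day; involuntary: ahead of the conversation), and the report lists what was revoked, what is pending and what timed out, escalating timed-out lanes after 48 hours. The one-hour involuntary lead, the lane list and the sample employee are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

# Policy values assumed for this example; real values come from HR and security policy.
ESCALATION_AFTER = timedelta(hours=48)  # Step 5: escalate anything still open after 48 hours
INVOLUNTARY_LEAD = timedelta(hours=1)   # assumed: cut access this long before the conversation


def at(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp (helper so callers can pass strings)."""
    return datetime.fromisoformat(iso)


class Status(str, Enum):
    PENDING = "pending"
    DONE = "done"
    TIMED_OUT = "timed_out"


@dataclass
class Task:
    lane: str                # IT, SaaS ops, Facilities, Finance, Manager
    description: str
    owner: str               # every manual step has a named owner (Step 3)
    automated: bool = False  # True when SCIM/SAML performs it at the cut time
    status: Status = Status.PENDING
    completed_at: datetime | None = None


@dataclass
class Offboarding:
    employee: str
    effective: datetime      # HR-supplied effective date and time
    involuntary: bool
    tasks: list[Task] = field(default_factory=list)

    @property
    def cut_time(self) -> datetime:
        """Step 4: voluntary exits cut at end of last working day; involuntary exits cut earlier."""
        return self.effective - INVOLUNTARY_LEAD if self.involuntary else self.effective

    def tick(self, now: datetime) -> None:
        """Fire automated revocations once the cut time has passed; time out open manual tasks
        that are still pending after the escalation window."""
        for task in self.tasks:
            if task.status is not Status.PENDING:
                continue
            if task.automated and now >= self.cut_time:
                task.status, task.completed_at = Status.DONE, self.cut_time
            elif now >= self.cut_time + ESCALATION_AFTER:
                task.status = Status.TIMED_OUT

    def confirm(self, lane: str, description: str, now: datetime) -> None:
        """A lane owner confirms a manual task (late confirmation of a timed-out task is allowed)."""
        for task in self.tasks:
            if task.lane == lane and task.description == description and task.status is not Status.DONE:
                task.status, task.completed_at = Status.DONE, now
                return
        raise KeyError(f"no open task {description!r} in lane {lane!r}")

    def is_complete(self) -> bool:
        """The workflow completes only when every lane has confirmed done."""
        return all(t.status is Status.DONE for t in self.tasks)

    def report(self, now: datetime) -> dict:
        """Step 5: what was revoked, what is pending, what timed out, and which lanes to escalate."""
        self.tick(now)
        buckets: dict[str, list[str]] = {s.value: [] for s in Status}
        for t in self.tasks:
            buckets[t.status.value].append(f"{t.lane}: {t.description}")
        return {
            "employee": self.employee,
            "cut_time": self.cut_time.isoformat(),
            "complete": self.is_complete(),
            "revoked": buckets["done"],
            "pending": buckets["pending"],
            "timed_out": buckets["timed_out"],
            # escalation target per the pattern: the manager's manager
            "escalate_to_managers_manager": sorted({t.lane for t in self.tasks if t.status is Status.TIMED_OUT}),
        }


def example_offboarding(involuntary: bool = False) -> Offboarding:
    """Constructed sample case with one or two tasks per lane from the fan-out list above."""
    return Offboarding(
        employee="jdoe (constructed)",
        effective=at("2024-03-29T17:00"),
        involuntary=involuntary,
        tasks=[
            Task("IT", "disable SSO login", "it-oncall", automated=True),
            Task("SaaS ops", "revoke SaaS licenses", "saas-admin", automated=True),
            Task("IT", "rotate shared VPN key", "it-oncall"),
            Task("Facilities", "recover laptop and badge", "facilities"),
            Task("Finance", "close expense card", "payroll"),
            Task("Manager", "knowledge transfer handoff", "team-lead"),
        ],
    )


if __name__ == "__main__":
    ob = example_offboarding()
    print(ob.report(at("2024-03-31T18:00")))  # 49 h after the cut: Facilities lane escalates
```

The automated tasks are the ones that would sit behind SCIM or SAML in a real deployment; the manual ones are exactly the "track it with an owner and a deadline" items from Step 3. Running the report a second time after a late laptop return shows the loop closing explicitly rather than the task silently disappearing.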

Tips & Best Practices

  • Keep a shared secrets inventory. If they knew the VPN key, rotate it.
  • Communicate with external parties. Customers and partners who had a direct relationship with the person should be proactively informed and re-assigned.
  • Archive their work, don't delete it. Documents, code, tickets — leave the record for continuity.
  • Preserve mailbox and records per retention policy. Legal holds trump deletion.
  • Debrief quarterly. Missed steps are lessons. Fix the process, not the person.
