Offboarding Employees in Lumos

Last updated: October 7, 2024

Background

A (sort of) universal truth: just as people join companies and need access to all these Saas apps, they also leave companies and need to be removed from their Saas apps. 

But, how do you actually accomplish this? How do you even know all the apps that they need to be removed from?

It's all about visibility & automation. And, of course, setting configurations in place so it works for the next 1, 2, 3... 500 offboardings!

This article outlines the key steps of one-click offboarding in Lumos - let's get started!

Pre-Work: Configure Automated Removal Actions

If you connected integrations in Lumos to take advantage of automated removal workflows, you can configure the removal actions ahead of running your first offboarding. 

Navigate to your Integrations page:

1. If you haven't already, connect your integrations by clicking on the card from the list of available integrations.

2. Once connected, click on the integration and navigate to the 'Integration' tab. 

3. Configure the removal actions you want to run during offboardings and click 'Save Changes'.

If empty, this means that Lumos will not run any actions when running an offboarding. (Note: This will set your "global" offboarding settings, but you can always edit these configurations if running an offboarding one-off). 

For certain actions, like Transfer Data, you'll be able to configure a user on the step - this can be a named individual or manager, where applicable. 

Please note that you can also drag to reorder these steps!

Pre-Work: Configure App Admins

With Lumos, we can not only automate removals for certain apps, but we understand that some applications may require manual action from app owners to deprovision users. 

You can configure these as your running an offboarding, but you can also configure app admins ahead of time by navigating to the Apps table, clicking into an app, and naming an app admin by clicking the circle under "App Admins".

Reminder: Apps that are in your AppStore will already have App Admins!

[Optional] Pre-Work: Configure Automated Offboarding Settings

If you visit your Lifecycle Management Settings, you should see an option to configure Automated Offboarding.

You can configure your Offboardings to run immediately upon deactivation. This means that upon detection of status change for a User account (I.e. Active status -> Inactive status), Lumos will trigger an offboarding to run. [This will not be exactly in real time and you may see a delay for up to 1 hour post-detection in Lumos.]

Alternatively , if you have End Date configured in your Source of Truth Settings, you can alternatively configure your Offboardings to run x days after End Date in Lumos at a particular time on the hour. 

The "Apps to Include" setting by default allows two different ways to configure how to determine which accounts/apps to include as part of an Offboarding. You can read more about this here: 📄 Excluding Apps from Offboardings

_______________________________________________

Step 1: Go to the user's page

So you've received the news from HR that an employee is leaving the company.

It's their last day, and at 5pm, you're ready to offboard them.

In Lumos, go to the Users tab, and select the user you want to offboard. 

Step 2: Click "Start Offboarding"

Where is the button?

You'll be shown a modal with all the apps that this user may need to be removed from. You will be able to run this Now or Schedule this at a particular time in the future!

Here's a breakdown of the categories in the modal (please note that this will soon be deprecated!):

  • Auto

    These are apps where we have the ability to automatically remove the user's access via your IdP (e.g. Okta) or directly from one of our direct Lumos integrations. 

  • Manual

    These are apps where we do not have the ability to automatically remove the user's access. While we can surface these for you, it will require a manual step for that app's admin to remove the user's account. If you have an app admin set on these apps, you'll be able to notify them from Lumos! 

  • Ignored

    These are apps that Lumos will ignore as part of the offboarding workflow. By marking an app as ignored, this will move the app into your Ignored tab. 

[Optional] Step 3: Configure your offboarding types!

Note: If you read the Pre-Work section from above, you may have already configured this, but you can set these changes Globally from this modal if you need. Again, don't forget to hit "Save Changes"!

Before you hit "Offboard Now", you will want to make sure that "Offboarding Type" is correct for each app and that the proper offboarding workflows have been set for your "Auto" offboarding apps. 

📣 Go through the apps and set "Offboarding Type" to "Exclude" for ones you don't want to include in offboarding. 

📣 Go through the Auto offboarding apps and set "Offboarding Type" to "Manual" for ones you don't want automatically offboard. You'll be able to notify the app admin after kicking off Offboarding.

Maybe you have a special workflow in place for offboarding a particular app, and you don't want to immediately suspend/deprovision the user. You can make this app "Manual" and offboard them to your own specifications. 

📣 Go through the "Auto" offboarding apps and make sure the workflow is configured (where applicable). 

For some apps, this is as simple as selecting the checkbox(es) that you want to fire (e.g. "Suspend User", "Deprovision User"). For others, like Google Workspace, you'll also have the option to reroute email and transfer data, so you'll have the option to select manager if you have that mapped in Lumos or set the email that you'd like to reroute emails/transfer data to. Don't forget to hit 'Save'!

Step 4: Run the offboarding!

Click on "Start Offboarding" & sit back while apps get offboarded automatically. 

All Manual apps should automatically kick off deprovisioning requests to app admins. 

Once confirmed, you should see the Account Status change to "Manually Removed". This will also show in the Activity Log. 

The user's status should change to Inactive and you'll see statuses for apps change from Active to Suspended or Deprovisioned.

Step 5: Complete Offboarding!

Once you have fully removed your user from your Auto/Manual apps, click "Complete Offboarding" at the top right to formally complete your Offboarding. Note: This will mark the In Progress apps as Manually Removed, so complete this process only when you've completed all the removals. 

🗣 Bonus Pro-tip! 🗣

Do you already have an offboarding workflow in place? Maybe you have some automated workflows that talk to your IdP and revoke access when an employee leaves your company.

Here's what we have to say to that:

Run one click offboarding afterwards from Lumos.

See if there's anything that you missed in your existing workflow. You never know what you might find.  👀

FAQs

Why did one of my Manual account not kick off a removal task?

Please check to see if there's an app admin set on that application. If there isn't, you can update the app to set an app admin. You'll should see a button that says Request Removal for that account. (You can do this from the "Request Removal" button or select multiple accounts and click "Removal Removal" in bulk.)

This will change the Account Status to "Waiting manual removal" and will notify the app admin(s) on the app to confirm that they've removed the user from that app.

If you click the three dots on the account, you may see options to "Cancel Next Step" or "Mark as Done". 

"Cancel Next Step" will cancel the offboarding for that particular account. This is irreversible!

"Mark as Done" will mark the Account Status as Manually Removed. This is the equivalent of confirming the request removal notification above.