Creating An Inactivity Workflow
Last updated: October 8, 2024
Background
If you're ready to set up your first Inactivity Workflow, you're in the right place! Seeπ Inactivity Workflows 101
This article will walk you through the different configuration options for an Inactivity Workflow so that you can create the workflow that best meets your requirements.
Let's jump in! π
Video walkthrough
Our product manager, Sean, walks you through the process of creating an inactivity workflow below!
Finding your app
To create a workflow for an app, search for the app in your Apps page, click on the Inactivity Workflows tab, then click Add a Removal Workflow.
Define the trigger
If the conditions in the Trigger section are met, your workflow will send a notification to the person who needs to make a decision on whether access is still needed.
Excluded Users
You can define groups here (IdP or email provider-based) or individuals for whom the workflow will not run.
If someone is in an excluded group or is added to the list, the workflow will not run for them even if all other trigger conditions are met.
Best practice here is to add groups of people for whom you know removing access would create a problem. For example, removing Salesforce for salespeople, or removing any access for company executives. π
Permissions
If you only want the workflow to target people that have a specific type of license or permission, you can select the permission here.
The options available can come from multiple sources, including:
An app integration
If the app is integrated with Lumos, and that integration supports pulling in roles, licenses, or other entitlements, they'll be available to select. See π What's the difference between an App and an Integration?. Entitlements you see here that are sourced from a Lumos integration (with a Lumos logo) are only sourced from that specific integration connection.
An IdP
Groups from your IdP will be available to select.
All groups in your IdP are available to select here, even those not associated with the workflow app. Make sure you select the right groups!
Manually-imported data
We recommend only using manual (CSV) uploads for inactivity workflows if you're keeping the data updated frequently. Seeπ Adding custom data to your apps
Source
The priority order in which Lumos will look for activity or login data to use for the workflow. In general, Lumos prioritizes data from a direct integration connection over an IdP.
Inactivity Time
This determines the number of days that an account can be "inactive" before the workflow triggers.
The default value is 90 days, but can be changed to whatever works best for you.
If the app has Last Activity orΒ Last Login data, we evaluate the most recent of the two for the workflow unless the app explicitly mentions using different logic in the workflow setup.
So for example, if someone had a Last Login of 90 days ago, but had Last Activity of 45 days ago, and theΒ Inactivity Time was set to 90 days, the workflow would not fire because there was activity under the threshold.
Additionally, if an app is integrated to Lumos but merged with your IdP app, the Last Login value will pull first from the direct integration if that data is available. If the data is not available via the integration, it will be sourced from the IdP (if available). Seeπ Merging Lumos Apps
Accounts with no Last Login or Last Activity values are not in scope for removal by Inactivity Workflows, so accounts without any login/activity will never trigger an inactivity workflow.
Define the review process
Once you've defined when the workflow will trigger, you need to define the process for reviewing that access, including who will be notified and how long to wait for a response before taking action.
Notifications sent to reviewers follow your notification settings.
Notification Flow
This determines who will get notified first when the workflow triggers.
Workflows only require one decision to advance or terminate! If two people are assigned as a Workflow Reviewer, only one needs to make a decision for the workflow.
As a rule, we generally recommend asking the Account Owner first -- they'll know best whether they still need access and this can prevent any emergencies from lost access.
Account Owner & Workflow Reviewer
The employee who owns the inactive account will get the first notification. If they don't respond to the notification within the Ignore Threshold, then it goes to the dedicated reviewers you define in Workflow Reviewer.
The Account Owner can still make a decision after the Workflow Reviewer receives a notification! Today, Workflow Reviewers are not notified when the Account Owner makes a decision, even after receiving a notification.
Workflow Reviewer
The dedicated reviewer(s) that you choose in the Workflow Reviewer section will get the first and only notification and will be asked to take action.
Account Owner
The employee who owns the inactive account will get the first and only notification and will be asked to take action.
None
When the workflow triggers, it goes straight to the Removal workflow you created without review. Use this option only if you're certain that inactive accounts should be removed!
Workflow Reviewer
If your Notification Flow is set to send the decision to a Workflow Reviewer, this is where you configure the reviewers who would make that decision.
You can only select individuals, but you can choose as many individuals as you want.
Ignore Threshold
This represents the number of days that Lumos will wait for a reviewer to respond to a notification before taking the next action.
The next action after the threshold is reached depends on the stage of the workflow and your workflow setup.
If you're waiting on the Account Owner and your Notification Flow is "Account Owner & Workflow Reviewer" - The Workflow Reviewer will get a notification and be asked to take action.
If you're waiting on the last reviewer and Default Behavior is "Remove Account" - The behavior in the Remove section begins.
If you're waiting on the last reviewer and Default Behavior is "End Workflow" - The workflow ends and no removal action is taken.
Default Behavior
If notifications to keep or remove access are ignored by reviewers, you can define what action Lumos should take.
Run Removal Steps
The removal process you've defined in the Remove section begins.
End Workflow
The workflow ends without taking any removal action. No further notifications are sent, and the notifications that were delivered are no longer actionable by reviewers.
Define the removal workflow
If someone states that they no longer need access, or your workflow is set to remove an account when the notifications are ignored, this is where you define how access should be removed.
Workflows can be made up of multiple steps, and the steps run in order.
To add a step, click the "+" button, choose the action, and click on the pencil icon to edit the action.
The options available to choose from here are dependent on the removal capabilities supported by the app. A brief description of some of the most common options is provided below.
Other removal actions become available if the app is integrated with Lumos. What these actions do in the downstream app is specific to each integration. Seeπ How-To: Connect an Integration
Un-Assign from App (Okta Only)
Lumos executes the workflow described here.
Remove User from Group
This removes the Account Owner from an IdP/email provider group. If we see that the Account Owner does not belong to the group, we'll do nothing. Lumos confirms their group membership with the service provider right before removing.
Add User to Group
This adds the Account Owner to an IdP/email provider group. If we see that the Account Owner already belongs to the group, we'll do nothing. Lumos confirms their group membership with the service provider right before adding.
Run Webhook
This runs a Deprovisioning webhook that you've configured, which should call a custom script or function to execute the desired removal or cleanup. Seeπ Deprovisioning Webhooks
Notify Account Owner
This lets the Account Owner know that the removal process is in progress/has finished. You can specify a custom message here letting them know what to expect next, which can be helpful in cases where access is removed without them knowing, or if you want to specify what capabilities they'll no longer have.
Saving and activating your workflow
Once you've configured your workflow, click Save Changes to save the settings.
To save and trigger the workflow immediately for all inactive accounts
Click ... next to Save Changes, then choose the Save & Trigger option to immediately send the workflow to all accounts in scope for your workflow.
This also activates the workflow to run every day moving forward. If you would like to disable the workflow right after you trigger it, read here:π Creating An Inactivity Workflow
Disabling right after you trigger the workflow will not cancel any active reviews in progress!
To activate the workflow for the next daily run, but not trigger immediately
If you want to activate the workflow, but have it run at the next scheduled time, click on the slider next to the workflow name and toggle it to the right. Seeπ Inactivity Workflow FAQs
Deactivating a workflow
If you want to deactivate a workflow, click on the slider next to the workflow name and toggle it to the left.
Deactivating the workflow does not cancel the notifications that have already been delivered! Account Owners or Workflow Reviewers that were sent notifications that have not passed the Ignore Threshold will still be able to act on those notifications.
Editing an existing workflow
You can edit an existing workflow by clicking on the workflow name, editing the settings, then saving it. Seeπ Creating An Inactivity Workflow
If you publish a new version of a workflow, any in-flight reviews where Account Owners or Workflow Reviewers have not made a decision, and the review has not passed the Ignore Threshold, will use the settings from the workflow that was active when it was originally triggered.