Articles on: Policy Management

Creating an offboarding policy

Policies within Patronum are extremely powerful and can be used to create workflows for onboarding and offboarding of users based on specific criteria such as new users, job title or even date.


To create an Offboarding Policy workflow follow these steps:


WORKFLOW


  1. From within the Policy section select the create (+) icon.


  1. Give the policy a name and description. These will be used in any email notifications or approvals.

Create Workflow Policy


  1. Start to define your policy be configuring the workflow Scope. From here you can define which users you want the policy to be applied to.

Policy Conditions

You can base your policy on all Users, by users in Organisation Unit, or by a Google Group. You can also exclude users based on a Google Group. For offboarding we typically see organisations moving their users to a specific Offboarding OU


  1. Further filtering via the Conditions section of your user cohort is possible, such as filtering on Last Sign In, End Date or Suspended

Policy Filters


  1. The last section (Actions) with the Workflow is used to define specific users within the workflow.

Executor - Used when a user is being offboarded. The executor is the account that Patronum will move data to, such as contacts, files or calendar items.

Approval - This user is required to approve the workflow before it is allowed to run. It can also be used to change the executor for each specific offboarding user.

Notify - This user will be notified that the policy has begun.


  1. Once the workflow elements have been completed and you have verified that you are happy, you can go on to define what the policy will do. NB. If a policy is affecting a large number of users additional approval is required before the policy is allowed to run.


PROFILE


  1. Within the PROFILE section you can update user attributes such as Job Title, Manager, Department, Cost Centre and many more Google and Custom defined attributes. Here you can also remove attributes or set and End Date.

Profile Deprovisioning options


Setting the End Date is only performed the once via a policy. You may manually clear the End Date if required.


GROUP


  1. Within the Group section you can automatically REMOVE users as part of your offboarding process. Select the smaller of the blue circles to open the deprovisioning options.


Offboarding Users from Google Groups


CALENDAR


  1. Transfer Google Workspace users Google Calendar to an Executor , Delete Events, and also remove user as an attendee

Offboarding Google Workspace calendars


CONTACTS


  1. Automatically transfer Google Contact Sharing to an Executor or remove ex-employee from users my contacts.

Deprovision Google Contacts


FILES


  1. Transfer ownership of files to an Executor from within the FILES policy or transfer files to a Google Shared Drive.

File deprovisioning options.


Transfer data from user My Drive and Looker Studio.


The options are:-


Destination - This option moves all files owned by the user to a designated User of Google Shared Drive. A path can be selected using the macros such as `{{fname}} {{lname}} Files`. To include an existing folder use the format /folder/folder/


Privacy level - Decide which files you want to transfer.


All Files - Transfers all files from the user

Unshared files only - Transfers only the unshared files of a user. Use this option if you want to transfer all none shared files.

Shared fils only - Transfers those files that have been shared with others.


When transferring data to a Share Drive, Patronum initially transfers data to a Shared Drive Manager user account. This Manager account is then used to move the data to the destination Shared Drive.


Google does not allow for the moving of folders to a Shared Drive, so Patronum automatically recreates the folders structure, and then moves the files. FileId's are remained, new FolderId's will be created.


Exclude transfer of files within a specific folder - This option allows the administrator to ignore a specific folder within the users Google Drive for privacy related concerns.


Notify user after transfer completion - This option is specifically useful when transferring data to a Shared Drive as it allows Patronum to communicate the data transfer process to managers or IT Teams.


Share With - This option shares the moved data with other in the organisation. Maybe you want to transfer data to a Shared Drive and give the manager access to the folder.


Manage File Sharing


Request access change for External files - This option will email the external owners of files that the user has access to informing them of the users departure, and requesting a transfer of access to an executor. For files that the user has Editor access to the executor is automatically given editor access.


Remove external file access - This option will automatically removes all external file access to the leavers files as part of deprovisioning the user.


Remove access to shared files - This option removes the users access to any internal files, folders and Shared Drives.


**File Share Report - **This option will generate a report of external file sharing.



SETTINGS


  1. Patronum supports a wealth of additional offboarding Google Workspace actions, from Vacation Responder, Delegated Access and Security. From within the SETTINGS section you have access to all of these settings.


Patronum Security Offboarding options.


LICENSES


  1. Remove specific licenses or allocate new ones. Patronum allows you to add Google Archive User licenses, or Cloud Identity Free licenses as part of your offboarding process.


ROLES


  1. Within the Roles section you can automatically REMOVE users from Google Admin Role.


BACKUP


  1. If you have integrated our backup solution with Patronum you can automatically initiate a backup as part of your offboarding process to make sure you have a full and complete backup of the users data.

This section can also be used to Archive users email to Cloud Storage.

Backup Policy Configuration


See Connecting Patronum backup to Patronum management platform and Connecting Google Cloud storage to Patronum for information on how to connect these external services to Patronum.


Backup

Backup - SLA - Configure the backup SLA for a specific user.


Backup now - Forces the Patronum Backup solution to backup the account immediately.


Vault export


Export emails from vault - Exports emails stored in Google Vault as an MBOX file and stores the file on a Google Shared Drive. Ideally for compliance and legal needs as the MOBX file contains the full email content, including all headers (routing info, timestamps, and IP addresses). This is crucial for proving when an email was sent and by whom.


Export to Shared drive - This is the name of the Google Shared Drive the MBOX files are stored.


Archive User's Email Config - Configure which Google Storage Bucket to export Gmail/Vault data to.


Archive User Email - Select if you want to archive a users email to the storage bucket when they leave the organisation.


SPACES


  1. Within the Spaces section you can automatically REMOVE users from all Google Chat Spaces as part of offboarding.

Updated on: 09/04/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!