Creating an offboarding policy
Policies within Patronum are extremely powerful and can be used to create workflows for onboarding and offboarding of users based on specific criteria such as new users, job title or even date.
To create an Offboarding Policy workflow follow these steps:
WORKFLOW
From within the Policy section select the create (+) icon.
Give the policy a name and description. These will be used in any email notifications or approvals.
Start to define your policy be configuring the workflow conditions. From here you can define which users you want the policy to be applied to.
You can base your policy on all Users, by users in Organisation Unit, or by a Google Group. You can also exclude users based on a Google Group. For offboarding we typically see organisations moving their users to a specific Offboarding OU
Further filtering of your user cohort is possible, such as filtering on Last Sign In, End Date or Suspended
The last section (Actions) with the Workflow is used to define specific users within the workflow.
Executor - Used when a user is being offboarded. The executor is the account that Patronum will move data to, such as contacts, files or calendar items.
Approval - This user is required to approve the workflow before it is allowed to run. It can also be used to change the executor for each specific offboarding user.
Notify - This user will be notified that the policy has begun.
Once the workflow elements have been completed and you have verified that you are happy, you can go on to define what the policy will do. NB. If a policy is affecting a large number of users additional approval is required before the policy is allowed to run.
PROFILE
Within the PROFILE section you can update user attributes such as Job Title, Manager, Department, Cost Centre and many more Google and Custom defined attributes.
GROUP
Within the Group section you can automatically REMOVE users to specific Google Groups as well as remove them for offboarding. Select the smaller of the yellow circles to open the deprovisioning options.
CALENDAR
Transfer Google Workspace users Google Calendar to an Executor , Delete Events, and also remove user as an attendee
CONTACTS
Automatically transfer Google Contact Sharing to an Executor or remove ex-employee from users my contacts.
FILES
Transfer ownership of files to an Executor from within the FILES policy or transfer files to a Google Shared Drive.
The options are:-
Privacy level - Decide which files you want to transfer.
All Files - Transfers all files from the user
Unshared files only - Transfers only the unshared files of a user. Use this option if you want to transfer all none shared files.
Shared fils only - Transfers those files that have been shared with others.
Transfer all files to Shared Drive - This option moves all files owned by the user to a designated Shared Drive. A path can be selected using the macros such as {{fname}} {{lname}} Files. To include an existing folder use the format /folder/folder/
Transfer ownership of all files to executor - This option changes the ownership of all files to that of the executor user within the policy, and moves the files into the executors My Drive within the defined path.
Request access change for External files - This option will email the external owners of files that the user has access to informing them of the users departure, and requesting a transfer of access to an executor. For files that the user has Editor access to the executor is automatically given editor access.
Remove external file access - This option will automatically removes all external file access to the leavers files as part of deprovisioning the user.
Remove access to shared files - This option removes the users access to any internal files, folders and Shared Drives.
Exclude transfer of files within a specific folder - This option allows the administrator to ignore a specific folder within the users Google Drive for privacy related concerns.
Looker Studio - This option allows for the transferring of Looker Studio data to the executor.
Notification - Allows the administrator to send an email to a specific user once the transfer of file data has been completed.
SETTINGS
Patronum supports a wealth of additional offboarding Google Workspace actions, from Vacation Responder, Delegated Access and Security. From within the SETTINGS section you have access to all of these settings.
To create an Offboarding Policy workflow follow these steps:
WORKFLOW
From within the Policy section select the create (+) icon.
Give the policy a name and description. These will be used in any email notifications or approvals.
Start to define your policy be configuring the workflow conditions. From here you can define which users you want the policy to be applied to.
You can base your policy on all Users, by users in Organisation Unit, or by a Google Group. You can also exclude users based on a Google Group. For offboarding we typically see organisations moving their users to a specific Offboarding OU
Further filtering of your user cohort is possible, such as filtering on Last Sign In, End Date or Suspended
The last section (Actions) with the Workflow is used to define specific users within the workflow.
Executor - Used when a user is being offboarded. The executor is the account that Patronum will move data to, such as contacts, files or calendar items.
Approval - This user is required to approve the workflow before it is allowed to run. It can also be used to change the executor for each specific offboarding user.
Notify - This user will be notified that the policy has begun.
Once the workflow elements have been completed and you have verified that you are happy, you can go on to define what the policy will do. NB. If a policy is affecting a large number of users additional approval is required before the policy is allowed to run.
PROFILE
Within the PROFILE section you can update user attributes such as Job Title, Manager, Department, Cost Centre and many more Google and Custom defined attributes.
GROUP
Within the Group section you can automatically REMOVE users to specific Google Groups as well as remove them for offboarding. Select the smaller of the yellow circles to open the deprovisioning options.
CALENDAR
Transfer Google Workspace users Google Calendar to an Executor , Delete Events, and also remove user as an attendee
CONTACTS
Automatically transfer Google Contact Sharing to an Executor or remove ex-employee from users my contacts.
FILES
Transfer ownership of files to an Executor from within the FILES policy or transfer files to a Google Shared Drive.
The options are:-
Privacy level - Decide which files you want to transfer.
All Files - Transfers all files from the user
Unshared files only - Transfers only the unshared files of a user. Use this option if you want to transfer all none shared files.
Shared fils only - Transfers those files that have been shared with others.
Transfer all files to Shared Drive - This option moves all files owned by the user to a designated Shared Drive. A path can be selected using the macros such as {{fname}} {{lname}} Files. To include an existing folder use the format /folder/folder/
Transfer ownership of all files to executor - This option changes the ownership of all files to that of the executor user within the policy, and moves the files into the executors My Drive within the defined path.
Request access change for External files - This option will email the external owners of files that the user has access to informing them of the users departure, and requesting a transfer of access to an executor. For files that the user has Editor access to the executor is automatically given editor access.
Remove external file access - This option will automatically removes all external file access to the leavers files as part of deprovisioning the user.
Remove access to shared files - This option removes the users access to any internal files, folders and Shared Drives.
Exclude transfer of files within a specific folder - This option allows the administrator to ignore a specific folder within the users Google Drive for privacy related concerns.
Looker Studio - This option allows for the transferring of Looker Studio data to the executor.
Notification - Allows the administrator to send an email to a specific user once the transfer of file data has been completed.
SETTINGS
Patronum supports a wealth of additional offboarding Google Workspace actions, from Vacation Responder, Delegated Access and Security. From within the SETTINGS section you have access to all of these settings.
Updated on: 28/03/2024
Thank you!