Offboarding

AuthUser Expiration

If an AuthUser should have all access removed on a specified day and time (ex. termination or resignation), the expires_at value should be set in the AuthUser model. This value can be automatically updated using an AuthProviderField which maps the field from Okta which inherits data from the HRIS.

A background job checks if the AuthUser expires_at value has been set (not null) and if the value is in the past (ex. 1 minute after), then the background job will loop through all approvable relationships and set the expires_at value with now() so that deprovisioning will start 1 minute later for all of the relationships. The background job interval can be configured to run every minute, however this may be changed to a longer period of time (ex. every 10 minutes, every hour, every 6 hours, or every day) during performance tuning after Access Manager is implemented.

Configure Okta Automation with Auth Provider Fields

To automate deprovisioning, you need to configure the Okta and HRIS integration to have a custom date or string field for each Okta user that has the date value for the last day of access. This field may already exist. In the Okta Manager Access Manager application configuration, you will need to ensure that the profile metadata includes the custom date field that is provided to the Access Manager application.

In Access Manager, you need to create an AuthProviderField with the provider_key set to the name of the custom date column, and the user_column to expires_at. The Okta user profile is updated every time the user signs in, or during the hourly background job sync.

See the AuthUser Expiration documentation to learn more about how the background jobs for deprovisioning work.

Job Role Changes

If the user is changing to a new role and is not leaving the company, see the job role change documentation to see how to deprovision access to job role entitlement SaaS Providers while retaining access to Baseline Entitlements SaaS Providers.