For IT teams, there are many steps to consider when offboarding an employee and decommissioning their Google account. This article unpacks some of the options - and nuances - related to this process. Most importantly, we look at how Trelica’s SaaS management platform automates the whole Google Workspace offboarding process for greater efficiency, reliability and security compliance.

Why effective Google Workspace offboarding is mission critical

Over 9 million(!) organizations use Google Workspace - some in isolation, others in parallel with a primary IdP such as Okta. It gives employees and contractors access to core IT services, including email, calendars and file storage / sharing. What’s more, whether it’s using SAML SSO or OAuth (“Sign in with Google”), Google Workspace also gives employees a single point of access to additional Google and third-party apps they need to work productively.

But what happens when someone leaves? Can you be sure that their access rights are revoked to protect your key systems and data? Can you demonstrate compliance with data protection regulations? And – equally importantly – can you ensure that line managers and other colleagues can continue to access leavers’ data to ensure continuity for projects, sales conversations and more? With Trelica, you can optimize and automate Google Workspace offboarding to achieve all of these benefits and to minimize manual administration and costs.

The benefits of effective Google Workspace offboarding: ‘the three Cs’

While the primary motive for effective and timely offboarding from Google Workspace may be security for many organizations, getting this activity right provides three key benefits – all conveniently beginning with C.

1) Cost savings and license optimization

Offboarding leavers quickly and reliably means that Google Workspace licenses can be reallocated to other team members, or retired from the estate if appropriate, ensuring that resources are used effectively or delivering savings back to the business.

2) Compliance with data security regulations

Companies that can offboard leavers from Google Workspace quickly and reliably, and create a clear audit trail for this activity, are able to mitigate access risks and demonstrate compliance for SOC2 and ISO27001. That means greater peace of mind for the business and streamlined external audits (think less trawling through emails and Slack messages and more showing the auditor a clear top-to-bottom audit log in a single place).

In the words of Oleg Lukechev, VP of IT at ElectroNeek:

“…the SOC 2 auditing process is much faster, easier, and less stressful for everyone involved.”

(you can read the full case study here)

(Screenshot: Trelica Google Workspace Offboarding Workflow Run View)

3) Continuity for key communications and data

The right offboarding strategy and approach ensures that a leaver’s communications and data assets can be retained for an appropriate length of time and passed on to colleagues who can use them to complete projects, further sales conversations or otherwise improve business outcomes.

What Google has to say about Workspace offboarding

In its 7-step quick guide, “Maintain data security after an employee leaves”, Google provides clear and complete instructions on how to offboard users from Workspace. The recommendations span everything from wiping company-owned laptops or mobile devices, changing the user’s password and revoking their password recovery access, to revoking OAuth tokens, security keys and app passwords that may otherwise allow leavers to keep accessing other applications and data via Google Workspace.

The seventh step in Google’s guidelines relates to our third ‘C’: Continuity for key communications and data. The advice is that administrators should “move any of the users’ data that you want to save to another account” before deleting their account altogether. While this step is clearly crucial for preserving continuity and ensuring that any valuable information or contacts are retained, it is also a potentially complex and manual process, requiring significant time and effort from the IT team.

Trelica’s end-to-end offboarding support

At Trelica, we fully understand the need to offboard leavers from Google Workspace quickly, efficiently and reliably – and to ensure that critical resources can be retained by colleagues for as long as necessary to ensure the best business outcomes.

To support teams through the process, we have built a number of workflow actions that cover all of Google’s key offboarding recommendations, bar wiping company-owned laptops or mobile devices, which is usually dealt with using specialist Mobile Device Management (MDM) products (the good news is that we also integrate with MDMs and support ‘device actions’ in our workflows).

Starting the offboarding process

Trelica workflows can be triggered manually, on demand. That might be a good fit for smaller teams where offboarding is typically low volume and you generally get a timely notification from the HR team when someone leaves.

For larger organizations, we make it possible to trigger offboarding workflows automatically, which is our suggested, best-practice approach. This minimizes the chance that offboarding is delayed, or missed entirely, when someone leaves. There are a number of options when it comes to triggering the offboarding workflows.

  1. Employee leaving date - if this is being populated in your IdP, Trelica will read this information. Alternatively, we can sync directly with popular HR platforms (such as BambooHR or HiBob). The offboarding workflow can then be triggered automatically, relative to the employee’s leaving date (even accounting for the local time for the departing employee).
  2. Status in a “lifecycle provider” - where a clear leaving date isn’t available, a fallback is to rely on a user’s status in a nominated system (i.e., a “lifecycle provider”) to determine when an employee has left the organization and, therefore, when offboarding should commence. This approach is best suited to those running a primary IdP in addition to Google Workspace - a common pairing being Okta and Google. It would obviously become circular if Google Workspace was your sole lifecycle provider, as you would be looking for a user's deactivated status in Google Workspace to trigger a workflow that will ultimately deactivate the user's account in Google Workspace!
  3. API Webhook - if the offboarding process starts in another system, you can tie this into your Trelica workflow by using a webhook to automatically trigger workflow runs. Good examples would be triggering from a Jira automation, or to initiate the workflow based on an Okta Event Hook when an account status changes.

Compliance: securing the account

We’ve seen many variations on Google Workspace offboarding workflows, but a common theme, and something we strongly recommend, is to start the process with two actions that group several important steps together. The first is Clear user settings, which covers ‘housekeeping’: removing the leaver from the global address list and all user groups and, optionally, removing all of their aliases as well. Next is the Revoke access action, which signs the user out of their Google account; resets their password to a random string; revokes their OAuth tokens to prevent single sign-on to other apps; and revokes any app-specific passwords.

Together, these actions ensure that leavers can no longer access their business emails, calendars or files, and that they can’t log into any apps or systems that use Google Workspace for authentication.
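The Revoke access sequence above, written against the Google Admin SDK Directory API call shapes (users.signOut, users.update, tokens.*, asps.*) as an added example; this is not Trelica’s code or Google’s own sample. It assumes `directory` is a googleapiclient service built for `admin`/`directory_v1`, or the constructed FakeDirectory included here so the example runs offline.

```python
import secrets
import string

def random_password(length=32):
    # Long random value the leaver never learns; combined with sign-out it cannot be reused.
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def revoke_access(directory, user_key):
    # 1. End every active session (users.signOut).
    directory.users().signOut(userKey=user_key).execute()
    # 2. Reset the password to a random string (users.update).
    directory.users().update(userKey=user_key, body={"password": random_password()}).execute()
    # 3. Revoke OAuth tokens so 'Sign in with Google' to third-party apps stops (tokens.*).
    tokens = directory.tokens().list(userKey=user_key).execute().get("items", [])
    for tok in tokens:
        directory.tokens().delete(userKey=user_key, clientId=tok["clientId"]).execute()
    # 4. Revoke app-specific passwords, which bypass 2-Step Verification (asps.*).
    asps = directory.asps().list(userKey=user_key).execute().get("items", [])
    for asp in asps:
        directory.asps().delete(userKey=user_key, codeId=asp["codeId"]).execute()
    return {"tokens_revoked": len(tokens), "asps_revoked": len(asps)}

# Constructed in-memory stand-in for the Directory service so the example runs offline:
# it records each executed call and keeps a per-resource item list for list/delete.
class FakeDirectory:
    def __init__(self, tokens=(), asps=()):
        self.state = {"tokens": list(tokens), "asps": list(asps)}
        self.log = []  # (resource, method, kwargs) in execution order
    def __getattr__(self, resource):  # directory.users(), directory.tokens(), ...
        return lambda: _Resource(self, resource)

class _Resource:
    def __init__(self, svc, resource):
        self.svc, self.resource = svc, resource
    def __getattr__(self, method):  # .signOut(...), .list(...), .delete(...)
        return lambda **kw: _Request(self.svc, self.resource, method, kw)

class _Request:
    def __init__(self, svc, resource, method, kw):
        self.svc, self.resource, self.method, self.kw = svc, resource, method, kw
    def execute(self):
        self.svc.log.append((self.resource, self.method, self.kw))
        items = self.svc.state.get(self.resource, [])
        if self.method == "list":
            return {"items": list(items)}
        if self.method == "delete":  # remove the matching token/ASP from state
            key = "clientId" if self.resource == "tokens" else "codeId"
            self.svc.state[self.resource] = [i for i in items if i[key] != self.kw[key]]
        return {}
```

Against a real service the same four calls run in the same order; the returned counts give the workflow an audit-log line of what was actually revoked.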

As Rusty Searle, Senior Director of Business Engagement at Elastic, notes:

“you can’t put a price on security compliance and peace of mind, and that’s what Trelica’s automations give us.”

(check out the full Elastic case study here)

Continuity: transferring resources and emails

Every business has unique requirements when it comes to retaining leavers’ valuable contacts, emails, files and other data, which is where our third set of workflow actions comes in.

Email inbox - here, we are specifically focused on the leaver’s existing inbox. This is distinct from managing the forwarding of future emails, which is covered below. There are a few options when it comes to meeting this need, each with corresponding Trelica workflow actions:

  • Assign a Google Workspace Archive License to the account - this assumes you’re paying for archive licenses and means all account data (including emails) is retained
  • Grant Delegated Access to another user (e.g. a line manager) - this can be used to give someone temporary access to a leaver’s inbox, enabling them to review and extract any emails they wish to. However, when used in isolation, this technique means that any emails that are not extracted and saved during the defined period of operation will ultimately be lost.
  • Export the inbox - this produces a mail file that can be placed in a specified drive folder for future reference

Email forwarding - here, we are talking specifically about future emails sent to the leaver. There’s a fair amount of nuance here, but here’s a quick summary of some popular options (with workflow actions to support the first three):

  • Set a forwarding rule on the account - which requires the account to be active and which is therefore a temporary measure
  • Alias the leaver’s address to another user (perhaps their line manager) or a Group - this can get quite confusing over the long-term if you’re using a SaaS management tool to identify user accounts in many apps based on email addresses
  • “Convert” the user into a Group - this allows you to forward emails from the Group, without the need to keep the account active and licensed
  • Set a routing rule - this isn’t supported by the Google API so, unlike the other options above, there’s no workflow action to cover this one and it would require a manual intervention

Files and Calendar Events - this tends to be the more straightforward step. A common approach is to transfer all such ‘resources’ to the employee’s line manager. If there’s no reliable source of line-manager information for Trelica to read (either in Google Workspace or an HR system), you can use a nominated ‘fallback’ account.

Cost saving: removing licenses

This is the least complicated part of the process. As long as resources have been transferred and emails are being forwarded (and/or archived) in a timely way, you can remove the leaver's Google Workspace license right away and reallocate it to someone else.

Conclusion

Effective Google Workspace offboarding is crucial for organizations to maintain security, compliance, and business continuity. Trelica's SaaS management platform offers an efficient and automated solution to streamline this process, providing several key benefits, often referred to as 'the three Cs': cost savings and license optimization, compliance with data security regulations, and continuity for key communications and data.

Finally, Trelica's user-friendly approach to managing Google Workspace offboarding offers a customizable solution for organizations of all sizes. Whether triggered manually or automatically, Trelica's workflows are designed to streamline the process, allowing IT teams to efficiently and reliably offboard employees while minimizing manual administration.

To experience the benefits of Trelica's Google Workspace offboarding automation firsthand, we invite you to start a free trial and explore the possibilities of optimizing your offboarding workflows. Feel free to get in touch with our team if you have any questions or require further assistance in configuring your offboarding process.