Offboarding is integral to every company’s business strategy to ensure secure separation from an employee. One of the main focuses of offboarding is eliminating any vulnerabilities, such as lingering access to critical systems or information, that may arise when an employee leaves the company.
The offboarding packages are packaged individually per software system, so that the customer can select the ones that are relevant to their organization. This allows the customer to build their own offboarding process by sequencing the workflows that best fit their business needs.
Each package will contain the following:
Offboarding packages are intended to be pieced together in the order that is best to achieve the business goal of a successful offboarding. Along with removing access for the departed user from each system, the workflows will track the offboarding process through a support ticket to ensure that all steps are completed successfully.
Please see below for specific information regarding the post-migration steps to get the offboarding workflow to run as expected.
Contents
- Offboarding - Google Workspace Package
- Package contents
- Migrating the package from development to production
- Configuring the package
Offboarding - Google Workspace Package
The Deprovision - Google Workspace package contains a workflow that offboards a Google Workspace user and also tracks the status of the offboarding through a Jira ticket.
Applying the package
To apply the package, complete the following steps:
- Click Configuration > Store.
- Locate the package and click Apply.
- Click Yes to apply the package.
Result:
The package is added to the list in Configuration > Migrations > Packages.
Package contents
The Deprovision - Google Workspace package contains the following items:
Data Model fields
Offboarding Ticket. A field used in the Jira Create Issue block that stores the Jira Ticket ID. The Jira Ticket ID is needed in subsequent workflows to update the Jira ticket with the progress of the offboarding.
Offboarding Sequence. A field used in the Update Sequence block that stores the sequence number. The sequence number will increment by 1 after the [OFFBOARDING] Jira - Create Ticket workflow is run, thereby triggering the next workflow in the sequence.
Credentials
- Google User Load
- Oomnitza API Key
- Jira Ticketing
Global setting
- Oomnitza.Subdomain
- JIRA.Subdomain
Saved search
- Offboarding: Google Users
- Offboarding: Google User Next 30 Days
Workflow
- [Offboarding] Google - Deprovision: The [Offboarding] Google - Deprovision workflow offboards the user and updates the progress of the offboarding in Jira.
Migrating the package from development to production
If you have a development and production instance, you can migrate the package contents to your production instance by following the steps below. However, if you have a stand-alone instance or prefer to test the package in your development environment before deploying it to production, proceed to Configuring the package.
To migrate your package from development to production, complete the steps below.
- Submit a request to Oomnitza Support to enable the migration from the development instance
- Ensure that the development and the production instances are identical
- Create an API key for the migration in your production instance
- Add the production instance and the credential name as global settings in the development instance
- Ensure that the development and production instances have the same version
- Disable configuration changes in the production instance
Refer to Planning the migration for detailed steps.
Performing the migration
To perform the migration from development to production, complete the following steps:
- In the development instance, click Configuration > Migrations > Migrate.
- Click PERFORM MIGRATION.
- As migration type, select Package.
- Select the package.
- Click NEXT and then click MIGRATE.
Tip
If your migration fails due to missing package contents, such as a data model field or saved search, migrate the object as a standalone object and then attempt the migration again.
Configuring the package
Find your package in Configuration > Migrations > Packages and click View in the Migrations page to update the following details:
Credentials
The shell of the credentials that you created on the source instance is migrated. Click View in the migration package and update the following credentials:
Google User Load
Update the credentials that you created for Google in the Authorization tab. For further information, refer to Adding Google OAuth 2.0 credentials.
Ensure that you have the following space-separated list of scopes to run the workflows: https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.user.security https://www.googleapis.com/auth/gmail.settings.sharing
Oomnitza API Key
Update your Oomnitza API key by entering your API token in the Authorization tab. You can obtain your API key in the Configuration > Security > API tokens page. For further information see Creating an API token.
Global Setting
To update your global settings:
- Navigate to Configuration > General > Global Settings
- Select Oomnitza.Subdomain from the list and enter your subdomain as the value.
- Select JIRA.Subdomain from the list and enter your subdomain as the value.
Workflow
To locate your workflow, navigate to Configuration > Workflows and select the [OFFBOARDING] Google - Deprovision workflow from the list.
Review the workflow
Click the pencil icon and review the following workflow blocks:
Begin Google Deprovision Process block
The workflow will run when the following criteria are met:
- The Offboarding sequence is set to 1. This indicates that the Google workflow will be triggered directly after the Jira workflow is run. You can change the order of the workflows according to your preferences. For example, you may wish to prioritize Okta over Google. In that case, you can set the Google workflow to an offboarding sequence of 3, and Okta to 2. Make sure there are no gaps in your sequence, such as 1, 3, 4, 5, as this will mean the workflow will stop after 1.
- The Employee Type is set to Employee
- The Status equals Offboarding
- The Offboarding Ticket is not empty. This field is populated after you run the [OFFBOARDING] Jira - Create Ticket workflow.
Important
If any of these criteria is not met, the workflow will not trigger.
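An added example, not part of the Oomnitza package or its documentation: a small Python model of the trigger criteria above and of the sequence-gap failure mode. It assumes the sequence value is 1 once the Jira workflow has run, that every workflow in the chain ends with an Update Sequence block, and that sequence numbers are distinct; the dictionary keys, the workflow names other than Google and Okta, and the ticket value are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workflow:
    name: str
    sequence: int  # Offboarding Sequence value that triggers this workflow

def unmet_criteria(user: dict, wf: Workflow) -> list[str]:
    """Names of the Begin-block criteria that this user record fails."""
    checks = {
        "Offboarding Sequence": user.get("offboarding_sequence") == wf.sequence,
        "Employee Type": user.get("employee_type") == "Employee",
        "Status": user.get("status") == "Offboarding",
        "Offboarding Ticket": bool(user.get("offboarding_ticket")),
    }
    return [name for name, ok in checks.items() if not ok]

def missing_sequence_numbers(workflows: list[Workflow]) -> list[int]:
    """Gaps in 1..max; any gap strands every workflow numbered above it."""
    used = {wf.sequence for wf in workflows}
    return [n for n in range(1, max(used, default=0) + 1) if n not in used]

def simulate_chain(user: dict, workflows: list[Workflow]):
    """Return (ran, stranded) workflow names for one user record.

    Assumption: distinct sequence numbers, and each workflow ends with an
    Update Sequence block (+1), as the Google workflow does.
    """
    record = dict(user)  # work on a copy, leave the caller's record untouched
    pending = sorted(workflows, key=lambda wf: wf.sequence)
    ran = []
    while pending and not unmet_criteria(record, pending[0]):
        ran.append(pending.pop(0).name)
        record["offboarding_sequence"] += 1
    return ran, [wf.name for wf in pending]

# Constructed sample data: the 1, 3, 4, 5 ordering the text warns about.
GAPPED = [Workflow("Google - Deprovision", 1), Workflow("Okta", 3),
          Workflow("System C", 4), Workflow("System D", 5)]
# State right after the Jira ticket workflow has run (ticket id is a placeholder).
USER = {"offboarding_sequence": 1, "employee_type": "Employee",
        "status": "Offboarding", "offboarding_ticket": "TICKET-PLACEHOLDER"}

if __name__ == "__main__":
    print("missing:", missing_sequence_numbers(GAPPED))
    print("ran, stranded:", simulate_chain(USER, GAPPED))
```

A stranded workflow means the departed user keeps access in that system, so a check like this is worth repeating whenever the ordering is changed.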
JIRA Add Comment to Issue
The JIRA Add Comment to Issue block updates the Jira ticket with the status of the de-provisioning. The Jira ticket is created as part of the [OFFBOARDING] Jira - Create Ticket workflow.
Google workflows
The Google workflows complete the following actions, using the user's email address:
- Google Workspace: Reset Password for User: Resets the user's password
- Google Workspace: Sign Out User: Signs a user out of all web and device sessions and resets their sign-in cookies.
- Google Workspace: Enable email forwarding for user: Enables email forwarding for a user. You need to supply the forwarding email and disposition to use this preset. The disposition is the state that a message is left in after it has been forwarded, for example archive, trash, leaveInInbox. For further information on these values, see Google API documentation: feedbackAutoForwarding.
- Google Workspace: Suspend User: Suspends a user.
- Google Workspace: Delete User: Deletes a user.
Notify block
Edit the Notify block, and supply recipient information in the Recipients tab. That way an individual or group will receive an email in the event of a workflow error.
Update sequence
The Oomnitza update sequence block increments the Offboarding sequence field by 1.
Wait block
The wait block pauses the workflow for a period of 5 days, then 7 days before deleting the user completely.
Result
As soon as the criteria in the Begin Google Deprovision Process block are met, the Google user moves from being logged out of their account, to being permanently deleted. The Jira ticket has been updated with the status of the offboarding. Finally, the sequence has increased by 1 triggering the next workflow.