Deprovisioning app users
Use Trelica to revoke users' access to apps and free up licenses.
Deprovisioning removes a user's access to an app. Depending on the app integration, you can deprovision a user by:
- Suspending the user. The user's account is no longer active so they cannot use the app, but they retain their license.
- Deactivating the user. The user's account is no longer active so they cannot use the app and their license is revoked.
- Deleting the user. The user's account is deleted from the app.
- Disassociating the user from the app via your IdP (such as Okta). This option is only available for apps that are managed by an IdP and which support deprovisioning via that IdP. The effect of disassociating a user via your IdP depends on the app, but will involve either suspending, deactivating or deleting the user account. For more information, refer to the integration guidance for specific apps.
- Deprovisioning the user. Revokes the user's access to the app in one of the above ways and performs other app-specific steps as required. For more information, refer to the specific guidance for the relevant app.
You can use Trelica to deprovision app users manually or via a workflow.
🧙🏾♂️ The deprovisioning options available depend on the app integration. If you have not set up an integration, you can change an app user's status or delete the user manually from the App Users list to reflect the current state of the app.
For apps with a suitable integration, you can deprovision users from the App Users page either individually or in bulk. Trelica then applies these changes to the relevant app automatically. This is useful for making ad hoc changes to app users.
To deprovision an app user with Trelica:
- 2.Open the Users tab. The app users are listed.
- 3.Click the context menu on a user row, or use the checkboxes to select multiple users.Deprovisioning options in the app user context menu.
- 4.The deprovisioning options available for the app are listed. Select the relevant option and add further details as required.
- 5.When you're ready, click the button to confirm that you want to suspend, deactivate or delete the user(s).The "Deactivate user" dialog.
You can configure workflows to deprovision users automatically. For example, you might set up a workflow that automatically deprovisions app users if they have not used an app in the last three months in order to free up the license or reduce costs.
With Trelica, you have the flexibility to configure workflows from scratch and choose from a range of triggers, or use a template to get started with some sensible defaults.
🧙🏿♂️ Workflows will not deprovision protected app users automatically. Instead, a Trelica admin user must confirm that the user should be deprovisioned.
To automate deprovisioning for users of a particular app, the simplest option is to use the "Deprovision application user via integration" template, which uses the "License not in use" workflow trigger.
With this trigger, you can configure different logic according to whether the app user has not used the app recently or has left your organization, or apply the same logic to both use cases. Select the app for which you want to configure deprovisioning and then specify the conditions that will trigger deprovisioning.
Options for the "License not in use" workflow trigger.
Add steps to the "Unengaged" and "Terminated" paths (or the unified path) as required. The deprovisioning steps available will vary depending on the app selected and the integration options that have been enabled for it. For more information, see Adding deprovisioning steps below.
To deprovision individuals from several apps via a single workflow, the simplest option is to create a new workflow from scratch and select the "Person leaves" trigger.
Specify the type of person to which the workflow applies (e.g. employee or contractor). If required, select a team to limit the workflow to members of a particular team.
Options for the "Person leaves" workflow trigger.
Add steps to the workflow to revoke the person's access to apps and notify line managers or IT staff as required. The mechanism used for deprovisioning depends on the app; add one workflow step for each app to which you want to revoke access. For more information, see Adding deprovisioning steps below.
Deprovisioning an app user can be achieved in several ways, depending on the app, the integration options, and whether app users are managed via an identity provider (such as Okta). The following workflow steps may be available:
- Suspend app user
- Deactivate app user
- Delete app user
- Disassociate user from app via [identity provider]
- Deprovision app user - Note that this option will be deprecated in future and should only be used if other deprovisioning options are not available.
🧙♂️ For advice on the best way to configure deprovisioning for your organization, contact Trelica Support & Customer Success.
If the app is specified in the workflow trigger, only supported deprovisioning options are listed in the Add step dialog. Under Integration actions, select the app to filter the list to steps that make use of the app integration.
Adding workflow steps, filtered by the app integration.
If the workflow trigger does not identify the app (for example, when using the "Person leaves" trigger), all deprovisioning options are listed in the Add step dialog. Add a step and then select from the list of apps that support that step. Add a new step for each app that you want to deprovision.
If you're setting up a workflow to deprovision users for multiple apps (such as an offboarding workflow), you may need to add multiple types of step (such as "Deactivate app user" and "Delete app user"), each dealing with a different app.
Offboarding workflow with multiple deprovisioning steps.