title: Leaver Templates - Offboarding Automation
category: Lifecycle Management
tags: leaver, offboarding, termination, automation, templates
priority: Normal
Leaver Templates - Offboarding Automation
Leaver templates automate the deprovisioning workflow that executes when an employee, contractor, or vendor departs the organization. Timely offboarding is one of the most critical security operations in identity management -- every hour an account remains active after departure represents a potential unauthorized access window.
The Cost of Manual Offboarding
Manual offboarding typically leaves accounts active for days or weeks after departure, because each step depends on a ticket reaching the right team and nobody owns the end-to-end result:
| Metric | Manual Process | Automated (Leaver Template) |
|---|---|---|
| Average time to disable account | 3-7 business days | Immediate or same day |
| Group memberships removed | Often incomplete | All memberships removed and logged |
| Email forwarding configured | Frequently forgotten | Automatic |
| Data backup completed | Inconsistent | Policy-enforced |
| Audit trail quality | Sparse, manual notes | Complete, timestamped log |
Creating a Leaver Template
Navigate to Administration > Lifecycle Management (/admin/lifecycle) and select New Template. Choose Leaver as the template type.
Step 1: Template Details
| Field | Description | Example |
|---|---|---|
| Name | Descriptive template name | "Standard Employee Offboarding" |
| Description | Scope and purpose | "Disables account, removes groups, forwards email" |
| Priority | Execution priority | High |
| Enabled | Whether the template is active | Yes |
Step 2: Trigger Configuration
| Trigger Type | Configuration | Best For |
|---|---|---|
| Manual | Administrator initiates from the UI | Immediate terminations |
| HR Feed | Fires when HR import provides a termination date | Planned departures |
| Schedule | Nightly check for accounts past termination date | Batch processing |
HR Feed trigger: When the HR system populates a TerminationDate field and that date is today or in the past, the Leaver template fires automatically.
Scheduled trigger: A nightly job evaluates all identities for termination criteria (e.g., contract end date passed, termination date reached) and processes any matches.
Step 3: Target Criteria
| Criterion | Description | Example |
|---|---|---|
| Employee Type | Which identity types this template covers | Full-time, part-time |
| Department | Specific departments (if department-specific handling) | All |
| Termination Reason | Resignation, termination, retirement, contract end | All |
Step 4: Define Actions
DisableAccount
Immediately disables the Active Directory account to prevent authentication:
| Parameter | Description | Example |
|---|---|---|
| Target Connection | Which AD connection contains the account | "Corporate AD" |
| Disable Method | How the account is disabled | Set the ACCOUNTDISABLE bit (0x2) in userAccountControl |
| Reset Password | Randomize the password upon disable | Yes (recommended) |
| Clear Logon Sessions | Force existing sessions to terminate | Yes |
Tip: Always disable the account as the first action. This ensures new authentication is refused immediately, even if subsequent actions fail. Disabling and resetting the password do not end sessions that are already established: a Kerberos TGT stays valid until it expires (10 hours by default) and an OAuth access token until its lifetime ends, so Clear Logon Sessions here and Revoke OAuth Tokens in RevokeAccess belong in the same template rather than being treated as optional.
RemoveGroups
Removes the identity from all group memberships:
| Parameter | Description | Example |
|---|---|---|
| Removal Scope | Which groups to remove | All groups |
| Exclusion List | Groups to preserve (rare) | None for leavers |
| Log Memberships | Record all removed memberships for audit | Yes |
Important: The removed group list is preserved in the lifecycle event record for audit purposes. This allows you to demonstrate exactly what access was revoked and when. Note that Active Directory will not remove a user from its primary group (Domain Users by default); that membership only disappears when the account is deleted, so a remaining Domain Users entry in the log is expected rather than a failed removal.
RevokeAccess
Removes all application-level and resource access entitlements:
| Parameter | Description | Example |
|---|---|---|
| Scope | What access to revoke | All connected applications |
| Include Delegations | Remove delegated permissions | Yes |
| Revoke OAuth Tokens | Invalidate active OAuth/SSO sessions | Yes |
ForwardEmail
Configures email forwarding to ensure business continuity:
| Parameter | Description | Example |
|---|---|---|
| Forward To | Recipient of forwarded email | Manager, specified delegate |
| Duration | How long forwarding remains active | 30 days, 60 days, 90 days |
| Auto-Reply | Set an out-of-office message | "This employee is no longer with the organization" |
| Expiration Action | What happens when forwarding expires | Disable forwarding, disable mailbox |
BackupData
Archives the departing employee's data before account removal:
| Parameter | Description | Example |
|---|---|---|
| Backup Scope | What data to archive | Mailbox, home directory, profile |
| Destination | Where to store the backup | Network share, archive storage |
| Retention Period | How long to keep the backup | 1 year, 7 years (regulatory) |
| Notify | Who to inform when backup completes | Manager, HR, Legal |
MoveOU
Moves the disabled account to a designated OU for departed employees:
| Parameter | Description | Example |
|---|---|---|
| Target OU | Destination for disabled accounts | OU=Disabled,OU=Users,DC=corp,DC=local |
| Rename Account | Prefix or suffix the display name / CN (leave sAMAccountName and UPN unchanged so existing logs still correlate with the HR record) | Prefix with "DISABLED_" |
SendEmail
Notifies relevant parties that offboarding is complete:
| Parameter | Description | Example |
|---|---|---|
| Email Template | Notification template | "Offboarding Complete" |
| Recipients | Who to notify | Manager, HR, IT helpdesk, security |
| Include Summary | Attach a summary of actions taken | Yes |
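The following is an added example, not IdentityCenter code and not the product's AD connector, showing how the DisableAccount, RemoveGroups and MoveOU actions map onto the ActiveDirectory PowerShell module in the disable-first order the tip above calls for. It assumes a domain-joined host with RSAT installed, an operator with rights to disable, reset and move the account, the OU=Disabled,OU=Users,DC=corp,DC=local container from the MoveOU table, and an audit directory at C:\Audit (the audit path and the script name in the usage note are assumptions). The same sequence, with every action enabled, is what an Emergency Offboard runs.

```powershell
# Added example (not IdentityCenter code): disable-first offboarding of one AD account.
# Assumes RSAT / ActiveDirectory module, rights on the account, and the OU below.
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$DisabledOU = 'OU=Disabled,OU=Users,DC=corp,DC=local',
    [string]$AuditLog   = "C:\Audit\offboard-$SamAccountName.json"   # assumed path
)

$audit = [ordered]@{
    Account    = $SamAccountName
    Operator   = "$env:USERDOMAIN\$env:USERNAME"
    StartedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Steps      = @()
}
function Add-Step([string]$Name, [string]$Status, [string]$Detail = '') {
    $script:audit.Steps += [ordered]@{
        Step = $Name; Status = $Status; Detail = $Detail
        AtUtc = (Get-Date).ToUniversalTime().ToString('o')
    }
}

$user = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID

# 1. DisableAccount. Deliberately not wrapped in try/catch: if the disable fails,
#    stop here instead of running cleanup against a still-active account.
Disable-ADAccount -Identity $user
Add-Step 'DisableAccount' 'ok' 'ACCOUNTDISABLE bit set in userAccountControl'

# Reset password to 32 CSPRNG bytes (base64, 44 chars); never logged or displayed.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPw = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPw
Add-Step 'ResetPassword' 'ok' 'randomized'

# Clear Logon Sessions: nothing in AD itself revokes tickets already issued; a TGT
# lives until it expires (10h default). Cloud sessions need the RevokeAccess step.
Add-Step 'ClearSessions' 'info' 'existing Kerberos tickets expire on their own; revoke cloud tokens separately'

# 2. RemoveGroups: record every membership first so the audit shows exactly what was
#    revoked, then remove one group at a time so one failure does not abort the rest.
$groups  = @(Get-ADPrincipalGroupMembership -Identity $user)
$removed = @()
foreach ($g in $groups) {
    # The primary group (RID in primaryGroupID, Domain Users = 513) cannot be removed
    # from a user; it goes away only when the object is deleted.
    if ($g.SID.Value.EndsWith("-$($user.primaryGroupID)")) {
        Add-Step 'RemoveGroups' 'skipped' "primary group $($g.Name) stays until deletion"
        continue
    }
    try {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
        $removed += $g.DistinguishedName
    } catch {
        Add-Step 'RemoveGroups' 'failed' "$($g.Name): $($_.Exception.Message)"
    }
}
$audit['RemovedGroups'] = $removed
Add-Step 'RemoveGroups' 'ok' "$($removed.Count) of $($groups.Count) memberships removed"

# 3. MoveOU: tag the object, rename the CN only (logon name unchanged so logs still
#    match the HR record), then move it. Re-read the DN after the rename changes it.
try {
    Set-ADUser -Identity $SamAccountName -Description "Offboarded $(Get-Date -Format yyyy-MM-dd) by $($audit.Operator)"
    Rename-ADObject -Identity $user.DistinguishedName -NewName "DISABLED_$($user.Name)"
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    Move-ADObject -Identity $dn -TargetPath $DisabledOU
    Add-Step 'MoveOU' 'ok' $DisabledOU
} catch {
    Add-Step 'MoveOU' 'failed' $_.Exception.Message
}

# Audit record is written whatever happened after step 1.
$audit['FinishedUtc'] = (Get-Date).ToUniversalTime().ToString('o')
$audit | ConvertTo-Json -Depth 4 | Set-Content -Path $AuditLog -Encoding UTF8
```

Run it as `.\Invoke-Offboard.ps1 -SamAccountName jdoe` (the file name is an assumption). Only the disable step is allowed to abort the run; everything after it is recorded as ok, skipped or failed in the JSON audit record, which is what lets you show what was revoked even when a later step broke. For an account synced to Entra ID, the RevokeAccess step's token revocation corresponds to `Revoke-MgUserSignInSession -UserId <id>` from the Microsoft.Graph module, which invalidates the user's refresh tokens.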
Offboarding Timing
Immediate Offboarding
All actions execute as soon as the template is triggered. Used for:
- Involuntary terminations
- Security incidents
- Emergency departures
Configuration: Set the template trigger to Manual and execute it immediately when HR or management initiates the departure.
Scheduled Offboarding
Actions execute on a specific future date (typically the employee's last day). Used for:
- Planned resignations
- Retirements
- Contract expirations
Configuration: The HR Feed provides a TerminationDate. IdentityCenter creates a pending lifecycle event that executes on that date.
| Phase | Timing | Actions |
|---|---|---|
| Pre-departure | 7 days before | Notify manager, begin data backup |
| Last day | End of business | Disable account, remove groups |
| Post-departure | Next morning | Configure email forwarding, move OU |
| Cleanup | 30/60/90 days later | Remove forwarding, archive account |
Grace Period Configuration
Some organizations require a grace period before full deprovisioning:
| Setting | Description | Example |
|---|---|---|
| Grace Period Duration | Days between disable and full removal | 30 days |
| Grace Period Actions | What happens during grace period | Account disabled, groups removed, email forwarded |
| Post-Grace Actions | What happens after grace period | Delete account, remove forwarding |
| Grace Period Override | Allow admin to skip grace period | Yes (for emergency) |
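As an added example (not IdentityCenter's scheduler), here is the evaluation a nightly Schedule trigger performs against an HR export, combining the phase timeline above with a grace period: each record's termination date is turned into phase dates, and a phase is due once its date has arrived and it has not already run. The field names (EmployeeID, EmployeeType, TerminationDate, DonePhases), the ISO date format and the sample rows are constructed for the example.

```powershell
# Added example (not IdentityCenter code): which Leaver phases are due for each HR
# record on a given night. Field names and phase offsets are assumptions based on
# the phase and grace-period tables above.

function Get-LeaverPhases {
    param(
        [Parameter(Mandatory)][datetime]$TerminationDate,
        [int]$PreDepartureDays = 7,    # notify manager, begin backup
        [int]$GracePeriodDays  = 30    # remove forwarding, archive account
    )
    $last = $TerminationDate.Date
    [ordered]@{
        PreDeparture  = $last.AddDays(-$PreDepartureDays)
        LastDay       = $last                            # DisableAccount, RemoveGroups
        PostDeparture = $last.AddDays(1)                 # ForwardEmail, MoveOU
        Cleanup       = $last.AddDays($GracePeriodDays)  # post-grace actions
    }
}

function Get-DueLeaverPhases {
    param(
        [Parameter(Mandatory)][object[]]$HrRecords,
        [datetime]$AsOf = (Get-Date),
        [string[]]$EmployeeTypes = @('Full-Time', 'Part-Time'),   # Step 3 criteria
        [int]$GracePeriodDays = 30
    )
    $today = $AsOf.Date
    foreach ($r in $HrRecords) {
        # No termination date: still employed, nothing to evaluate.
        if ([string]::IsNullOrWhiteSpace($r.TerminationDate)) { continue }
        # Outside the template's target criteria: another template owns this record.
        if ($r.EmployeeType -notin $EmployeeTypes) { continue }

        $term   = [datetime]::ParseExact($r.TerminationDate, 'yyyy-MM-dd',
                                         [cultureinfo]::InvariantCulture)
        $phases = Get-LeaverPhases -TerminationDate $term -GracePeriodDays $GracePeriodDays
        $done   = @($r.DonePhases -split ';' | Where-Object { $_ })

        # Due = date has arrived (<=, not ==, so a missed nightly run is caught up on
        # the next one) and the phase is not already recorded as executed.
        $due = @($phases.GetEnumerator() |
                 Where-Object { $_.Value -le $today -and $_.Key -notin $done } |
                 ForEach-Object { $_.Key })

        if ($due.Count -gt 0) {
            [pscustomobject]@{
                EmployeeID      = $r.EmployeeID
                TerminationDate = $term.ToString('yyyy-MM-dd')
                DuePhases       = $due -join ','
            }
        }
    }
}

# Constructed sample HR export, evaluated as of a fixed date so the result is stable.
$asOf = [datetime]'2024-03-15'
$hr = @(
    [pscustomobject]@{ EmployeeID = 'E1001'; EmployeeType = 'Full-Time';  TerminationDate = '2024-03-15'; DonePhases = 'PreDeparture' }
    [pscustomobject]@{ EmployeeID = 'E1002'; EmployeeType = 'Part-Time';  TerminationDate = '2024-03-10'; DonePhases = '' }   # nightly job missed several runs
    [pscustomobject]@{ EmployeeID = 'E1003'; EmployeeType = 'Contractor'; TerminationDate = '2024-03-01'; DonePhases = '' }   # not covered by this template
    [pscustomobject]@{ EmployeeID = 'E1004'; EmployeeType = 'Full-Time';  TerminationDate = '2024-02-14'; DonePhases = 'PreDeparture;LastDay;PostDeparture' }  # grace ends today
    [pscustomobject]@{ EmployeeID = 'E1005'; EmployeeType = 'Full-Time';  TerminationDate = '';           DonePhases = '' }   # still employed
)
Get-DueLeaverPhases -HrRecords $hr -AsOf $asOf | Format-Table -AutoSize
```

With the sample rows, E1001 gets LastDay, E1002 gets PreDeparture, LastDay and PostDeparture together because the earlier nights were missed, E1004 gets Cleanup because its 30-day grace period ends on the evaluation date, and E1003 and E1005 produce nothing. When several phases come due at once they must still execute in timeline order, with DisableAccount before anything else, and each executed phase has to be written back to the record (DonePhases here, the lifecycle event in the product) or the next night will run it again.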
Emergency Termination
For situations requiring immediate and complete access revocation:
- Navigate to the identity in IdentityCenter
- Select Emergency Offboard from the actions menu
- Confirm the action
The emergency offboard process:
- Immediately disables the account and randomizes the password
- Removes all group memberships
- Revokes all application access and OAuth tokens
- Forces termination of active sessions
- Sends emergency notification to security team and management
- Logs the event with the administrator who initiated it
Tip: Configure a dedicated "Emergency Termination" Leaver template with the highest priority and all security-critical actions enabled.
Example: Standard Leaver Template
Template: Standard Employee Offboarding
Trigger: HR Feed (termination date reached)
Criteria: EmployeeType = "Full-Time" or "Part-Time"
Actions:
1. DisableAccount
- Reset password: Yes
- Clear sessions: Yes
2. RemoveGroups
- Scope: All groups
- Log memberships: Yes
3. RevokeAccess
- Scope: All connected applications
- Revoke OAuth tokens: Yes
4. ForwardEmail
- Forward to: Manager
- Duration: 30 days
- Auto-reply: Enabled
5. BackupData
- Scope: Mailbox, home directory
- Retention: 1 year
- Notify: Manager, HR
6. MoveOU
- Target: OU=Disabled,OU=Users,DC=corp,DC=local
7. SendEmail
- Template: "Offboarding Complete"
- To: Manager, HR, IT Helpdesk
- Include summary: Yes
Integration with HR Systems
Leaver templates are most effective when driven by HR data:
- HR system records a termination date for the employee
- HR Import brings the termination date into IdentityCenter (see CSV Import or REST API Import)
- Lifecycle engine evaluates the date against Leaver template criteria
- Template executes on the termination date, performing all configured actions
- Audit record is created for compliance reporting
Best Practices
- Disable first, clean up second -- always make DisableAccount the first action
- Randomize the password upon disable to prevent reactivation with known credentials
- Log all removed group memberships for audit and potential rollback
- Configure email forwarding to maintain business continuity
- Back up data before removal -- some data cannot be recovered after account deletion
- Use grace periods for planned departures to allow for data transfer
- Test emergency offboarding periodically to ensure it works under pressure
- Never delete accounts immediately -- disable and archive first, then delete after retention period
Next Steps
- Lifecycle Events -- Monitor offboarding execution and audit trail
- Joiner Templates -- Onboarding automation
- Mover Templates -- Transfer automation
- HR Integration Overview -- Connect HR for termination date triggers
- Policies Overview -- Define retention and offboarding policies