
“Please come into my office,” the boss said. “Sit down. I have some bad news…”

Getting fired is rough. So is getting laid off. RiFfed. Downscaled. Downsized…

Giving someone the news is also rough–but not as rough as getting it. The people reading this blog are more likely to be givers of that kind of news than getters. And, in particular, are likely to be responsible for the digital side of the process.

Seems like it should be easy. Your employee is no longer a part of your organization, and whoever is the unexpected admin just needs to go to the admin console and delete their account, which controls their corporate identity and access. You know, Google, GitHub, AWS, Intercom, HubSpot, Figma, Zoom, Slack, Datadog, PagerDuty, Notion, Zendesk, and on, and on.

Now, all you have to do is press one button… I mean, go app by app and press one button… I mean, go app by app, and in each app follow the process you created just for this time… Just as soon as you find out who the heck is the admin for half of those.

Once you figure that out, just go to the app, like Google Workspace, and click one button to delete the account… I mean, press a few buttons to first route all new emails going to that email address to someone else like the manager, and then another button (or two or three) to transfer ownership of the Google Drive files to the poor soul who might be running low on storage. Oh, and don’t forget – if things were bad, you need a few more buttons to keep the emails aside for a while.

GitHub is easy, too: Remove the user from the organization (which will automatically remove them from all teams and revoke access to private repositories). Update and secure any access tokens, deploy keys or secrets the user had access to, and monitor for unauthorized activities.

Now, as for Slack, Zoom, Notion – What? Ok, okay! It’s a blog, not a book. Sheesh.

By the way, if you gave someone access to email, you should know it may be considered personal information, and the employee can demand proof of deletion in some, well, many cases.

You’re here to save time, not to be scared into thinking all your problems exist because you didn’t buy some vendor’s software. We have a business to run! So, bottom line: there are a metric ton of regulations – GDPR, SOC2, ISO27001, CCPA, LGPD, PDPB, SLSA. It might seem like too much, but at the end of the day, we both care about privacy.

TL;DR? Here’s a 63-second clip of what happened to a CEO who delegated too much: A weird administrator of the dungeon.

Ok, back on topic: Sad day. You need to let someone go, and you want the digital process to be as smooth as the human process. Just make sure you log everything in one place, keep it up to date, don’t overshare it as it might be sensitive data, but also don’t be the bottleneck, and adjust it for every SaaS app you use. Here’s a checklist – GOOD LUCK!

  1. User Verification and Logging
    1. Log the termination type (voluntary or involuntary).
  2. Account and Token Management
    1. Reset the user’s password to a randomly generated password.
    2. Remove all app-specific account passwords, delete MFA recovery codes, and delete all security keys and OAuth tokens. Generate a new set of MFA recovery codes for the user.
    3. Remove all email delegations.
  3. Email and Directory Settings
    1. Remove all forwarding addresses, disable IMAP, disable POP, and hide the user from the directory.
  4. Group Management
    1. Remove the user from all groups they belong to.
  5. Data Transfer and Retention – If suspend is selected.
    1. Transfer Google Drive and Documents ownership to the employee’s manager.
    2. (Business and higher editions) Use Google Vault to set a retention policy or hold on the user’s data (emails, chats, Drive files) for compliance, legal, or other purposes.
  6. Account Suspension and Organization Management
    1. Suspend or Delete the user’s account. If the termination type is involuntary, grant email delegation access to the employee’s manager and move the user to the ‘Involuntary Terminations’ OU. If the termination type is voluntary, move the user to the ‘Voluntary Terminations’ OU.
  7. Device Management
    1. (If using an MDM) Wipe device profiles and remove Google accounts from all mobile devices associated with the user using an MDM solution.
  8. Third-Party Integrations
    1. Deprovision the user in any third-party app (Slack, GitHub, Zoom, etc.).
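
Once the buttons are pressed, it helps to check that nothing was skipped. The following is an added example, not YeshID's code: it audits a snapshot of one suspended account against the checklist above, including the voluntary/involuntary branch in step 6. The snapshot keys, the sample data and the function name are assumptions; fill the snapshot from whatever your admin console exports.

```python
# Added example: audit one account snapshot against the offboarding checklist.
# Snapshot keys are hypothetical; fill them from your own admin console exports.
EXPECTED_OU = {"involuntary": "Involuntary Terminations",
               "voluntary": "Voluntary Terminations"}

def audit_offboarding(user, termination_type, manager):
    """Return checklist items still outstanding for a suspended account."""
    if termination_type not in EXPECTED_OU:
        raise ValueError("log the termination type as voluntary or involuntary")
    findings = []

    def check(ok, item):
        if not ok:
            findings.append(item)

    for kind in ("app_passwords", "security_keys", "oauth_tokens"):
        check(not user[kind], f"2.2 {kind} remain")
    # Step 2.3 clears delegations; step 6.1 re-grants only the manager,
    # and only for involuntary terminations.
    allowed = {manager} if termination_type == "involuntary" else set()
    extra = sorted(set(user["delegates"]) - allowed)
    check(not extra, f"2.3 unexpected delegates: {', '.join(extra)}")
    if termination_type == "involuntary":
        check(manager in user["delegates"], "6.1 manager lacks delegation")
    check(not user["forwarding"], "3.1 forwarding addresses remain")
    check(not (user["imap"] or user["pop"]), "3.1 IMAP or POP still enabled")
    check(user["hidden_from_directory"], "3.1 still listed in directory")
    check(not user["groups"], "4.1 still a member of groups")
    check(user["owned_drive_files"] == 0, "5.1 Drive files not transferred")
    check(user["suspended"], "6.1 account not suspended")
    check(user["ou"] == EXPECTED_OU[termination_type], "6.1 wrong OU")
    return findings

# Constructed sample: a half-finished involuntary offboarding.
SAMPLE = {
    "app_passwords": [], "security_keys": [], "oauth_tokens": ["figma"],
    "delegates": ["peer@example.com"], "forwarding": ["me@personal.example"],
    "imap": False, "pop": False, "hidden_from_directory": True,
    "groups": [], "owned_drive_files": 0, "suspended": True,
    "ou": "Voluntary Terminations",
}

if __name__ == "__main__":
    for item in audit_offboarding(SAMPLE, "involuntary", "boss@example.com"):
        print("OUTSTANDING:", item)
```

An empty list means the account matches the checklist for that termination type; anything else is a line item for the offboarding log.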

If you don’t have all that centralized, documented, (automated?🤫) and up-to-date – you are not alone. Let me tell you a secret: we didn’t have that either… Ok, ok, we’re still working on it! It’s all a spreadsheet now, and it’s probably already outdated (welcome, Harjeet!) This is why we decided to make this easy too. Coming soon!

Want to save time onboarding employees, increase security, and save money? Try YeshID’s dead simple IAM! Subscribe or contact Dana or Alex.