Overview

Offboarding employees from applications is a critical task for IT administrators to ensure security and efficiency. Torii's offboarding feature allows the IT to:

• Easily understand who needs to be offboarded
• Initiate the offboarding automatically
• Automatically remove access from variety of apps and create offboarding tasks for the rest
• Audit the offboarding process

Let’s deep dive into how Torii offboarding works and how to leverage it to the maximum.

Prerequisites

In order for Torii offboarding to work accurately, you will need to:

1. Define user lifecycle source of truth (SOT)
2. Configure application offboarding methods in the Offboarding settings
3. Configure offboarding workflow

User Lifecycle Source of Truth and Offboarding

User lifecycle source of truth definition affects when a user in Torii is marked as a candidate for offboarding and is added to the Offboarding To-fo list on the Offboarding page.

Application Offboarding Configuration in Offboarding Settings

Torii offboarding will only work once you define application offboarding methods in Offboarding settings.

You need to go over all discovered apps and configure each app with a dedicated offboarding method.

The application offboarding method dictates the action taken on an app user when the offboarding process is initiated.

Note that for integrated apps, you need to define distinct offboarding methods for each connected account and for any "unmanaged" accounts. The "unmanaged" account includes users not detected through integration, such as those solely sourced from browser extension or SSO.

Available Offboarding Methods

Torii support 3 offboarding methods.

The methods can be configured per each app in the Configure pop-up window.

Let's look at them.

1. Automatic offboarding

• For integrated app accounts only - You can select any action out of the automatic actions supported by Torii for the configured app. E.g. for connected Atlassian account select to Delete Attlassian user or Deactivate Atlassian user.
• For all apps - in the absence of the available automatic action, you can select to use Torii custom action.
• For all apps - You can open tickets in Asana, Freshservice, Monday, ServiceNow or Zendesk.

The user will be marked as offboarded from the app in Torii the moment the configured automatic action was executed successfully. Note that Torii platform offers complete flexibility, allowing you to choose the offboarding actions that suit your specific needs. Hence, if a user is marked as "offboarded" from an application in Torii, it doesn't automatically imply that their access to that app has been terminated.

2. Delegate offboarding

This method is recommended for managed apps that are not integrated or aren’t supported by Torii automation.

• Send remove user request - This action triggers an email or Slack from Torii, requesting confirmation that the user is no longer associated with the app account. The recipient will be prompted to mark the request as Done. Once marked complete, Torii automatically updates the user's status as removed from the app.

Note that Torii cannot definitively confirm if the user has been removed; it relies entirely on the status reported by the task owner.

• Create Jira cloud issue - This action opens a Jira issue within the linked Jira account. Users will be prompted to specify the status for completed issues during the action's configuration. Torii will consistently monitor the open issue status and mark the user as offboarded from the app within Torii the moment the issue status changes as per the defined parameters. Read more about it here

We also support opening tickets in Asana, Freshservice, Monday, ServiceNow and Zendesk, although unlike in Jira, Torii does not actively monitor these tickets. Consequently, if any of these actions are defined as an app offboarding method in Torii, the user will be marked as offboarded from the app as soon as the ticket is opened.

3. Ignore offboarding

This method is recommended for apps that are taken care of outside Torii (e.g. via an identity provider like Okta or Jumpcloud) or unmanaged apps.

If an app is defined with the “Ignore” method, no action will be triggered when the offboarding is initiated, and the user will only be removed from the app’s current user list in Torii.

Offboarding Execution

Employee offboarding in Torii can be initiated:

1. Manually by clicking on the Start Offboarding button in the To-do list or User page.

2. Automatically by adding Torii action “Start offboarding” to a workflow.

Note that you can add more actions to your workflow, to make it optimized for your organizational process. See example here.

Once the offboarding initiates, corresponding offboarding actions are activated across all user apps based on the apps' configurations in the settings. The user transitions from the To-do page to the In-progress page, and their user page reflects the offboarding audit log, detailing progress for all apps from which the user is being offboarded.

The status of app offboarding in the log will automatically show as complete under the following circumstances:

1. For automatic offboardings: This occurs once the automatic action is successfully executed.
2. For delegated offboarding: It happens upon marking the task as "Done" or when the Jira ticket status changes to "Complete."
3. For ignored apps: This happens instantly when the user is removed from the app in Torii.

Once all apps are marked as complete, the entire offboarding process concludes automatically. The user transitions from the In-progress page to the Done page and will display the Offboarding badge when appearing on other pages within Torii.

You can audit employee’s offboarding from their user page, or via Actions audit log.

Note that offboarding actions execute for all apps the user has ever used, regardless of the user's current status in these apps. This means that the offboarding process will proceed even if a user is no longer active or listed in the app.

Offboarding Task Reminders

Torii provides the option to send reminders for offboarding tasks when the assigned task owners forget to complete these (i.e., do not mark their tasks as "Done"). These reminders are delivered via email or Slack based on a customizable schedule set in the Offboarding settings.

In situations where the same owner is assigned multiple tasks, a consolidated email or Slack message containing a link to the offboarding tasks web page will be sent to that specific owner.

Sample Slack message:

Sample offboarding tasks page:

Torii admins can monitor the status of delegated tasks on the Pending tasks page. Read more about it here.

Offboarding Best Practices

• Begin by configuring offboarding methods for the apps managed in Torii. If certain apps are managed outside of Torii, such as through Okta, only configure offboarding for the apps you want to manage within Torii.
• For all integrated apps, select automatic offboarding method, to cut user access automatically.
• For non-integrated managed apps, use the “Delegate” method, ideally by generating Jira tickets or sending requests via Slack.
• Remember to set up an offboarding method for every new app that becomes sanctioned in your organization.
• Once all managed apps are configured, enable the “Ignore non-configured apps during offboarding” option to prevent offboarding processes from being delayed due to missing configurations for unmanaged apps.
• Set up reminders for offboarding tasks in the Offboarding settings to ensure no delegated offboarding tasks are missed.
• Regularly check the Offboarding page to review the Pending tasks tab and monitor In-Progress offboarding processes. If certain tasks are delayed due to unresponsive task owners, follow up with them directly to ensure timely completion.
• Add the “Send approval request” action at the start of your offboarding workflow, before any offboarding actions. Configure it to send a Slack message to the IT manager, notifying them of the offboarding and asking for approval. This ensures that offboardings are triggered automatically while still allowing for a final review to prevent mistakes.
• Divide your offboarding workflow into multiple parts—one for actions that need to be completed immediately and another for actions that can be delayed. Add “Wait” action between them.
• Leverage theApp event workflow trigger to automate urgent offboardings.
• Use the User meets criteria workflow trigger with scheduling configuration to automate planned offboardings.