Offboarding via…
- Slack
- Admin Interface
- HRIS Integration
Open the AccessOwl home tab and click the button “Offboard User”
Scheduled Offboarding
Scheduled offboarding ensures access is revoked on the user’s last day. You can set a future date and time when triggering offboarding through any of the methods above. Plans can change, so scheduled offboardings are flexible. Stakeholders (excluding the offboardee) receive notifications, and if a central notification channel is defined, it includes a link to reschedule.In case the scheduled offboarding was manually triggered, the requestor also receives a notification. If no central notification channel is defined, the notification includes a link to reschedule the offboarding. Otherwise, the requestor’s notification does not contain a rescheduling link.
Employee Leave
When an employee goes on extended leave, their account in Google Workspace or Microsoft 365 is typically suspended by your IT admin. AccessOwl syncs user statuses directly from these directory services, so the status change is handled automatically. When an account is suspended: When a user is suspended, AccessOwl detects the change on the next sync, sets the user’s status to Inactive, and deactivates the user in AccessOwl. Assigned applications are not removed by default, so the user’s profile will still show access to the applications currently listed. If needed, you can remove application assigned to the user When the employee returns from leave: Once the account is reactivated in Google Workspace or Microsoft 365, AccessOwl detects the change on the next sync. The user will still appear as deactivated in AccessOwl, but their Google Workspace or Microsoft 365 access will automatically show as active again. To fully restore the user in AccessOwl, open the user’s profile and click Reactivate. All other application access tracked in AccessOwl remains unchanged from before the leave.AccessOwl syncs with your directory approximately every 3 hours. After re-enabling an account, the status update in AccessOwl may take up to one sync cycle to reflect.
Terminated Users with Access
After offboarding completes, some users may still have remaining access to applications - for example, apps that require manual removal or apps where deprovisioning was not yet configured. You can find these users in the Terminated Users with Access tab. Go to Users and select the Terminated Users with Access tab. From this tab you can remove remaining access in bulk:Open the Terminated Users with Access tab
Go to Users and click the Terminated Users with Access tab.
FAQ
What if my HRIS has multiple end dates?
What if my HRIS has multiple end dates?
AccessOwl uses a single termination date from your HRIS to trigger offboarding. If your HRIS has multiple date fields (for example, a “last working day” and a “contract end date”), AccessOwl reads one of them. You can check which date field is being used in your HRIS integration settings.It is not possible to use different dates for different applications today.
What happens if a user is reactivated in Google Workspace after being offboarded?
What happens if a user is reactivated in Google Workspace after being offboarded?
If someone reactivates a user directly in Google Workspace (for example, to access their files or emails), AccessOwl detects the active account during the next directory sync and shows the user as active again. This is expected behavior.To track these events, go to the Reports tab in the admin interface. You can filter by user to see the full history of status changes, including when they were offboarded and when the sync picked up the reactivation. Reports can also be exported as CSV.
Why does an offboarded user still show access to some applications?
Why does an offboarded user still show access to some applications?
Offboarding completes once AccessOwl has done everything it can automatically. It suspends the user’s Google Workspace or Microsoft 365 account, revokes every access that is managed through a live integration, and notifies the application admin for any app that requires manual removal.Anything still listed afterwards is usually discovered access, not access AccessOwl provisioned. Discovered access comes from shadow IT detection (for example, a “Sign in with Google” login), so it only tells you the person used the app at some point, not whether a separate account still exists or what permissions it holds. Because AccessOwl never granted that access, there is nothing for it to revoke automatically, so it surfaces the access for you to review. This is by design: discovery acts as a safety net to catch accounts you might otherwise miss, especially for apps with no integration.To clear a remaining access, open the user’s profile and click the red X next to the access. For discovered apps that are personal or irrelevant, Ignore them so they stop appearing during offboarding.
Discovered access (for example, access detected via “Sign in with Google”) does not appear in the Terminated Users with Access tab, because AccessOwl never granted it. Clear it directly from the user’s profile with the red X. The Terminated Users with Access tab covers access that AccessOwl manages but still needs removal.
Why does a discovered app show as removed after offboarding when AccessOwl never granted that access?
Why does a discovered app show as removed after offboarding when AccessOwl never granted that access?
This is expected. AccessOwl detected that access through a “Sign in with Google” login, not by provisioning an account. When offboarding suspends the user’s Google Workspace account, that sign-in path stops resolving, so the discovered access drops to removed on its own.It means the access AccessOwl could see is gone, not that AccessOwl signed into the app and deleted an account. If the person also had a separate account in that app that does not depend on Google sign-in, that account still exists and needs to be removed manually in the app.