Provisioning, Deprovisioning, Onboarding, Offboarding, or User Lifecycle Management: we all have terms we use for the starters, leavers and movers tasks we follow within our Google Workspace environment.
On the 17th June the UK and Ireland Community will be hosting another online event on this popular topic. Before then, we're interested to understand how others are managing this process.
What tools and scripts are you using?
Are you scripting and using tools like GAM, which is extremely popular amongst many Google Workspace for Education customers, or have you purchased Google Workspace management tools like BetterCloud or Patronum?
Have you taken advantage of the new Google Workspace licensing options for archived users?
When you create a new user, what processes have you automated? Do you use Google Apps Script to create Contracts, Training Records etc? Or something more sophisticated like Zenphi?
When it comes to offboarding there are a number of key steps. What are you doing in relation to:
- Securing - Things like resetting passwords, wiping mobile devices.
- Delegating - Such as delegating groups, calendars, shared drives.
- Archiving - Moving files and folders, emails, calendar items.
- Reclaiming - Getting back your hardware etc.
- Deleting - Removing the account and reducing license count.
Let us know what your SLaM (Starters, Leavers and Movers) approach is.
In the past a lot of my scripting has been done with gam as I really love the way I can customise each command and dig deep into the API to build my own workflows. Not many UI tools can replicate everything I want to do ;) I am also just a sucker for the command line for some reason.
As a Google partner I always looked at UI tools to resell and recommend to my customers, but they are either suuuper hard to justify in terms of cost/benefit (but amazing if you can demonstrate the value; see BetterCloud) or just... look and function badly. So often enough we went and scripted stuff in gam, educated our clients in that tool, and worked with some other API-based solution like Apps Script.
Just recently we started looking into the Freshservice "SaaS Management" and "Orchestration Center", as they launched those late last year and we are a heavy user ourselves & a reseller of them too. It's... clunky... but promising.
But let's go and talk about our future strategy:
We just launched our partnership with patronum.io, which will allow all our recurring clients (Workspace, SaaS Ops Management, etc.) to take advantage of the tool for free. What I love about it is the clean interface, the ability to set up and manage policies in a straightforward and understandable way, as well as the price.
Another sucker for command line tools here. While there are many CLI/GUI tools out there for automating user lifecycle management, there are not a lot of tools for exporting users’ emails. Your options are really
For customers that are coming from Microsoft, this is a big gap as Microsoft makes it easy to convert a user mailbox to a shared mailbox.
How is everyone handling email of a departed employee?
We've been on Google for ~5 years. Initially we purchased one of the third-party platforms as our management tool to handle some of our automation. We found there were limitations, and over time we started developing our own scripts to do things in a customized and automated way. We first started off with GAM and then eventually just started to code against the API directly, as it offered the most granularity. As a result we were able to stop using that third-party platform and save $$.
Onboards are automated through our identity platform, so not much to do there.
Some groups are assigned automatically: I have groups that are assigned based on Active Directory attributes, AD group memberships, Google org units, etc. I use a custom-built process to do this. Unfortunately the Google Dynamic Groups feature is useless for us, as it does not allow the use of custom attributes.
I use a series of scheduled scripts. I detect when a user is suspended. The suspension triggers the offboard. The offboard includes a mobile account wipe, removing groups, revoking tokens, moving them to an OU, revoking delegates, setting an automatic out of office, etc.
There are several independent processes that run, so I use a series of custom schema attributes to track items and progress. After the user is offboarded I have another process that audits and revokes permissions on any externally shared files owned by the user. After a grace period, a data transfer to the manager is kicked off.
Typically, the user's manager will request delegate access. Once they do, we use a custom process to grant the delegate access for a set period of time, and I use attributes to track it. Then there are other processes that clean up the delegate access, if any exists, or if none was requested after a set grace period (for the auto-reply to take effect). The accounts are then moved to another OU and archived.
This approach isn't for everyone; it took a lot of development work to get there. In theory you should be able to do pretty much everything with GAM commands, but with this level of automation I found it's better to use the API directly.
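The Securing / Delegating / Archiving steps from the original post's list, and the staged, attribute-tracked flow in the reply above, sketched as a GAM shell script. This is an added example, not code from any poster or from the GAM project: it assumes GAM is installed and authorised as an admin, that a /Leavers OU exists, that a custom schema called Offboarding with a string field stage has been created (both names are hypothetical), and that the script is invoked with the leaver's and manager's addresses rather than triggered by suspension. Command syntax follows the GAM wiki; check each command against the GAM release you actually run, since options drift between versions.

```shell
#!/bin/sh
# Added example: GAM-driven leaver script (not from the thread above).
# Assumes GAM (https://github.com/GAM-team/GAM) is installed and authorised,
# a /Leavers OU, and a custom schema created once with (hypothetical names):
#   gam create schema Offboarding field stage type string endfield
# Set GAM_BIN=echo for a dry run that only prints the commands it would run.
set -u

GAM_BIN="${GAM_BIN:-gam}"
LEAVERS_OU="${LEAVERS_OU:-/Leavers}"
STAGE_FIELD="Offboarding.stage"   # custom schema attribute used to track progress

gam_run() { "$GAM_BIN" "$@"; }

# Record which stage the account has reached so independent scheduled jobs
# can pick up where the previous one stopped (the custom-attribute idea above).
mark_stage() { gam_run update user "$1" "$STAGE_FIELD" "$2"; }

# Securing: lock the person out everywhere. The account is deliberately not
# suspended here so the delegate and auto-reply set up below stay usable.
secure_user() {
  user="$1"
  gam_run update user "$user" password random changepassword off
  gam_run user "$user" signout        # end active web and mobile sessions
  gam_run user "$user" deprovision    # revoke OAuth tokens, app passwords, backup codes
  # Account-wipe every managed mobile device registered to the leaver: GAM's
  # csv pipeline feeds each device's resourceId into an update mobile command.
  gam_run print mobile query "email:$user" |
    gam_run csv - gam update mobile '~resourceId' action admin_account_wipe
  mark_stage "$user" secured
}

# Delegating: auto-reply, mailbox delegation to the manager, drop group
# memberships (so distribution lists stop reaching the mailbox), move OU.
delegate_to_manager() {
  user="$1"; manager="$2"
  gam_run user "$user" vacation on \
    subject "No longer with the company" \
    message "This mailbox is no longer monitored. Please contact $manager."
  gam_run user "$user" delegate to "$manager"
  gam_run user "$user" delete groups
  gam_run update user "$user" org "$LEAVERS_OU"
  mark_stage "$user" delegated
}

# Day-of-leaving entry point: secure first, then hand over.
offboard_user() {
  secure_user "$1"
  delegate_to_manager "$1" "$2"
}

# Archiving: run from cron once the grace period has passed. Transfers Drive
# ownership to the manager, removes the delegate, and converts the account to
# an archived user so the regular licence is reclaimed (needs an Archived
# User licence, the option mentioned in the original post).
finalize_user() {
  user="$1"; manager="$2"
  gam_run create datatransfer "$user" drive "$manager"
  gam_run user "$user" delete delegate "$manager"
  gam_run update user "$user" archived on
  mark_stage "$user" archived
}

# Usage: offboard.sh start|finish <leaver-email> <manager-email>
# With no arguments the functions are only defined (for sourcing or testing).
if [ $# -eq 3 ]; then
  case "$1" in
    start)  offboard_user "$2" "$3" ;;
    finish) finalize_user "$2" "$3" ;;
    *) echo "usage: $0 start|finish <leaver-email> <manager-email>" >&2; exit 2 ;;
  esac
fi
```

Run it with start on the leaving day and with finish from a scheduled job after the grace period; GAM_BIN=echo gives a dry run you can review before pointing it at real accounts. The reply above starts from an already suspended account instead, so before reordering the steps check how your tenant treats delegation and auto-replies on suspended mailboxes, and decide where suspension belongs in your own sequence.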