Deprovisioning Access
Plain English Translation
User deprovisioning ensures that employees and contractors immediately lose access to company systems when they depart or change roles. By implementing a strict joiner mover leaver (JML) deprovisioning process and using an employee offboarding checklist, organizations can securely remove access and prevent former employees or malicious actors from exploiting lingering accounts.
Technical Implementation
Required Actions (startup)
- Create a manual employee offboarding checklist to ensure all primary accounts and devices are disabled.
- Assign a dedicated IT or HR owner to execute the access revocation process on the user's last day.
Required Actions (scaleup)
- Implement Single Sign-On (SSO) to centralize user deprovisioning and instantly sever access to connected apps.
- Integrate HR systems with IT ticketing to automatically notify administrators of upcoming departures.
Required Actions (enterprise)
- Deploy an automated deprovisioning workflow, triggered by the HRIS, that instantly suspends IAM and downstream SaaS accounts.
- Implement automated scripts that execute the offboarding checklist steps for removing API keys and rotating shared accounts.
Access deprovisioning in IAM is the systematic process of removing a user's identity and revoking their access to applications, data, and networks. It is a critical component of the identity lifecycle that ensures no unauthorized access remains after a user's role ends.
The CyberSecure Canada deprovisioning access requirements mandate that an organization must remove accounts and functionality when users no longer require them. This applies to employees who leave the company, as well as those who transfer to new roles where their previous permissions are no longer needed.
Access should be removed immediately upon an employee's departure, ideally through an automated deprovisioning workflow triggered by the HRIS. In the case of hostile terminations, the access revocation process must occur before or exactly as the employee is notified.
An effective employee offboarding checklist should include disabling the primary identity directory account, resetting shared passwords, wiping mobile devices, revoking VPN access, and reclaiming hardware. It must also serve as a complete SaaS access removal checklist so that standalone apps outside SSO are handled. Tools like WatchDog Security's Policy Management can help standardize the checklist with version control and ensure stakeholders acknowledge the procedure.
To prove compliance, organizations should retain a completed and signed account deactivation and access removal procedure for each departed employee. Auditors will cross-reference HR termination dates with system access logs to ensure accounts were disabled on time. Tools like WatchDog Security's Compliance Center can link this control to evidence requests and retain completed checklists, tickets, and access logs in one audit-ready record.
The joiner mover leaver (JML) deprovisioning process must cover all systems the user interacted with. This includes the core email directory, remote access VPNs, cloud infrastructure environments, individual endpoint devices, and any standalone SaaS applications not tied to a central SSO platform.
Organizations can automate user deprovisioning by linking an HR Information System directly to an identity provider. When a user is marked as terminated, the system automatically suspends the core account and uses the SCIM provisioning protocol to revoke downstream SaaS access.
If a departing user had access to critical infrastructure, organizations must immediately rotate passwords for those shared resources. IT must explicitly follow the offboarding checklist steps for removing API keys and shared accounts, invalidating any personal access tokens generated by the user.
For contractor offboarding, remove accounts and permissions immediately when the contract expires or the project concludes. Best practices include setting hard expiration dates on contractor accounts upon creation, so their access is automatically disabled without requiring manual intervention.
Knowing how to find and remove orphaned accounts is essential if a manual offboarding step fails. Periodic user access reviews act as a safety net, allowing managers and IT to audit current permissions and spot active accounts belonging to users who have already left the organization. Tools like WatchDog Security's Asset Inventory can help identify SaaS applications and map identities so reviews can focus on high-risk or orphaned accounts.
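The audit cross-check described above (HR termination dates against system account state) and the orphaned-account review can be scripted. The following is an added example, not WatchDog Security's or CyberSecure Canada's code; the HR export, the per-system account inventory, and the optional grace period are constructed assumptions, and the SCIM PatchOp body follows RFC 7644 section 3.5.2.

```python
"""Reconcile an HR leaver export against per-system account inventories.

All sample data below is constructed for illustration.
"""
from datetime import date, timedelta

# Constructed HR export: the HRIS view of who left and when.
HR_LEAVERS = {
    "alice": date(2026, 2, 10),
    "bob": date(2026, 2, 14),
}

# Constructed account inventory across systems, including a standalone SaaS
# app outside SSO. disabled=None means the account is still active.
ACCOUNTS = [
    {"user": "alice", "system": "idp", "disabled": date(2026, 2, 10)},
    {"user": "alice", "system": "vpn", "disabled": date(2026, 2, 13)},
    {"user": "bob", "system": "idp", "disabled": date(2026, 2, 14)},
    {"user": "bob", "system": "figma", "disabled": None},  # orphaned
    {"user": "carol", "system": "idp", "disabled": None},  # still employed
]


def reconcile(leavers, accounts, grace=timedelta(days=0)):
    """Return (orphaned, late).

    orphaned: active accounts whose owner HR has marked as departed.
    late: (account, days_late) for accounts disabled after the termination
          date plus an assumed grace period (default: same day).
    """
    orphaned, late = [], []
    for acct in accounts:
        term = leavers.get(acct["user"])
        if term is None:
            continue  # current employee, not in scope
        if acct["disabled"] is None:
            orphaned.append(acct)
        elif acct["disabled"] > term + grace:
            late.append((acct, (acct["disabled"] - term).days))
    return orphaned, late


def scim_deactivate_patch():
    """SCIM 2.0 PATCH body that sets active=false on a downstream user."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
```

Each orphaned account in the output is a candidate for a SCIM PATCH with the body above (or a manual disable for apps without SCIM), and the late list is the timing evidence an auditor would ask for.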
Deprovisioning often fails when HR, IT, and app owners rely on informal handoffs and scattered tickets. Tools like WatchDog Security's Compliance Center can map this control to an offboarding workflow, assign evidence tasks (e.g., disable accounts, revoke VPN, rotate keys), and retain the resulting artifacts so auditors can verify timing and completion.
Orphaned accounts commonly occur when teams forget about standalone or rarely used SaaS tools outside of SSO. Tools like WatchDog Security's Asset Inventory can help maintain an up-to-date SaaS inventory and identity mapping so offboarding checklists include all relevant applications and account types.
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-25 | WatchDog Security GRC Team | Initial publication |