Recent announcements got me thinking about how to deprovision executives such as a Pope. Never had to deprovision a Pope before? No worries. We’ve come up with a sure-fire 6-step process guaranteed to help you help your Pope incur a separation from payroll.
Step 1 – Listen to HR
In order to kick off the deprovisioning process, ensure that the user provisioning system can, in fact, know that someone has left the organization; the most common way to do that is to “listen” to the HR system. Got that set up? Good. Oh wait, did HR actually submit his status change to ‘Abdicated?’ Does the user provisioning system actually know how to process ‘Abdicated’ status codes instead of ‘Terminated?’ Say a Hail Mary and proceed to Step 2.
Step 2 – Disassociate said Pope from super-user accounts
Assuming the user provisioning system knows that your Pope is abdicating, the next step is to make sure he doesn’t “own” any god-like, privileged accounts such as root, domain administrator, SYSOPER, etc. You’d hate it if, whilst processing the deprovisioning event, the user provisioning system wipes out a crucial (often really hard to recover) account. Run a report, check to see if your Pope has some privileged accounts, and if he does, reassign ownership to someone else.
Step 3 – Do Not Delete!
The thing is – you don’t actually want to delete your Pope’s accounts when he abdicates. That would be really really bad. Why? Because all of his emails, the animated gifs of cats he collected, and all other work (and non-work) related stuff needs to go into the special archive where Pope-related materials go for later study. To prevent loss of future discoveries such as the Pope’s draft for a vampire ninja manga, make sure the user provisioning system sends ‘suspend’ verbs instead of ‘delete.’
Step 4 – Wait and See
You’ve got two weeks before your Pope abdicates. Now would be a good time to crank up the monitoring – just in case. Your Pope was a beloved leader but, let’s face it, if he walks off the job with the entire donor list and sells it to a multi-tiered marketing firm, the outraged donors will be coming after information security.
Step 5 – Untangle workflow
Your Pope was kind enough to give you two weeks’ notice. This is not only polite but very much needed. You should spend those two weeks identifying where the Pope is a workflow approver and removing him from those workflows. You do not want a new hire’s request for the keys to the kingdom waiting on your Pope’s approval. Don’t forget those segregation-of-duties violation workflows either. And access certifications. And… well, you’ll be busy in those two short weeks.
Step 6 – Cake. Cards. Credentials.
On the day your Pope leaves, throw him a party. Lots of cake for everyone, and make sure the ratio of cake to people is correct. Make sure there are multiple heartfelt cards wishing him well in his new endeavors. Meanwhile, as the user provisioning system is instructing its connectors to suspend (and not delete) his accounts, make sure to tactfully ask for your Pope’s smart cards, hardware OTP tokens, and any other credential materials you issued him. Yes, the user provisioning system will sweep up the mess, but it’s just good form to recover those IT assets, and the boys and girls in Accounting will thank you later. Oh, and don’t forget the things the provisioning system won’t likely clean up, such as access to shared social media accounts. Last-minute, sugary cake-induced tweets can be surprising, at best.
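Steps 1, 2, 3 and 5 boiled down to one deprovisioning handler, added here as an illustration rather than code from any real provisioning product; the status-code vocabulary, the Account and Workflow records and the successor name are all assumptions.

```python
from dataclasses import dataclass

# Constructed sample vocabulary, not from any real provisioning product.
# Step 1: HR status codes the provisioning system treats as "left the org".
# 'Abdicated' must be mapped explicitly or the event is never processed.
LEAVER_STATUSES = {"Terminated", "Retired", "Abdicated"}
ACTIVE_STATUSES = {"Active", "Leave"}


@dataclass
class Account:
    name: str
    owner: str
    privileged: bool = False  # root, Domain Admins, SYSOPER, ...


@dataclass
class Workflow:
    name: str
    approver: str


def deprovision(user, hr_status, accounts, workflows, successor):
    """Plan the offboarding actions for `user` given an HR status change.

    Returns a list of action tuples for the connectors to act on.
    'delete' is deliberately never emitted (Step 3).
    """
    if hr_status in ACTIVE_STATUSES:
        return []
    if hr_status not in LEAVER_STATUSES:
        # Unknown code: flag it for a human instead of silently dropping it.
        return [("review", hr_status)]
    actions = []
    for acct in accounts:
        if acct.owner != user:
            continue
        if acct.privileged:
            # Step 2: shared super-user accounts are reassigned, not touched.
            acct.owner = successor
            actions.append(("reassign", acct.name, successor))
        else:
            # Step 3: suspend so mail and files survive for the archive.
            actions.append(("suspend", acct.name))
    for wf in workflows:
        if wf.approver == user:
            # Step 5: reroute approvals so pending requests do not stall.
            wf.approver = successor
            actions.append(("reroute", wf.name, successor))
    return actions
```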
So the next time your Pope, CEO, President, or Grand Poohbah moves on to greener pastures, be sure to follow our easy 6-step process for a safe and successful deprovisioning.
Awesome and inspiring post.
I like it.