How To Revoke Access To Google Drive For Departing Employees


Discover how to streamline user deprovisioning processes for Google Workspace, enhancing your data security and deploying data loss prevention measures. A must-have workflow for Google admins.


Why automate the way you revoke Google Drive access

Offboarding tasks can consume valuable time for Google Workspace admins. Revoking access to confidential information and suspending departing employees is crucial but can also be time-consuming. Manual processes are not only error-prone but also jeopardize data security. These errors can cost you dearly: what if an employee holds a grudge against the company? Right after being notified that they’re no longer part of the team, they can copy sensitive information and later share it publicly. There’s a simple, hassle-free way to avoid these scenarios completely: automate most of the steps.

In this example, we will go over how you can automate the steps of removing any files the employee had shared externally via email and link, signing the user out of all devices, updating the recovery email and phone for the user, and finally suspending the departing employee. Let’s get started!

Step 1: Set Up Your Zenphi Account

Zenphi is the #1 platform for automating Google Admin tasks. Begin by creating your free Zenphi account using this link. Once registered, you can start building your first automated flow.

In Zenphi, a ‘flow’ represents an automated workflow. It comprises a trigger, which initiates workflow execution, such as a Google Form response in this specific use case. Every time a Google Form response is submitted, the flow will automatically run through all the steps, ensuring quick and simple execution. You can also explore pre-built automation templates and discover a world of possibilities for your Google Workspace.

Step 2: Set Up The Flow

Our example workflow includes four key steps: selecting the departing employee from Google Directory, revoking link-based and email-based sharing on any files they currently possess, removing their access to company accounts (which also includes changing their recovery information), and lastly suspending the user’s account.

Trigger Utilized: Google Form Response Trigger

In this example, we will utilize the Google Form Response Trigger, which is ideal for this specific use case. By filling out a simple Google Form with the departing employee’s information, such as their email address, Zenphi will be able to take care of the rest! For this example, we will be adding four questions to the Google Form: the name and email of the departing user, as well as the preferred new recovery email and phone number. The responses to these questions can be accessed inside our flow, so add any questions your workflow needs.

Step 3: Selecting the User & Locating Files They Are Sharing

The first step to enhancing data security is selecting the departing user. Our initial Zenphi action is ‘Lookup User Information,’ where we specify the account from which access needs to be revoked and files need to be reviewed. Set up your connection to Google Directory to enable Zenphi access to user data for the selected employee. Utilize the token picker, symbolized by a chain icon to the right of each field, to select data from the previous step.

We’ll use the token picker to choose the departing employee’s email, as mentioned in the previous trigger step. Simply open the trigger and select the token with the employee’s email. For the next steps, we’ll continue using this information in the same way.

Before we proceed to make changes to the account and suspend the user, it’s crucial to consider that they may have shared files that we don’t want to continue sharing once the user departs. To handle this, we’ve added a ‘List User’s Shared Files’ action. This action is set up to identify files and folders shared using an external email address or shared with a link.

Step 4: Removing Access To Shared Files & Log Out Process

To remove access to the files we retrieved in the previous action we will be using the ‘List User’s Shared Files’ and ‘Remove Sharing’ actions.

We use the first action to get a list of files which the user has shared.

We’ve also created a Foreach loop that will go through all of these files to remove sharing. However, the ‘Remove Sharing’ action required to do so needs the permission ID of each file.

Therefore, we must use the ‘List Permissions’ action to retrieve this required field. Afterward, we can delete the sharing from each file to ensure that, even after their account is suspended, these files cannot be reached from a different account that may belong to the departing employee or to anyone else we don’t want to have access to them.
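The selection logic behind this loop, as an added example that is not Zenphi’s own code: given each file’s permission list, it picks out the permission IDs that expose the file by link or to an outside address. Field names follow the Google Drive API v3 permission resource; `COMPANY_DOMAIN`, the function names and the sample data are assumptions constructed for illustration.

```python
# Added illustration: plain Python over constructed data, not Zenphi's code.
# Field names (id, type, role, emailAddress, domain) follow the Google Drive
# API v3 permission resource; everything else here is an assumption.
COMPANY_DOMAIN = "example.com"  # assumption: your primary Workspace domain


def is_external(perm, company_domain=COMPANY_DOMAIN):
    """Return True if a permission exposes the file outside the company."""
    ptype = perm.get("type")
    if ptype == "anyone":                 # "anyone with the link" sharing
        return True
    if ptype == "domain":                 # shared with a whole domain
        return perm.get("domain", "").lower() != company_domain
    if ptype in ("user", "group"):        # shared with a specific address
        email = perm.get("emailAddress", "").lower()
        # Match on "@domain" so "x@evil-example.com" is not taken as internal.
        return not email.endswith("@" + company_domain)
    return True                           # unknown type: treat as external


def permissions_to_remove(files, company_domain=COMPANY_DOMAIN):
    """Return (file_id, permission_id) pairs for every external share.

    The owner permission is skipped: ownership has to be transferred
    rather than deleted, which is a separate offboarding task.
    """
    pairs = []
    for f in files:
        for perm in f.get("permissions", []):
            if perm.get("role") == "owner":
                continue
            if is_external(perm, company_domain):
                pairs.append((f["id"], perm["id"]))
    return pairs


# Constructed sample: the shape a "list shared files" + "list permissions" pass yields.
SAMPLE_FILES = [
    {"id": "file-A", "permissions": [
        {"id": "p1", "type": "user", "role": "owner", "emailAddress": "leaver@example.com"},
        {"id": "p2", "type": "user", "role": "reader", "emailAddress": "partner@gmail.com"},
        {"id": "p3", "type": "anyone", "role": "reader"}]},
    {"id": "file-B", "permissions": [
        {"id": "p4", "type": "group", "role": "writer", "emailAddress": "team@example.com"},
        {"id": "p5", "type": "domain", "role": "reader", "domain": "vendor.example.org"}]},
]

if __name__ == "__main__":
    for file_id, perm_id in permissions_to_remove(SAMPLE_FILES):
        print(f"remove permission {perm_id} from {file_id}")
```

Internal shares such as the `team@example.com` group are left in place, so colleagues keep working access while link and outside-address permissions are queued for removal.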

Exiting the loop we’ve created and having removed the sharing from these files for the departing user, we’ll proceed to use the ‘Sign Out User’ action. With this action, we ensure they are logged out from all devices before proceeding to the next steps.

Step 5: Generating New Password & Updating Recovery Information For The Account

Ensuring information security is paramount, especially after signing out a departing employee. It’s crucial to change their password to prevent further access to their account as well as prevent them from being able to request a new password. To achieve this, we’ll utilize two Zenphi actions: ‘Generate Password’ and ‘Update User’.

With the ‘Generate Password’ action, you can specify criteria for creating a unique and secure password.

Next, using the ‘Update User’ action, we’ll configure it to update the password for the designated user. Then, simply indicate the new password, in this case, the one previously generated. Once we change their password, we want to ensure that they are unable to request a new password and access their account once again.

For this, we will need to update their Recovery Email as well as their Recovery Phone to prevent this from happening. This can also be done with the ‘Update User’ action that we just made use of. We will need one action for the email and another for the phone.

Similar to the previous step, we will indicate the email of the user, and for the selected field, we will select the Recovery Phone for one action and the Recovery Email for the second action. Again, using the token picker, we’re able to insert the new recovery information by taking the desired email and phone from the submitted form response.

Step 6: Suspending The User

As an additional layer of security, we’ve included the “Suspend User” action. This powerful feature enables the suspension and archiving of users if required. Simply specify the user’s email address and whether they should be suspended, archived, or both. This is an ideal moment to suspend the user, given that we’ve already ensured they’re logged out, changed their password/recovery information, and no longer have access to their account.

Please note that depending on your situation, you may first want to change the user’s password and password recovery email. Then sign the user out of their account, and proceed to revoke access to any files the user has shared externally. The final step would be to suspend the user’s account.

Step 7: Test & Run The Flow

By automating access revocation for departing employees with Zenphi, you’ll save valuable time and enhance data security effortlessly. With Zenphi, the entire process of revoking access can be completed in just seconds by simply filling out a Google Form. Start saving time, enhancing productivity, and streamlining your workflow with the steps provided in this comprehensive guide. If you have any questions or wish to see a live demo tailored to your specific workflow needs, feel free to book a demo meeting with our team.
