Offboarding Validation Checklist

Before you begin

1. Verify each application in your environment is either set to disable or delete services users on termination.

2. Verify any Dynamic Database applications have the appropriate disable or delete queries provided in the Application SQL configuration

   1. You only need one or the other (Disable or Delete) 

3. Verify that each Application has the correct Trust Permission

1. Create custom “Identity Terminated” workflow with a Condition to limit the scope of the workflow

   1. Provide a name that makes it obvious this Role is for testing

   2. Add Trigger: Identity Terminated

   3. Add Condition: Identity Attributes or Identity Roles (to limit the scope of workflow for testing)

      1. Configure the Conditions scope to save

   4. Optional: Add any approvals (Action: Termination - Approval Request) in the workflow before the provisioning step.

      1. Configure the options to save.

   5. Add Action: DeProvision Identity

   6. Add Action: Terminate an Identity

   7. Optional: Add any notifications (Action: Send Email - Termination Alert) to the workflow as needed for your process.

   8. Click the blue Save button in the upper right

2. Modify or disable your original “Identity Terminated” workflow so it does not terminate users (your custom workflow above handles the scope of your testing).

   1. Remove Action: DeProvision Identity

   2. Remove Action: Terminate an Identity

   3. Optional: Remove Action: Send Email - Termination Alert

3. Enable your custom Identity Terminated workflow

4. Record the list of applications and entitlements attached to the Identity you plan to use for testing.

5. Using an existing Test user in your HRIS with the appropriate attributes to match your Organizational Units

   1. Terminate this user 

6. Wait or Sync the above application to trigger Clarity to pull in the user changes

   1. After the sync is complete, refresh your webpage, and search for your Test user.

7. Verify in Clarity that you see both Entitlements have been removed and application service users disabled or deleted (depending on your configuration).

8. For each application previously on the Identity, check that the downstream Service User was deleted or disabled as configured (Not all connectors have both options disable and delete, if one is not available this is due to API limitations of the vendor).

   1. For each application configured for disable on termination, check if the list of entitlements previously associated with the Identity have been removed.

9. Disable any custom workflows created for testing (these typically have additional steps such as Conditions, which limited the scope for testing.

10. Re-Enable or add the steps removed above from your original Identity Terminated workflow

    1. Duplicate any desired approvals or notifications from your tests.