Feature availability: This article discusses Access Management features, which may require an upgrade or add-on. Refer to Vanta Plans and Pricing for details.
When personnel leave your company, you need to immediately deprovision all their accounts. This process can often be chaotic—it’s hard to know what accounts a person had and ensure the accounts are deprovisioned properly. Vanta’s personnel offboarding tool automates this process and centralizes evidence for your auditor.
Optional prerequisites
Connect Access integrations: Integrations are the lifeblood of Access Management - giving visibility into all the user accounts within that system. Before offboarding personnel, connect your key systems to Vanta. Learn more
Set security owners: When assigning deprovisioning tasks to system admins for terminated personnel, Vanta sets the default value to the system’s security owner in Vendors. By setting this field in advance, you’ll save yourself time later. Learn more
Set up Access Requests: When personnel are terminated, Vanta surfaces all their known accounts from past access requests, even for systems not integrated with Vanta. We recommend setting up Access Requests in Vanta if you haven’t yet to get full visibility. Learn more
Get started
From the left-hand navigation, select Personnel and then People.
On the People page, you can view all personnel who have been terminated.
Click on a terminated person and open the task to Deprovision accounts.
Review accounts and assign deprovisioning tasks
Once you’ve opened the task, you’ll see all the accounts owned by the terminated employee that are known to Vanta. There are two types of accounts:
Integrated accounts: These are accounts in systems that are integrated with Vanta. Vanta will automatically verify that these accounts are deprovisioned via the integration.
Manual accounts: These are accounts in systems that are not integrated with Vanta that are tracked from past access requests. The system’s admin (or you) will need to manually verify that the account has been deprovisioned.
For each account, you’ll need to either:
Assign the system admin responsible for deprovisioning the account. This should be the owner of the system (if this is you, assign it to yourself). This value will be auto-populated from the vendor security owner.
Reassign the account (if it’s being taken over by a current employee)
Coming soon: Soon, you will be able to automatically deprovision accounts for select systems directly from this page!
Review systems based on personnel groups and assign deprovisioning tasks
In some cases, you may want to check a system and confirm that the terminated employee does not have an account (or if they do, that it’s been deprovisioned) even when there isn’t a known account. You can accomplish this in Vanta by assigning specific systems to groups of employees on the Groups Page. If you take advantage of this functionality, the list of systems assigned will also appear on this page.
For each system, you’ll need to either:
Assign the system admin responsible for confirming no account exists (or deprovision it if it does)
Ignore the account (if confirmation is not needed)
Start the deprovisioning process
Once every account has a system admin assigned, click Start deprovisioning.
At this point, system admins will be assigned deprovisioning tasks and will receive notifications. Note: notifications are batched and can take up to 5 minutes.
Experience for system admins
Once the deprovisioning process is kicked off, system admins will be assigned the deprovisioning tasks. Each task contains the information the system admin needs to deprovision the account: the system name, account name, former owner, and entitlements.
Users can view all the deprovisioning tasks assigned to them on the Deprovisioning tasks page in Access. Note: owners of deprovisioning tasks can only see this page and will not get access to the People Page.
Once you receive a deprovisioning task, go into the relevant system and deprovision the account.
Once you’ve done so, click Confirm account as deprovisioned.
Note: if a system is integrated with Vanta, we will automatically close the task if we detect that the account has been deprovisioned.
Coming soon: System admins will be able to receive and complete deprovisioning tasks directly in Slack!
Monitor deprovisioning
Once deprovisioning tasks have been assigned, you can monitor the status of every account. For each account, you’ll also be able to:
View the associated deprovisioning task
Mark the account as deprovisioned + close the deprovisioning task (if this is an integrated account, you’ll need to override the status from the integration)
Open a URL to the system itself
For each account and system you’ll be able to see the status (whether or not the account has been deprovisioned). For each deprovisioned account, you can hover over the “Deprovisioned” status to view when it was verified as deprovisioned and how (via integration or if via manual confirm, who confirmed and when).
