Leaver Access Revocation Chase

Example prompt: "When HR marks someone as leaving in our People sheet, work out which systems they've got access to, raise an IT ticket to revoke each one for their last day, and chase the owners so nothing is still open the morning after they leave."

The Problem

When someone leaves a company, the new-starter checklist gets all the attention and the leaver checklist gets a paragraph in the HR handover that says "IT to revoke access." A week after the leaving date the old laptop is still authorised against the CRM, the personal Gmail is still on the shared marketing inbox, and the Slack account is greyed out but the integration tokens it issued are still ticking through the API. The risk is small per leaver and large per company-year, and nobody is paid to notice the gap because the gap is invisible until an auditor or, worse, a press release pulls it into view.

How GloriaMundo Solves It

We build a workflow that triggers whenever the leaving-date column is filled in for a row in the HR People sheet. A code step looks up the leaver's role, team, and tenure against the same role-access matrix used by the new-starter provisioning workflow, and expands it into the list of systems they almost certainly hold accounts in — Google Workspace, Slack, the CRM, the design tools, the BI platform, the customer-support tool, the shared mailboxes by department, the company GitHub, the company password manager. An integration step raises a Jira ticket per system to the owner of that system with a clear due date — most for end of the last working day, a few earlier where the leaver has admin rights that should be handed over before, and a few later where there is a defined handover window. A conditional step sets up a chase ladder against the due date — three days before, the day before, and the morning after — that posts a Slack reminder to the system owner if the ticket is still open. The morning after the leaving date, an LLM step assembles a short summary for the IT lead listing every ticket, who has confirmed revocation and who has not, and any system that the leaver had elevated rights in. Glass Box preview shows the expanded ticket list, the chase schedule, and the drafted owner messages before anything is raised.

Example Workflow Steps

  1. Trigger (integration): A row in the HR People Google Sheet has its leaving-date column filled in.
  2. Step 1 (integration): Read the leaver's role, team, tenure, and any noted admin responsibilities from the same row, and pull the role-access matrix from the IT sheet.
  3. Step 2 (code): Expand the role and team into the list of systems the leaver is almost certainly active in, and tag the entries where the matrix shows elevated rights or shared-mailbox membership.
  4. Step 3 (integration): Raise a Jira ticket for each system to the listed system owner — most due at end of the last working day, with earlier dates where admin handover is needed and later dates where a defined handover window applies.
  5. Step 4 (conditional): For each open ticket, schedule a Slack reminder to the owner three days before the due date, the day before, and the morning after if it is still open.
  6. Step 5 (LLM): On the day after the leaving date, draft a short summary for the IT lead listing every ticket, its current state, and any system in which the leaver held elevated rights.
  7. Step 6 (integration): Send the summary as a Slack DM to the IT lead and append the row to the leaver audit log on Google Drive for the running record.
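
A sketch of what Steps 2 to 4 compute, added here as an illustration and not GloriaMundo's own code: it expands one leaver row against a role-access matrix into per-system tickets with due dates and the chase ladder. The matrix columns, the `plan_revocations` name, the sample rows and the use of calendar days instead of working days are all assumptions.

```python
from datetime import date, timedelta

# Constructed role-access matrix; column names are assumptions, not the product's schema.
# due_offset_days: 0 = last day, negative = admin handover first, positive = handover window.
MATRIX = [
    {"role": "*", "team": "*", "system": "Google Workspace", "owner": "it-lead", "elevated": False, "due_offset_days": 0},
    {"role": "*", "team": "*", "system": "Slack", "owner": "it-lead", "elevated": False, "due_offset_days": 0},
    {"role": "*", "team": "marketing", "system": "Shared marketing inbox", "owner": "marketing-ops", "elevated": False, "due_offset_days": 3},
    {"role": "engineering-manager", "team": "*", "system": "GitHub", "owner": "platform-lead", "elevated": True, "due_offset_days": -2},
]
CHASE_OFFSETS = (-3, -1, 1)  # three days before, the day before, the morning after the due date


def plan_revocations(leaver, matrix, today):
    """Expand one leaver row into revocation tickets with due dates and chase dates."""
    rows = [r for r in matrix
            if r["role"] in ("*", leaver["role"]) and r["team"] in ("*", leaver["team"])]
    # Assumption: every role or team has at least one specific row. If only wildcard
    # rows matched, the matrix is missing this leaver and access would go unticketed.
    if not any(r["role"] == leaver["role"] or r["team"] == leaver["team"] for r in rows):
        raise LookupError(f"no matrix rows for {leaver['role']}/{leaver['team']}; review manually")
    tickets = []
    for r in rows:
        # Never set a due date in the past for a short-notice leaver.
        due = max(leaver["leaving_date"] + timedelta(days=r["due_offset_days"]), today)
        chases = [due + timedelta(days=o) for o in CHASE_OFFSETS]
        tickets.append({
            "system": r["system"], "owner": r["owner"], "elevated": r["elevated"], "due": due,
            # Drop reminders whose date has already passed.
            "chase_dates": [d for d in chases if d >= today],
        })
    # Elevated-rights systems first, then by due date, so the summary leads with them.
    return sorted(tickets, key=lambda t: (not t["elevated"], t["due"]))


if __name__ == "__main__":
    # Constructed leaver row: three days' notice, admin on GitHub.
    row = {"role": "engineering-manager", "team": "marketing", "leaving_date": date(2025, 6, 13)}
    for t in plan_revocations(row, MATRIX, today=date(2025, 6, 10)):
        print(t["system"], t["owner"], t["due"], t["elevated"], t["chase_dates"])
```

A role or team with no specific matrix row raises instead of producing a wildcard-only ticket list, so a gap in the matrix surfaces as a manual review, not as missed revocations.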

Integrations Used

  • Google Sheets — the HR People sheet that triggers the workflow, the role-access matrix, and the leaver audit log
  • Jira — the per-system revocation tickets raised to each system owner with a clear due date
  • Slack — the chase reminders to system owners and the morning-after summary DM to the IT lead
  • Gmail — the fallback email path for owners of systems whose admins are not on the Slack workspace

Who This Is For

IT operations and security leads at companies between 50 and 500 staff where Google Workspace and Slack are the centre of gravity but there is no central identity provider gluing every SaaS tool together, and the leaver checklist is the one that always slips.

Time & Cost Saved

A manual leaver run is 45 minutes to an hour of working out the list, raising the tickets, and chasing the owners — plus the unmeasured cost of the cases where one of the tickets is forgotten and a leaver retains access for weeks. The workflow does the list-building and the chase automatically; the saving is partly the IT lead's time and partly the much smaller window during which the company is carrying access risk on people who no longer work there.