Access Provisioning/De-provisioning Procedure
| Property | Value |
|---|---|
| Document ID | PROC-001 |
| Version | 1.0 |
| Status | Draft |
| Owner | IT Operations Manager |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | SOC 2: CC6.1, CC6.2, CC6.3 / ISO 27001: A.9.2 |
| Parent Policy | Access Control Policy (POL-002) |
1. Purpose
This procedure defines the steps for provisioning and de-provisioning user access to organizational systems and applications. It ensures consistent, authorized, and timely management of user access throughout the employee lifecycle.
2. Scope
This procedure applies to:
- Access Types: All system, application, and data access
- Users: Employees, contractors, consultants, and third-party users
- Lifecycle Events: New hire, role change, transfer, leave of absence, termination
- Responsible Parties: HR, IT Operations, Managers, Security
3. Access Provisioning (Onboarding)
3.1 New Employee Access Request
HR Creates Ticket → Manager Approves → IT Receives Request → IT Provisions Access → Access Confirmed
3.2 Provisioning Steps
| Step | Action | Owner | Timeline | Notes |
|---|---|---|---|---|
| 1 | HR initiates access request in ticketing system | HR | Start date - 5 days | Include role, department, manager |
| 2 | Manager reviews and approves access requirements | Manager | Within 24 hours | Specify required systems and roles |
| 3 | IT creates user account in identity provider | IT Operations | Within 24 hours | Unique username, temporary password |
| 4 | IT assigns role-based access (RBAC) | IT Operations | With account creation | Per approved role template |
| 5 | IT provisions email and collaboration tools | IT Operations | Within 24 hours | Google Workspace, Slack, etc. |
| 6 | IT provisions application access per role | IT Operations | Within 48 hours | Per role access matrix |
| 7 | MFA enrollment completed | New User | Day 1 | Required before system access |
| 8 | Access confirmation sent to manager | IT Operations | Upon completion | List of access granted |
| 9 | Ticket closed with documentation | IT Operations | Upon completion | Record of all access provisioned |
3.3 Role-Based Access Templates
Standard roles with pre-defined access packages:
| Role | Core Access | Additional Access (Request Required) |
|---|---|---|
| All Employees | Email, Slack, HR portal, Intranet | N/A |
| Engineering | GitHub, CI/CD, Dev environments | Production access, Admin consoles |
| Sales | CRM (Salesforce/HubSpot), Sales tools | Financial reports |
| Finance | Accounting systems, Financial reports | Payment processing |
| HR | HRIS, Recruiting tools | Payroll admin |
| Support | Support platform, Knowledge base | Admin dashboards |
| Admin/Exec | All standard + Dashboard access | As requested |
3.4 Checklist: New Employee Access
4. Access Modification (Role Change/Transfer)
4.1 Role Change Process
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | HR/Manager submits role change request | HR/Manager | Before effective date |
| 2 | New manager approves new access requirements | New Manager | Within 24 hours |
| 3 | Old manager confirms access to be removed | Old Manager | Within 24 hours |
| 4 | IT modifies access per new role | IT Operations | Within 48 hours |
| 5 | IT removes access from previous role | IT Operations | Within 48 hours |
| 6 | Confirmation sent to both managers | IT Operations | Upon completion |
4.2 Checklist: Role Change
5. Access De-provisioning (Offboarding)
5.1 Termination Types and Timelines
| Termination Type | Access Revocation Timeline | Notes |
|---|---|---|
| Involuntary (Immediate) | Immediate (within 15 minutes) | Disable all access before notification |
| Voluntary (Resignation) | End of last business day | Standard 2-week notice |
| Contractor End | End of contract date | Planned in advance |
| Leave of Absence | Per HR guidance | May suspend rather than revoke |
5.2 Involuntary Termination Process
HR Notifies IT (urgent flag) → IT Disables IdP (< 15 min) → Disable Email (immediately) → Revoke All Access (all systems within 1 hr) → Confirm & Document (ticket closed with evidence)
5.3 De-provisioning Steps
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | HR notifies IT of termination | HR | Per termination type |
| 2 | Disable account in identity provider (IdP) | IT Operations | Immediate |
| 3 | Revoke email access | IT Operations | Immediate |
| 4 | Revoke SSO sessions | IT Operations | Immediate |
| 5 | Disable/revoke VPN access | IT Operations | Immediate |
| 6 | Revoke application access (non-SSO) | IT Operations | Within 4 hours |
| 7 | Reset shared credentials (if applicable) | IT Operations | Within 24 hours |
| 8 | Transfer ownership of files/data to manager | IT Operations | Within 48 hours |
| 9 | Archive email (if required) | IT Operations | Per retention policy |
| 10 | Recover company devices | IT/Facilities | Upon termination |
| 11 | Document completion and confirm | IT Operations | Upon completion |
5.4 Checklist: Employee Offboarding
Immediate Actions:
Within 4 Hours:
Within 24 Hours:
Within 48 Hours:
5.5 System-Specific De-provisioning
| System | De-provisioning Method | Notes |
|---|---|---|
| Google Workspace | Suspend user, transfer data | Archive for 1 year |
| Okta/Supabase Auth | Deactivate user | SSO sessions invalidated |
| AWS IAM | Remove user, delete access keys | Verify no resources owned |
| GitHub | Remove from organization | Transfer repo ownership if needed |
| Slack | Deactivate user | Data retained per policy |
| Salesforce | Deactivate user | Reassign ownership |
6. Contractor/Third-Party Access
6.1 Contractor Onboarding
| Step | Action | Owner | Timeline |
|---|---|---|---|
| 1 | Contract executed with security terms | Procurement/Legal | Before access |
| 2 | Sponsor (internal) submits access request | Sponsor | Before start date |
| 3 | Security approves access level | Security | Within 48 hours |
| 4 | IT provisions time-limited access | IT Operations | Before start date |
| 5 | MFA enrollment completed | Contractor | Day 1 |
6.2 Contractor Offboarding
Same process as employee, but:
- Access automatically expires on contract end date
- Sponsor receives reminder 7 days before expiration
- Extension requires new request and approval
7. Access Request Form Fields
| Field | Required | Description |
|---|---|---|
| Requestor | Yes | Person making the request |
| User | Yes | Person needing access |
| Request Type | Yes | New hire, modification, termination |
| Start Date | Yes | Effective date |
| End Date | For contractors | Access expiration |
| Role/Title | Yes | Job role for RBAC |
| Department | Yes | Business unit |
| Manager | Yes | Reporting manager |
| Systems Requested | Yes | Specific applications/systems |
| Business Justification | For non-standard | Reason for access |
| Approver | Yes | Manager or system owner |
8. Evidence Requirements
| Evidence Type | Description | Location | Retention |
|---|---|---|---|
| Access Request Tickets | All provisioning/de-provisioning requests | Ticketing system | 3 years |
| Approval Records | Manager/owner approvals | Ticketing system | 3 years |
| IdP Audit Logs | Account creation/disable timestamps | IdP audit logs | 1 year |
| Termination Confirmations | Evidence of timely access removal | Ticketing system | 3 years |
| Access Logs | Login attempts post-termination (should be none) | SIEM | 90 days |
9. Metrics and SLAs
| Metric | Target | Measurement |
|---|---|---|
| New hire access provisioned | By start date | % completed on time |
| Voluntary termination access revoked | End of last day | % completed on time |
| Involuntary termination access revoked | Within 15 minutes | Time from notification |
| Access request completion | Within 48 hours | Average completion time |
| Access review completion | 100% quarterly | % of reviews completed |
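The SLA in section 9 (time from notification to revocation) and the "should be none" evidence check in section 8 can both be computed from IdP audit events. The following script is an added example, not part of this procedure or of any IdP product; the termination records, event names (`user.deactivate`, `user.login.success`) and timestamps are constructed for illustration, and the log shape assumes (timestamp, user, event type) tuples as a SIEM export might provide.

```python
from datetime import datetime, timezone
# Constructed sample data (not from the procedure): HR termination notices and
# IdP audit events as a SIEM would hold them. Timestamps are ISO 8601 UTC.
TERMINATIONS = {
    "jdoe":   {"type": "involuntary", "notified": "2026-01-12T14:00:00Z"},
    "bkim":   {"type": "involuntary", "notified": "2026-01-12T10:00:00Z"},
    "asmith": {"type": "voluntary",   "notified": "2026-01-09T17:00:00Z"},
}
# Revocation SLA in minutes after notification (section 5.1); for voluntary
# leavers "notified" is assumed to hold the end of the last business day.
SLA_MINUTES = {"involuntary": 15, "voluntary": 0}
IDP_EVENTS = [  # (timestamp, user, event type); event names are assumed
    ("2026-01-12T14:09:30Z", "jdoe",   "user.deactivate"),
    ("2026-01-12T10:40:00Z", "bkim",   "user.deactivate"),       # 40 min: breach
    ("2026-01-09T16:55:00Z", "asmith", "user.deactivate"),
    ("2026-01-12T14:05:12Z", "jdoe",   "user.login.success"),    # before disable
    ("2026-01-13T08:12:44Z", "jdoe",   "user.login.success"),    # after disable
]

def parse_ts(s):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into a timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def deactivation_time(events, user):
    """Earliest IdP deactivation for the user, or None if never disabled."""
    times = [parse_ts(ts) for ts, u, kind in events
             if u == user and kind == "user.deactivate"]
    return min(times) if times else None

def revocation_report(events, terminations):
    """Per user: (minutes from notification to deactivation, sla_breached);
    a user with no deactivation event at all is reported as (None, True)."""
    report = {}
    for user, info in terminations.items():
        disabled = deactivation_time(events, user)
        if disabled is None:
            report[user] = (None, True)
            continue
        minutes = (disabled - parse_ts(info["notified"])).total_seconds() / 60
        report[user] = (minutes, minutes > SLA_MINUTES[info["type"]])
    return report

def post_termination_logins(events, terminations):
    """Successful logins after deactivation: a session or non-SSO application
    outlived the IdP disable, which section 8 says should never happen."""
    findings = []
    for ts, user, kind in sorted(events):
        disabled = deactivation_time(events, user) if user in terminations else None
        if kind == "user.login.success" and disabled is not None and parse_ts(ts) > disabled:
            findings.append((user, ts))
    return findings
```

A login that succeeds after the IdP deactivation usually points at a session not revoked in step 4 of section 5.3 or an application that is not behind SSO (step 6), so each finding should be traced back to that system.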
10. Exceptions
Exceptions to standard provisioning require:
- Written business justification
- Manager and Security approval
- Time-limited duration
- Enhanced monitoring
- Documentation in ticket
11. Related Documents
12. Version History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | IT Operations | Initial release |
This document is classified as INTERNAL. Unauthorized distribution is prohibited.