Onboarding and Offboarding Automation
Turn Workday status changes into same-day provisioning in Okta and Google Admin, and revoke access the moment someone leaves.
The problem
IT learns about hires and exits through tickets that arrive late or not at all. New employees wait days for accounts, and departed employees keep access far longer than any auditor would like. Every manual step is another chance to miss one.
How it runs on Neblex
Poll-based change detection watches Workday for worker events, catching new hires, transfers, and terminations through cursors and content hashing. A built-in Data Table maps department, role, and location to the groups, apps, and licenses each person should get, so IT edits a table instead of the flow.
For a hire, the flow fans out in parallel to Okta and Google Admin with bounded concurrency: account creation, group memberships, and mailbox setup run side by side. Requests for privileged access pause at an approval step in the task inbox, with SLA timers and business-hours-aware escalation so day one does not slip. If a downstream call fails, saga-style compensation unwinds the partial setup and the run can be replayed from the failed step.
For a termination, the same flow deactivates the Okta account and revokes Google sessions as soon as the event lands. Every action is recorded in a tamper-evident, hash-chained audit trail.
Step by step
Detect the HR event
Poll-based change detection picks up hires, transfers, and terminations in Workday.
Resolve the access profile
A Data Table lookup turns department and role into concrete groups, apps, and licenses.
Provision in parallel
Okta and Google Admin steps run as a parallel fan-out with bounded concurrency.
Approve privileged access
Sensitive grants pause for approval in the task inbox with SLA timers.
Revoke on exit
Termination events deactivate accounts and revoke sessions without waiting for a ticket.
Keep the audit record
A hash-chained audit trail and event-sourced run history document every grant and revocation.
Platform capabilities used
- Poll-based change detection
- Parallel fan-out with bounded concurrency
- Data Tables for lookup
- Approval steps with SLA timers
- Saga-style compensation
- Tamper-evident audit trail
Common questions
Can this reach systems inside our network?
Yes. On-Prem Workers run flows inside your own network over an outbound-only connection, so the flow can provision directory services and internal apps you never expose to the internet. For flows on On-Prem Workers, business data is processed inside your network.
What if provisioning fails halfway through?
Saga-style compensation unwinds the partial setup so you are not left with a half-provisioned account. Once the cause is fixed, the run replays from the exact step that broke.
How do we prove to auditors that access was removed?
Every run is event-sourced and every action lands in a tamper-evident, hash-chained audit trail. You can show exactly when a termination was detected and when each revocation completed.
Related use cases
New-Hire Provisioning
Start account creation, equipment requests, and a day-one welcome sequence in Slack the moment an offer is accepted in Greenhouse.
SecOpsAccess Anomaly Response
Detect unusual login and permission-change events, open an investigation, and suspend access pending human review with a full audit trail.
AgenticIT Access Review Agent
An agent reviews access requests against role and policy, approves routine ones under set guardrails, and routes ambiguous cases to a human with reasoning.
Want this running on your stack?
Neblex Integration Fabric is in beta: full platform, free while in beta. Bring this workflow and we will map it to your systems.