All use cases
IT & DevOps

Onboarding and Offboarding Automation

Turn Workday status changes into same-day provisioning in Okta and Google Admin, and revoke access the moment someone leaves.

WorkdayOktaGoogle Admin

The problem

IT learns about hires and exits through tickets that arrive late or not at all. New employees wait days for accounts, and departed employees keep access far longer than any auditor would like. Every manual step is another chance to miss one.

How it runs on Neblex

Poll-based change detection watches Workday for worker events, catching new hires, transfers, and terminations through cursors and content hashing. A built-in Data Table maps department, role, and location to the groups, apps, and licenses each person should get, so IT edits a table instead of the flow.

For a hire, the flow fans out in parallel to Okta and Google Admin with bounded concurrency: account creation, group memberships, and mailbox setup run side by side. Requests for privileged access pause at an approval step in the task inbox, with SLA timers and business-hours-aware escalation so day one does not slip. If a downstream call fails, saga-style compensation unwinds the partial setup and the run can be replayed from the failed step.

For a termination, the same flow deactivates the Okta account and revokes Google sessions as soon as the event lands. Every action is recorded in a tamper-evident, hash-chained audit trail.

Step by step

1

Detect the HR event

Poll-based change detection picks up hires, transfers, and terminations in Workday.

2

Resolve the access profile

A Data Table lookup turns department and role into concrete groups, apps, and licenses.

3

Provision in parallel

Okta and Google Admin steps run as a parallel fan-out with bounded concurrency.

4

Approve privileged access

Sensitive grants pause for approval in the task inbox with SLA timers.

5

Revoke on exit

Termination events deactivate accounts and revoke sessions without waiting for a ticket.

6

Keep the audit record

A hash-chained audit trail and event-sourced run history document every grant and revocation.

Platform capabilities used

  • Poll-based change detection
  • Parallel fan-out with bounded concurrency
  • Data Tables for lookup
  • Approval steps with SLA timers
  • Saga-style compensation
  • Tamper-evident audit trail

Common questions

Can this reach systems inside our network?

Yes. On-Prem Workers run flows inside your own network over an outbound-only connection, so the flow can provision directory services and internal apps you never expose to the internet. For flows on On-Prem Workers, business data is processed inside your network.

What if provisioning fails halfway through?

Saga-style compensation unwinds the partial setup so you are not left with a half-provisioned account. Once the cause is fixed, the run replays from the exact step that broke.

How do we prove to auditors that access was removed?

Every run is event-sourced and every action lands in a tamper-evident, hash-chained audit trail. You can show exactly when a termination was detected and when each revocation completed.

Want this running on your stack?

Neblex Integration Fabric is in beta: full platform, free while in beta. Bring this workflow and we will map it to your systems.