Secure removal of access rights and accounts when leaving or changing roles
Explanation of terms
Deprovisioning refers to the process by which digital identities and access rights are withdrawn in a controlled manner, e.g. when an employee leaves the company or moves to a new role. The aim is to prevent unauthorized access to systems, data and applications.
Why is deprovisioning important?
Deprovisioning is a central component of identity lifecycle management. It ensures that user accounts and access rights are removed or deactivated as soon as they are no longer required. If this step is neglected, security risks arise such as orphaned accounts, excessive authorizations or unmonitored user access, which are ideal entry points for attackers or malicious insiders. In addition, timely deprovisioning is essential in order to meet compliance requirements from standards such as ISO 27001, SOX or GDPR.
When is deprovisioning necessary?
Deprovisioning should take place in the following situations:
- When an employee leaves the company
- After completion of a project or temporary assignment
- When an employee changes roles and the access requirements change
- When decommissioning service accounts, test or temporary accounts
In these cases, all rights should be revoked, passwords changed and, if necessary, the account deactivated to prevent misuse.
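The situations listed above can be checked with a periodic reconciliation of the account inventory against HR data. The following is an added example, not part of the original page. The record layout, the role model and all names and dates are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumption): HR roster, role model, account inventory.
HR = {"alice": ("active", "finance"), "bob": ("left", None),
      "carol": ("active", "engineering")}
ROLES = {"finance": {"erp", "mail"}, "engineering": {"git", "mail"}}

def acct(id_, owner, kind, grants, enabled=True, expires=None):
    """Build one inventory record (hypothetical layout)."""
    return {"id": id_, "owner": owner, "kind": kind, "grants": set(grants),
            "enabled": enabled, "expires": expires}

ACCOUNTS = [
    acct("alice", "alice", "user", {"erp", "mail"}),
    acct("bob", "bob", "user", {"git", "mail"}),           # leaver, still enabled
    acct("carol", "carol", "user", {"git", "mail", "erp"}),  # moved from finance
    acct("tmp-migration", "carol", "temporary", {"erp"},
         expires=date(2024, 3, 31)),                        # project has ended
    acct("svc-legacy-report", "dave", "service", {"erp"}),  # owner not in HR
    acct("erin", "erin", "user", set(), enabled=False),     # already deactivated
]

def audit(accounts, hr, roles, today):
    """Return (account id, reason) for every enabled account that should
    have been deprovisioned or trimmed."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # a deactivated account needs no further action here
        status, role = hr.get(a["owner"], ("unknown", None))
        if status != "active":
            # Leaver, or nobody responsible any more: orphaned account
            findings.append((a["id"], "orphaned: owner " + status))
        elif a["expires"] and a["expires"] < today:
            # Project, test or temporary account past its end date
            findings.append((a["id"], "expired"))
        elif a["kind"] == "user":
            # Role change: rights kept beyond what the current role needs
            extra = a["grants"] - roles.get(role, set())
            if extra:
                findings.append((a["id"], "excess: " + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for account_id, reason in audit(ACCOUNTS, HR, ROLES, date(2024, 6, 1)):
        print(account_id, "->", reason)
```

Each finding maps to one of the actions named above: revoke the excess rights, rotate the credentials, or deactivate the account.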