Secure removal of access rights and accounts upon departure or change of role

Definition of terms

Deprovisioning refers to the process of controlled withdrawal of digital identities and access rights, e.g., when an employee leaves the company or changes to a new role. The aim is to prevent unauthorized access to systems, data, and applications.

Why is deprovisioning important?

Deprovisioning is a key component of identity lifecycle management. It ensures that user accounts and access rights are removed or deactivated as soon as they are no longer needed. Neglecting this step creates security risks such as orphaned accounts, excessive permissions, or unmonitored user access, which are ideal entry points for attackers or malicious insiders. In addition, timely deprovisioning is essential to meet compliance requirements from standards such as ISO 27001, SOX, or GDPR.

When is deprovisioning necessary?

Deprovisioning should take place in the following situations:

  • When an employee leaves the company
  • After completion of a project or temporary assignment
  • When roles or access requirements change
  • When deactivating service accounts, test accounts, or temporary accounts

In such cases, all rights should be revoked, passwords changed, and, if necessary, the account deactivated to prevent misuse.
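
The situations listed above can be checked mechanically by comparing the account inventory against HR data. The following is an added example, not part of the original page; the record layout, role baseline, and account names are constructed assumptions, not the export format of any real HR or directory system.

```python
from datetime import date

# Constructed sample data; the schema is an assumption for illustration only.
HR = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "terminated", "role": "engineering"},
    "carol": {"status": "active", "role": "engineering"},  # recently moved from finance
}
ROLE_BASELINE = {"finance": {"erp", "mail"}, "engineering": {"git", "mail"}}

def account(acct_id, owner, kind, grants, expires=None, enabled=True):
    return {"id": acct_id, "owner": owner, "type": kind, "grants": set(grants),
            "expires": expires, "enabled": enabled}

ACCOUNTS = [
    account("alice", "alice", "user", {"erp", "mail"}),
    account("bob", "bob", "user", {"git", "mail"}),
    account("carol", "carol", "user", {"git", "mail", "erp"}),
    account("svc-migration", "dave", "service", {"erp"}),  # owner unknown to HR
    account("tmp-audit", "alice", "temporary", {"erp"}, expires=date(2024, 3, 31)),
    account("erin", "erin", "user", {"mail"}, enabled=False),  # already deactivated
]

def find_deprovisioning_candidates(accounts, hr, baseline, today):
    """Return (account id, action) pairs for accounts that still need deprovisioning."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # nothing left to revoke
        owner = hr.get(acct["owner"])
        if owner is None or owner["status"] != "active":
            # Departure, or an orphaned account with no accountable owner.
            findings.append((acct["id"], "disable: owner has left or is unknown"))
        elif acct["expires"] is not None and acct["expires"] < today:
            # Project, test or temporary account past its end date.
            findings.append((acct["id"], "disable: assignment ended"))
        elif acct["type"] == "user":
            # Role change: rights beyond what the current role allows.
            excess = acct["grants"] - baseline.get(owner["role"], set())
            if excess:
                findings.append((acct["id"], "revoke: " + ", ".join(sorted(excess))))
    return findings

if __name__ == "__main__":
    for acct_id, action in find_deprovisioning_candidates(
            ACCOUNTS, HR, ROLE_BASELINE, date(2024, 6, 1)):
        print(f"{acct_id:15} {action}")
```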