Quick Summary: When HR can't move fast enough, Oleria, an AI-native identity security & governance platform, enables emergency offboarding access removal by letting IAM admins instantly revoke access across every connected app — no HRIS event required.
HR systems sometimes lag the actual departure. A surprise termination fires Friday afternoon; HR's offboarding ticket lands Tuesday. Three business days of standing access. A contractor's project ends earlier than the contract end date HRIS has on record. A security incident demands immediate access removal; the standard HR offboarding flow is too slow. Most identity tools wait for HRIS to flip the termination flag — security teams have no path to fire the leaver workflow themselves.
The result: the highest-risk offboarding scenarios run on the slowest path. The audit gap is real — and any incident that requires immediate access removal exposes the gap publicly.
Manual leaver designation is deterministic, not AI-driven. The intelligence is in the access graph — which apps, groups, and NHIs the employee touches. Once designated, revocation runs the same connector-aware, fault-tolerant engine that powers HRIS-triggered offboarding.
Time from termination decision to access removal Days → minutes
Manual offboarding tickets to IT Eliminated for connected apps
Audit gap on emergency offboarding Eliminated
Brittleness when HRIS lags Eliminated
Voluntary resignations typically follow the HRIS-triggered scheduled-leaver path — HR records the end date, the offboarding workflow runs on schedule, access wraps up cleanly. Manual designation is the override for cases where the standard path is too slow: surprise terminations, security incidents, contractor end dates that beat HRIS. Both produce audit-grade revocation; the difference is timing and trigger.
Same as D-23 (HRIS-triggered leaver): every connected app, every group membership, every NHI owned by the leaver flagged for re-attribution. Sessions logged out where the connector supports it. ITSM tickets auto-created for non-write integrations. The revocation surface is the full access graph, not a partial set.
Correlation window catches duplicates. When HRIS eventually flips the termination flag, Oleria checks for an existing matching workflow within the correlation window. If a manually-designated workflow exists, no duplicate fires. Audit captures both signals — the manual designation (with reason) and the eventual HRIS confirmation — so security and HR records reconcile cleanly without operator action.
IAM admin role; configurable per-organization. Higher-tier override may be required for senior employees or specific identity classes. Per-organization RBAC determines who can fire — typically a small group on the IAM team with security-incident-response responsibilities.
Same end state: full revocation across connected apps, group memberships removed, NHIs flagged for re-attribution, ITSM tickets fired for non-write integrations. The differences are who fires the workflow (IAM admin from the Oleria console, not HRIS) and the timing (immediate, not on the HRIS-triggered scheduled-leaver cadence). Audit distinguishes manual designations from HRIS-triggered for follow-up.
Surprise terminations, security incidents, contractor end dates that beat HRIS, post-acquisition departures before the new HRIS feed catches up, and any case where waiting for HRIS introduces unacceptable risk. The manual path runs the same revocation engine as the HRIS-triggered leaver workflow but with no scheduled delay.
