How to Deprovision a Pope in 6 Easy Steps

By Ian Glazer | February 12, 2013 | 13 Comments

Recent announcements got me thinking about how to deprovision executives such as a Pope. Never had to deprovision a Pope before? No worries. We’ve come up with a sure-fire 6 step process guaranteed to help you help your Pope incur a separation from payroll.

Step 1 – Listen to HR

In order to kick off the deprovisioning process, ensure that the user provisioning system can, in fact, know that someone has left the organization; the most common way to do that is to “listen” to the HR system. Got that set up? Good. Oh wait, did HR actually submit his status change as ‘Abdicated?’ Does the user provisioning system actually know how to process an ‘Abdicated’ status code instead of ‘Terminated?’ Say a Hail Mary and proceed to Step 2.

Step 2 – Disassociate said Pope from super-user accounts

Assuming the user provisioning system knows that your Pope is abdicating, the next step is to make sure he doesn’t “own” any god-like, privileged accounts such as root, domain administrator, SYSOPER, etc. You’d hate it if, whilst processing the deprovisioning event, the user provisioning system wiped out a crucial (and often really hard to recover) account. Run a report to check whether your Pope owns any privileged accounts, and if he does, reassign ownership to someone else before the deprovisioning event fires.

Step 3 – Do Not Delete!

The thing is – you don’t actually want to delete your Pope’s accounts when he abdicates. That would be really really bad. Why? Because all of his emails, the animated gifs of cats he collected, and all other work (and non-work) related stuff needs to go into the special archive where Pope-related materials go for later study. To prevent loss of future discoveries such as the Pope’s draft for a vampire ninja manga, make sure the user provisioning system sends ‘suspend’ verbs instead of ‘delete.’

Step 4 – Wait and See

You’ve got two weeks before your Pope abdicates. Now would be a good time to crank up the monitoring – just in case. Your Pope was a beloved leader but, let’s face it, if he walks off the job with the entire donor list and sells it to a multi-tiered marketing firm, the outraged donors will be coming after information security.

Step 5 – Untangle workflow

Your Pope was kind enough to give you two weeks notice. This is not only polite but very much needed. You should spend those two weeks identifying where the Pope is a workflow approver and removing him from those workflows. You do not want a new hire’s request for the keys to the kingdom waiting on your Pope’s approval. Don’t forget those segregation of duty violation workflows either. And access certifications. And… well, you’ll be busy in those two short weeks.

Step 6 – Cake. Cards. Credentials.

On the day your Pope leaves, throw him a party. Lots of cake for everyone, and make sure the ratio of cake to people is correct. Make sure there are multiple heartfelt cards wishing him well in his new endeavors. Meanwhile, as the user provisioning system is instructing its connectors to suspend (and not delete) his accounts, make sure to tactfully ask for your Pope’s smart cards, hardware OTP tokens, and any other credential materials you issued him. Yes, the user provisioning system will sweep up the mess, but it’s just good form to recover those IT assets, and the boys and girls in Accounting will thank you later. Oh, and don’t forget the things the provisioning system won’t likely clean up, such as access to shared social media accounts. Last minute, sugary cake-induced tweets can be surprising, at best.
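The six steps above, run end to end as a leaver workflow. This is an added illustration written for this page, not code from the post or from any real provisioning product: the HR status codes, the privileged account list, the directory contents, the approver table and the issued credential serials are all constructed sample data. Step 1 refuses to silently swallow a status code it was never taught (the ‘Abdicated’ problem), Step 2 reassigns privileged accounts before the suspend pass so they are never touched, Step 3 suspends rather than deletes, Step 4 flags large exports during the notice period, Step 5 re-points workflows that would otherwise wait on the leaver, and Step 6 reports which issued credentials did not come back.

```python
"""Leaver (deprovisioning) workflow following the post's six steps.

Added example with constructed data; not the post's or any product's code.
"""
from dataclasses import dataclass, field

# Step 1: HR status codes this pipeline treats as a leaver event (constructed).
# Anything else that is not "Active" raises, so an unmapped code is visible
# instead of being dropped on the floor.
LEAVER_STATUS_CODES = {"Terminated", "Resigned", "Abdicated", "Retired"}

# Step 2: account names treated as god-like (constructed list).
PRIVILEGED_ACCOUNT_NAMES = {"root", "Administrator", "SYSOPER"}


@dataclass
class Account:
    system: str
    name: str
    owner: str
    state: str = "active"  # "active" or "suspended"; a leaver is never "deleted"


@dataclass
class Directory:
    """In-memory stand-in for what the provisioning system manages."""
    accounts: list
    approvers: dict            # workflow name -> approver user id
    issued_credentials: dict   # user id -> list of credential serials
    audit: list = field(default_factory=list)


def hr_event_is_leaver(event):
    """Step 1: decide whether an HR status change starts deprovisioning."""
    status = event["status"]
    if status == "Active":
        return False
    if status not in LEAVER_STATUS_CODES:
        raise ValueError(f"unmapped HR status code: {status!r}")
    return True


def flag_notice_period_activity(events, user, bytes_threshold):
    """Step 4: flag exports by the leaver larger than a threshold.
    Events are constructed dicts of the form {"user", "action", "bytes"}."""
    return [e for e in events
            if e["user"] == user and e["action"] == "export"
            and e["bytes"] > bytes_threshold]


def deprovision(directory, user, hr_event, successor, recovered_credentials):
    """Steps 2, 3, 5 and 6, in that order. Returns a report for the audit trail."""
    if not hr_event_is_leaver(hr_event):
        return None
    report = {"reassigned": [], "suspended": [],
              "workflows_reassigned": [], "outstanding_credentials": []}

    # Step 2: move privileged accounts to a successor BEFORE the suspend pass,
    # so the next loop never sees them as owned by the leaver.
    for acct in directory.accounts:
        if acct.owner == user and acct.name in PRIVILEGED_ACCOUNT_NAMES:
            acct.owner = successor
            report["reassigned"].append(f"{acct.system}:{acct.name}")

    # Step 3: suspend (never delete) everything the leaver still owns.
    for acct in directory.accounts:
        if acct.owner == user:
            acct.state = "suspended"
            report["suspended"].append(f"{acct.system}:{acct.name}")

    # Step 5: re-point every workflow where the leaver is the approver, so no
    # pending request waits on someone who has left.
    for workflow, approver in list(directory.approvers.items()):
        if approver == user:
            directory.approvers[workflow] = successor
            report["workflows_reassigned"].append(workflow)

    # Step 6: issued minus recovered = what still needs to be handed back.
    issued = set(directory.issued_credentials.get(user, []))
    report["outstanding_credentials"] = sorted(issued - set(recovered_credentials))

    directory.audit.append((user, hr_event["status"], report))
    return report


def build_sample_directory():
    """Constructed sample data for the example."""
    return Directory(
        accounts=[
            Account("mail", "pope", "pope"),
            Account("unix-vault", "root", "pope"),
            Account("ad", "Administrator", "pope"),
            Account("ad", "cardinal1", "cardinal1"),
        ],
        approvers={"new-hire-access": "pope",
                   "sod-violation-review": "pope",
                   "expense-approval": "cardinal1"},
        issued_credentials={"pope": ["smartcard-0042", "otp-token-0007"]},
    )


if __name__ == "__main__":
    d = build_sample_directory()
    event = {"user": "pope", "status": "Abdicated"}   # constructed HR event
    print(deprovision(d, "pope", event, "sysadmin", ["otp-token-0007"]))
```

The ordering is the point: the privileged-account reassignment runs before the suspend pass, so `root` and `Administrator` end the run active and owned by the successor, while the mailbox is suspended and still present for the archive. The report lists `smartcard-0042` as outstanding because only the OTP token was handed back at the party.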

So the next time your Pope, CEO, President, or Grand Poohbah moves on to greener pastures, be sure to follow our easy 6 step process for a safe and successful deprovisioning.


  • Jackson Shaw says:

    Ian – Seriously funny. Will there be a follow-up on provisioning a new Pope? Lots of workflow, compliance and SoD checks envisioned!

  • Ian Glazer says:

    Thanks Jackson. Hadn’t thought of making this a series. ‘The Pope’s Guide to User Provisioning’ a la Dick and Jane books. See Cardinal. See Cardinal become Pope. Go Pope go!

  • Dave Kearns says:

    Ian –

    Popes don’t “abdicate” (that’s reserved for royalty. And one normally abdicates in favor of someone else. See recent news re: Queen Beatrix). Popes “resign” – it’s a provision of Canon Law.

    Some CEO’s do abdicate, though, while some resign and others are simply shown the door. Does the method of leaving impact de-provisioning? (yes, yes it does)…

  • Robin Wilton says:

    With great respect… Tom Lehrer had a much simpler process:

    “Do what ever steps you want, if
    you have cleared them with the Pontiff…”

  • I like the fact that not only do they remove from SuperUser they smelt the rings, seals and all other credentials, same as if he were dead …

  • I liked the Office Space Milton reference. Make sure to snag the Pope’s Swingline Stapler.

  • Ian Glazer says:

    @Jimmy – you win a prize to be named later for being the first person to comment on the Office Space reference. Well played, sir.

  • Ian Glazer says:

    @Sal – now that is deprovisioning. When I leave an org, I want my hardware OTP smelted.

  • Don’t forget physical assets! The pointy pope hat, gold staff, and those fancy shoes are all property of the church. He can probably keep his iPhone.

  • Ian Glazer says:

    @Steve – good point about the physical assets. Although the Vatican might have a BYOD policy, I doubt they have a BYO miter hat policy.

  • Ian Glazer says:

    @dak – totally correct – jumping versus being pushed completely changes, at the least, the urgency of deprovisioning and most likely changes the method as well.

  • Paul Webster says:

    Also a case to be made to show the distinction between role and person … it is the person who is leaving while the role continues – although suspended for a while until the white smoke emerges.

    Given that the old pope will not be leaving the premises for a while, even after the new one is appointed, then even more important that privileges are aligned with the role and not the individual.

    At the point where the old pope loses infallibility then approval workflows will need to be put in place as demands become requests!

  • Ian Glazer says:

    @paul – you are on point about the distinction between role and person. I love the notion of revoking infallibility; there’s an SPML message you don’t see very often.