Skip to content
d-centralize handbook

Offboarding an employee

  • These steps are performed by a d-centralize admin to offboard an existing employee.

Removing a user

Section titled “Removing a user”

When a contract has ended, perform the following actions to properly disable access and relieve the employee of any responsibilities.

The onboarding sync tool reaps several of these. In onboarding/users.yaml drop cuda-dev / wireguard from the user’s services (and clear vpn_devices), then run uv run sync_users.py --apply: this deletes their cuda-dev container(s) and VPN peer(s), and removing them from users.yaml entirely reaps their Vaultwarden membership. mailcow and Keycloak are add-only, so disable those manually below.

  • Key agreement: draft a key returned agreement using inContract.
  • Remove the user from the Loqed app.
  • Mailcow account: Set account to inactive. User can not log in, email can also not be delivered anymore. Delete user a year later.
  • Keycloak: log in to Keycloak admin, select the d-centralize realm, and disable the user under Users so SSO-backed services stop accepting new logins.
  • Mattermost: manage members through https://mattermost.d-centralize.nl/admin_console/user_management/users. Deactivate account. Delete profile a year later.
  • Mail Inphos support to remove access to Wi-Fi login and service portal.
  • GitLab: block the user through https://gitlab.d-centralize.nl/admin/users. Delete user a year later.
  • Clockify: Deactivate user from team, one year later, remove user.
  • Vaultwarden: login as admin. Organisations, select dc, members. Revoke access of user, remove user a year later.
  • VPN: drop wireguard from their services (and clear vpn_devices) and run uv run sync_users.py --service wireguard --apply — WireGuardSync removes the router peer(s) and the Bitwarden item(s).
  • Nextcloud: On the user list, select “Disable account”, remove user a year later.
  • cuda-dev box: drop cuda-dev from their services and run uv run sync_users.py --service cuda-dev --apply — CudaDevSync deletes the dev-<localpart> container(s) on every host and the Bitwarden SSH-key item. (Any legacy shell account on the hosts is removed with sudo deluser --remove-home <first name> on cuda-dev / cuda-dev2.)