Offboarding & Deprovisioning Checklist

Build an internal tool that fires the moment a departure is logged: it pulls everything the leaver can access and everything they were issued, generates a risk-ranked revoke/recover checklist, and tracks every item to confirmed completion - so no account, app, laptop, badge, or key ever stays open after someone walks out the door.

Intermediate | A weekend | Builds on: Next.js (App Router) on Vercel; Supabase (Postgres, Storage, Auth + RLS); Resend (assignment notifications, reminders, completion alerts)

What you'll build

A login-protected offboarding tool: log a departure and it assembles every bit of access and every asset the leaver holds, generates a risk-ranked revoke/recover checklist (admin and finance access first), routes it for a security/IT lead to review and confirm each item, enforces mandatory items before the leaver can be closed, dedupes on leaver ID so nobody is offboarded twice, and produces an offboarding report plus a CSV of revocation tasks ready for your IAM/identity team.

Before you start

  • A free Vercel account
  • A free Supabase account
  • A free Resend account (and a sender address you can use)
  • An access register - who has access to which systems/apps (CSV/Google Sheet)
  • An asset register - which laptops/badges/keys/phones are assigned to whom (CSV/Google Sheet)
  • A departures list with each person's last day (CSV/Google Sheet)

The problem this kills

Someone leaves the company. HR knows on Tuesday, IT finds out on Friday, and three weeks later a security review turns up the leaver's account still active in the finance system, their admin login still working, a company laptop nobody got back, and a building badge that still opens the side door. Nobody did anything wrong on purpose - the offboarding just lived in five different heads, a couple of email threads, and a checklist someone forgot to finish.

Offboarding is the most dangerous gap in most companies. The person you're removing knew where things were and had real access - and every day an account stays live after they leave is a day a former employee (or anyone who gets hold of their password) can get in. The work is genuinely hard to track: their access is scattered across a dozen apps, their assets are scattered across desks and drawers, and "is it actually shut off?" gets answered with a shrug. The same departure gets half-processed twice, the risky stuff (admin, finance, customer data) gets treated the same as the low-risk stuff, and when the auditor asks "prove this person's access was fully revoked," you can't.

This tool turns offboarding from a scramble into a closed loop: log the departure, see everything they hold, work down a risk-ranked list, confirm each shutdown, and prove it's done.

What you'll build

A small internal web app, just for your team, that:

  • Lets you log a departure - the leaver, their last day, and reason - and instantly treats it as the trigger for everything else.
  • Reads your access register and your asset register and assembles the full picture: every system/app the leaver can reach, and every laptop, badge, key, phone, or device they were issued.
  • Generates the offboarding checklist automatically - a revoke task for each access item, a recover task for each asset, plus reassign-data tasks where the leaver owned files, mailboxes, or records.
  • Ranks the checklist by risk so the scary stuff goes first: admin rights, finance and payroll systems, customer data, and anything that opens a door get worked before the low-risk items.
  • Routes the checklist to a security/IT lead who reviews and confirms each revocation and recovery before it's marked complete - the tool tracks, a human confirms.
  • Enforces mandatory items: the leaver can't be marked fully offboarded until every critical item is confirmed done.
  • Dedupes on leaver ID so the same person can't be offboarded twice in parallel.
  • Produces a clean offboarding report per leaver and a CSV of revocation tasks in the exact columns your IAM/identity team expects.
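
The checklist logic listed above, in JavaScript to match the Next.js stack (an added example, not code from the runbookify plan): it assembles revoke/recover tasks from two registers, ranks them by risk, dedupes on leaver ID, and blocks close while critical items are unconfirmed. The registers are constructed sample data, and the tier mapping, the "tiers 0-1 are critical" rule, and all function names are assumptions.

```javascript
// Constructed sample registers (hypothetical IDs, systems and asset tags).
const accessRegister = [
  { employeeId: "E-1042", system: "Wiki", category: "standard" },
  { employeeId: "E-1042", system: "Payroll", category: "finance" },
  { employeeId: "E-1042", system: "Cloud console", category: "admin" },
  { employeeId: "E-2001", system: "CRM", category: "customer_data" },
];
const assetRegister = [
  { employeeId: "E-1042", tag: "LT-0093", type: "laptop" },
  { employeeId: "E-1042", tag: "BDG-551", type: "badge" },
];
// Assumed risk tiers (lower is worked first); tiers 0-1 block close.
const TIER = { admin: 0, finance: 0, customer_data: 1, badge: 1, key: 1 };
const tierOf = (kind) => TIER[kind] ?? 2;

// One revoke task per access row, one recover task per asset, riskiest first.
function buildChecklist(leaverId, access, assets) {
  const task = (action, target, kind) => ({
    action, target, tier: tierOf(kind), critical: tierOf(kind) <= 1,
    confirmedBy: null, confirmedAt: null,
  });
  return [
    ...access.filter((a) => a.employeeId === leaverId).map((a) => task("revoke", a.system, a.category)),
    ...assets.filter((a) => a.employeeId === leaverId).map((a) => task("recover", a.tag, a.type)),
  ].sort((x, y) => x.tier - y.tier || x.target.localeCompare(y.target));
}

// Dedupe on leaver ID: logging the same person again returns the open record.
function logDeparture(store, leaverId, lastDay) {
  if (!store.has(leaverId)) {
    const tasks = buildChecklist(leaverId, accessRegister, assetRegister);
    store.set(leaverId, { leaverId, lastDay, status: "open", tasks });
  }
  return store.get(leaverId);
}

// Human gate: a task is only marked done with a named reviewer and a timestamp.
function confirmTask(record, target, reviewer) {
  const t = record.tasks.find((x) => x.target === target);
  if (!t || !reviewer) throw new Error("unknown task or missing reviewer");
  Object.assign(t, { confirmedBy: reviewer, confirmedAt: new Date().toISOString() });
}

// Mandatory-items rule: close only when every critical task is confirmed.
function closeLeaver(record) {
  const open = record.tasks.filter((t) => t.critical && !t.confirmedBy);
  if (open.length === 0) record.status = "closed";
  return { closed: open.length === 0, blocking: open.map((t) => t.target) };
}
```

In the real build the dedupe would be a unique constraint on the leaver ID in Postgres rather than an in-memory Map, so two parallel requests cannot both create a record.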

What's inside the Implementation Plan

The plan is a single markdown file you paste into Claude Code (a free AI coding agent). It walks the agent through building the whole tool, step by step, each step ending with a ready-to-paste prompt - no coding knowledge needed on your part.

The most important part: the plan opens by interviewing you about your business. Before it writes a single line, the agent asks how departures reach you today, who runs offboarding, what's in your access and asset registers, how your data is named and coded (employee IDs, system names, asset tags), your typical and peak volumes, exactly what counts as a "critical" item that blocks close, and your messy edge cases (a contractor with no manager, a shared admin login, a leaver who owned a key spreadsheet, a same-day involuntary exit). It reads a short tailored spec back to you, you confirm it, and only then does it build - so you get a tool shaped to your offboarding process, not a generic template you have to fight.

Inside you'll find:

  • The discovery interview and how the agent turns your answers into the data model.
  • The full build: database, login, the departure log, the assembler that pulls access + assets, the risk-ranking engine, the checklist screens, the human confirm gate, the mandatory-items rule, the email flow, and the report + CSV export.
  • The hard human-in-the-loop confirmation gate and the "can't close until critical items are done" enforcement.
  • Verification steps so you can prove it works, and the CSV-export fallback so it's fully usable today - even before you connect it to your identity or HR system.

The governance it includes (this is the point)

This isn't a toy. The plan builds in the controls an IT security team actually needs:

  • Login so only your team can see or touch anything.
  • Row-level security so people only ever see their own organization's offboarding data.
  • A complete audit trail - every departure logged, every task generated, every confirmation, every reassignment, with who and when.
  • A hard human-in-the-loop gate - the AI assembles and drafts the checklist, but a security/IT lead must confirm each revocation and recovery; nothing is marked done automatically, and critical items must be confirmed before the leaver can be closed.
  • Duplicate guards so the same leaver can't be offboarded twice and the same task isn't processed twice.

Who it's for

IT security and IAM (identity & access management) coordinators, IT help-desk staff, HR / people-ops who kick off departures, and facilities teams responsible for recovering badges, keys, and assets. If your offboarding lives in scattered checklists and email threads, if accounts stay live for weeks after people leave, and if you could never prove a leaver was fully shut down - this is for you. You don't need to write code or buy a heavyweight identity platform. You need your access register, your asset register, your departures list, and an afternoon-to-a-weekend.

You've got this - paste the first prompt and let the agent interview you.
