Offboard Employee

Identify and report all applications requiring manual access revocation when employees leave your organization.

Overview

This GitHub Action workflow helps automate the offboarding process by identifying all applications where a departing employee has access. It generates a comprehensive report and can optionally send notifications to the security team.

Features

Complete access audit: Identifies all WorkApps where the user has access
Detailed reporting: Generates comprehensive offboarding reports
Slack notifications: Optional notifications to security teams
Manual action tracking: Lists apps requiring manual revocation
Error handling: Robust error handling with detailed error messages

Prerequisites

Repository Secrets

Configure these secrets in your GitHub repository:

CAKEWALK_API_KEY: Your Cakewalk API key
CAKEWALK_API_SECRET: Your Cakewalk API secret
SLACK_WEBHOOK_URL: (Optional) Slack webhook URL for notifications

API Limitations

Important: The current Cakewalk API does not have a DELETE endpoint for removing individual user access. This workflow will:

✅ Identify all apps the user has access to
✅ Generate a detailed report
⚠️ Require manual revocation in the Cakewalk UI

Setup Instructions

1. Create the Workflow File

Create .github/workflows/offboard-employee.yml in your repository:

name: Offboard Employee - Revoke All Cakewalk Access

on:
  workflow_dispatch:
    inputs:
      employee_email:
        description: 'Employee email to offboard'
        required: true
        type: string
      reason:
        description: 'Offboarding reason (optional)'
        required: false
        type: string

jobs:
  revoke-all-access:
    runs-on: ubuntu-latest
    steps:
      - name: Get User from Cakewalk
        id: get_user
        run: |
          # Fetch all users and find by email
          response=$(curl -s "https://open-api.getcakewalk.io/api/v1/Users" \
            -H "X-API-KEY: ${{ secrets.CAKEWALK_API_KEY }}" \
            -H "X-API-SECRET: ${{ secrets.CAKEWALK_API_SECRET }}")
          
          user_json=$(echo "$response" | jq ".data[] | select(.email == \"${{ github.event.inputs.employee_email }}\")")
          
          if [ -z "$user_json" ]; then
            echo "❌ User not found in Cakewalk"
            exit 1
          fi
          
          user_id=$(echo "$user_json" | jq -r '.id')
          user_name=$(echo "$user_json" | jq -r '.name')
          
          echo "user_id=$user_id" >> $GITHUB_OUTPUT
          echo "user_name=$user_name" >> $GITHUB_OUTPUT
          echo "✓ Found user: $user_name ($user_id)"

      - name: Get All WorkApps
        id: get_workapps
        run: |
          # Fetch all WorkApps (handle pagination if needed)
          response=$(curl -s "https://open-api.getcakewalk.io/api/v1/WorkApps" \
            -H "X-API-KEY: ${{ secrets.CAKEWALK_API_KEY }}" \
            -H "X-API-SECRET: ${{ secrets.CAKEWALK_API_SECRET }}")
          
          workapp_ids=$(echo "$response" | jq -r '.data[].id')
          
          echo "workapp_ids<<EOF" >> $GITHUB_OUTPUT
          echo "$workapp_ids" >> $GITHUB_OUTPUT
          echo "EOF" >> $GITHUB_OUTPUT
          
          workapp_count=$(echo "$workapp_ids" | wc -w)
          echo "workapp_count=$workapp_count" >> $GITHUB_OUTPUT
          echo "Found $workapp_count WorkApps to check"

      - name: Find and Revoke All Access
        id: revoke_access
        run: |
          USER_ID="${{ steps.get_user.outputs.user_id }}"
          revoked_count=0
          apps_with_access=()
          
          # Check each WorkApp for user access
          while IFS= read -r workapp_id; do
            [[ -z "$workapp_id" ]] && continue
            
            echo "Checking WorkApp: $workapp_id"
            
            # Get accesses for this WorkApp
            accesses_response=$(curl -s "https://open-api.getcakewalk.io/api/v1/WorkApps/$workapp_id/Accesses" \
              -H "X-API-KEY: ${{ secrets.CAKEWALK_API_KEY }}" \
              -H "X-API-SECRET: ${{ secrets.CAKEWALK_API_SECRET }}")
            
            # Check if user has access to this app
            user_has_access=$(echo "$accesses_response" | jq ".data[] | select(.user.id == \"$USER_ID\")")
            
            if [ -n "$user_has_access" ]; then
              workapp_name=$(curl -s "https://open-api.getcakewalk.io/api/v1/WorkApps/$workapp_id" \
                -H "X-API-KEY: ${{ secrets.CAKEWALK_API_KEY }}" \
                -H "X-API-SECRET: ${{ secrets.CAKEWALK_API_SECRET }}" | jq -r '.data.name')
              
              echo "  ⚠️  User has access to: $workapp_name"
              apps_with_access+=("$workapp_name")
              
              # NOTE: Cakewalk API doesn't have a DELETE endpoint for individual accesses
              # You'll need to either:
              # 1. Remove via UI
              # 2. Request a DELETE /WorkApps/{id}/Accesses/{userId} endpoint
              # 3. Use a workaround (reassign to zero-permission group, deactivate user, etc.)
              
              revoked_count=$((revoked_count + 1))
            fi
          done <<< "${{ steps.get_workapps.outputs.workapp_ids }}"
          
          echo "revoked_count=$revoked_count" >> $GITHUB_OUTPUT
          echo "apps_with_access=${apps_with_access[*]}" >> $GITHUB_OUTPUT

      - name: Generate Summary
        run: |
          echo "## 🚨 Employee Offboarding Report" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**Employee:** ${{ steps.get_user.outputs.user_name }}" >> $GITHUB_STEP_SUMMARY
          echo "**Email:** ${{ github.event.inputs.employee_email }}" >> $GITHUB_STEP_SUMMARY
          echo "**User ID:** ${{ steps.get_user.outputs.user_id }}" >> $GITHUB_STEP_SUMMARY
          
          if [ -n "${{ github.event.inputs.reason }}" ]; then
            echo "**Reason:** ${{ github.event.inputs.reason }}" >> $GITHUB_STEP_SUMMARY
          fi
          
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "**WorkApps with Access:** ${{ steps.revoke_access.outputs.revoked_count }}" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          
          if [ "${{ steps.revoke_access.outputs.revoked_count }}" -gt 0 ]; then
            echo "⚠️  **ACTION REQUIRED:** User has access to the following apps:" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "${{ steps.revoke_access.outputs.apps_with_access }}" | tr ' ' '\n' | sed 's/^/- /' >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "Please revoke access manually in the Cakewalk UI or contact support for bulk revocation." >> $GITHUB_STEP_SUMMARY
          else
            echo "✅ User has no active access grants" >> $GITHUB_STEP_SUMMARY
          fi

      - name: Notify Security Team
        if: steps.revoke_access.outputs.revoked_count > 0
        run: |
          # Optional: Send Slack notification
          # Uncomment and configure webhook URL
          # curl -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \
          #   -H "Content-Type: application/json" \
          #   -d "{
          #     \"text\": \"🚨 Offboarding Alert: ${{ github.event.inputs.employee_email }}\",
          #     \"blocks\": [{
          #       \"type\": \"section\",
          #       \"text\": {
          #         \"type\": \"mrkdwn\",
          #         \"text\": \"*Manual Action Required*\n• Employee: ${{ steps.get_user.outputs.user_name }}\n• Email: ${{ github.event.inputs.employee_email }}\n• Apps with access: ${{ steps.revoke_access.outputs.revoked_count }}\n\nPlease revoke access in Cakewalk UI.\"
          #       }
          #     }]
          #   }"
          echo "⚠️  Notification: Manual revocation required for ${{ steps.revoke_access.outputs.revoked_count }} apps"

2. Test the Workflow

Go to your repository's Actions tab
Select Offboard Employee - Revoke All Cakewalk Access
Click Run workflow
Fill in the required inputs:
- Employee email
- Offboarding reason (optional)
Click Run workflow

Customization

Adding Slack Notifications

To enable Slack notifications, uncomment and configure the notification step:

- name: Notify Security Team
  if: steps.revoke_access.outputs.revoked_count > 0
  run: |
    curl -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \
      -H "Content-Type: application/json" \
      -d "{
        \"text\": \"🚨 Offboarding Alert: ${{ github.event.inputs.employee_email }}\",
        \"blocks\": [{
          \"type\": \"section\",
          \"text\": {
            \"type\": \"mrkdwn\",
            \"text\": \"*Manual Action Required*\n• Employee: ${{ steps.get_user.outputs.user_name }}\n• Email: ${{ github.event.inputs.employee_email }}\n• Apps with access: ${{ steps.revoke_access.outputs.revoked_count }}\n\nPlease revoke access in Cakewalk UI.\"
          }
        }]
      }"

Adding Email Notifications

To add email notifications, you can use a service like SendGrid or AWS SES:

- name: Send Email Notification
  if: steps.revoke_access.outputs.revoked_count > 0
  run: |
    # Example using curl to send email via SendGrid
    curl -X POST "https://api.sendgrid.com/v3/mail/send" \
      -H "Authorization: Bearer ${{ secrets.SENDGRID_API_KEY }}" \
      -H "Content-Type: application/json" \
      -d "{
        \"personalizations\": [{
          \"to\": [{\"email\": \"[email protected]\"}]
        }],
        \"from\": {\"email\": \"[email protected]\"},
        \"subject\": \"Offboarding Alert: ${{ github.event.inputs.employee_email }}\",
        \"content\": [{
          \"type\": \"text/plain\",
          \"value\": \"Employee ${{ steps.get_user.outputs.user_name }} has access to ${{ steps.revoke_access.outputs.revoked_count }} applications. Manual revocation required.\"
        }]
      }"

Adding Approval Step

For sensitive offboarding, add an approval step:

jobs:
  request-approval:
    runs-on: ubuntu-latest
    steps:
      - uses: trstringer/manual-approval@v1
        with:
          approvers: security-team,hr-team
          minimum-approvals: 1
          
  revoke-all-access:
    needs: request-approval
    # ... rest of job

Monitoring & Troubleshooting

Workflow Logs

Check the Actions tab for detailed execution logs
Look for error messages in the step outputs
Review the summary report for access details

Common Issues

"User not found" Error:

Verify the user exists in Cakewalk
Check email spelling and case sensitivity
Ensure the user hasn't already been deleted

"401 Unauthorized" Error:

Verify API key and secret are correct
Check that credentials haven't expired
Ensure proper header formatting

"Empty response" Error:

Verify the API endpoint URL
Check network connectivity
Review API rate limits

Security Considerations

API Credentials: Store as repository secrets, never in code
Access Review: Regularly review who has access to what
Audit Logging: All access checks are logged for audit purposes
Manual Verification: Always verify access revocation in the UI

Future Enhancements

Requesting API Improvements

Consider requesting these API enhancements from Cakewalk:

DELETE Endpoint: DELETE /WorkApps/{workAppId}/Accesses/{userId}
Bulk Revocation: DELETE /WorkApps/Accesses with user filter
User Deactivation: PATCH /Users/{userId} to deactivate user

Workarounds

Until API improvements are available, consider these workarounds:

User Deactivation: If available, deactivate the user account
Group Removal: Remove user from all groups
Permission Downgrade: Set all permissions to read-only
Manual Process: Use the UI for bulk revocation

Next Steps

Set up monitoring: Configure alerts for failed workflows
Add notifications: Integrate with Slack, email, or other systems
Automate further: Consider triggering from HR systems
Request API improvements: Ask Cakewalk for DELETE endpoint support

Last updated 6 months ago

Was this helpful?

hashtagOverview

hashtagFeatures

hashtagPrerequisites

hashtagRepository Secrets

hashtagAPI Limitations

hashtagSetup Instructions

hashtag1. Create the Workflow File

hashtag2. Test the Workflow

hashtagCustomization

hashtagAdding Slack Notifications

hashtagAdding Email Notifications

hashtagAdding Approval Step

hashtagMonitoring & Troubleshooting

hashtagWorkflow Logs

hashtagCommon Issues

hashtagSecurity Considerations

hashtagFuture Enhancements

hashtagRequesting API Improvements

hashtagWorkarounds

hashtagNext Steps