
Offboarding Employees

  • May 22, 2025
  • 16 replies
  • 102 views


I'm curious as to how others handle the offboarding of an employee who is the "owner" of thousands of files.

We have departmental folder structures and the "owner" of a department's folders may "own" a hundred thousand or more files. When that employee leaves and we transfer ownership, it may take several days, and while the transfer is happening, the files and folders are unavailable to other staff.

Have others encountered this, and has anyone found a better way of doing things?

16 replies


We have a generic service account that owns the top level folder in our overall organization's structure as part of Box governance. Then, the department heads are co-owners with the service account, and then others are added as editors or viewers, depending on where the collaborators need to be. This eliminates the need to rearrange folders when people come and go.



We have a different approach as only the company owns this content. We use a service account that owns the top level folders and users are restricted from creating content they own. They store their WIP docs in a user work folder that is a subfolder owned by that service account. So there is no issue when they leave the firm. I don't know how well that scales, but when we provision a new user, we designate the "userwork" folder to them as their default and restrict access to only that user and the service account that owns it.



We also utilize service accounts (one per Zone, to ensure content is Zoned properly) that own all content at the top level.



Thanks guys, it would seem we erred with our initial set-up, but at least I know the right path to take in resolving this. Appreciate the guidance.



We are also in your situation. I schedule transfers based on the amount of data to be transferred:

<50GB can be done same business day w/minimal to no interruption of access

50-100GB happens after business hours to allow for some hours of interruption

>100GB happens after hours on Fridays to allow for 1-2 days of interruption

 



Also, here is a training link on folder structure design and best practices: https://support.box.com/hc/en-us/articles/360052808673-Box-University-Admin-Courses-Live-Self-Paced#:~:text=Folder%20Struc[…]ractices%20and%20Design 

There is a section on "ownership" i.e. around open or closed folder structures

and a support article: https://support.box.com/hc/en-us/articles/360043695494-Plan-Your-Folder-Structure

thanks 372695546353 for the resources.



We also use a service account to own all data and control access to the root. Almost all our content has retention policies applied as well except user areas. If a folder is needed for something special/new at the root level then we handle this as a service request.



Hi, John Kelly here, Box admin for University of Notre Dame.

I'll say - I don't 100% understand the service account thing.

Let me try this scenario:

I work here at ND. I have an account - john@nd.edu. We allow John to create content under his account using Box like we do for lots of faculty/staff/students

When I leave, you have an API change everything that John owns to a service account say box-serv-account@nd.edu, correct?

Second question - if you use that same service account for when people leave, how do you know what John owns vs what Jill owns (when she leaves) vs x/y/z when those folks leave? Do you somehow change the folder names that John owns when you change ownership and now a folder that was say - Dept stuff - becomes - Dept Stuff john@nd.edu - under the service account?

Third question - do you plan to eventually get rid of all of John's content from the service account - storage has a cost? If so, how do you do that since it makes any collaborators lose access?

I've heard of the service account method, but I cannot wrap my head around (a) the folder ownership and (b) when you delete the content?

At some point, we plan to delete the content for a person that leaves - in order to complete the lifecycle process. Sure, we can delete john@nd.edu after we transfer to the service account, but we don't want this content to exist forever. Plus, that service account becomes an account that has/owns lots of data. That raises risk concerns for that account.

Just trying to make sense of it all and would appreciate the wisdom of the crowd.

Thanks,

John

 



Thanks 233123001 good questions...I like the proposal to rename the folders and switch to a service account when the user leaves, I am interested in thoughts from 6173771847176531142825520146380368489173 on this



Here's how we structure things:

  1. At the root level, the service account owns all top level folders.
  2. When we have a new user join, we create a user folder for them and any content they create that is not shared in a larger group.
  3. We assign permissions to that new user folder so it is only accessible to the service account and that user.
  4. When the user leaves the company, we add access to that folder for their manager for review, move and/or deletion of content.

 

I would add that we have a structure at the top level that looks something like this which gives us top level permissions structures that are easier to maintain:

  1. "<CompanyName> Users" : this is where we create a folder for each user. Permissions are assigned to the service account and individual user. The service account has rights to this top level folder.
  2. "<CompanyName> Internal" : this is where we store all shared folders that are made available to user groups. The service account has rights to this top level folder. 
  3. "<CompanyName> External" : this is where we create any shares that need to be shared with external groups. Only Box Admins can create these and assign permissions. We ask the requesting party to give us a deadline on when it should expire before we remove these external shares.
  4. "<CompanyName> Secure" : this is where we store sensitive content that is only accessible to smaller groups or individuals. This top level is not assigned the same permissions with a service account, but rather the head of IT to reduce exposing to a service account which is available to the rest of the team. The subfolders each have their own unique top level permissions assigned. No sharing should happen from this folder. We also set up Box alerts to notify anytime someone views or modifies the content in this top level folder.


thanks 6173771847 also fyi, this is the topic of our Hack4Good Hackathon...

What will I be solving for? The nonprofit partner is asking for an automated process on moving files and classifying them when an employee transitions.

If you are interested and need help forming a team let me know. I think we have lots of domain expertise on this thread! Signup form here

 

 



233123001 I am interested if you think 6173771847 approach could work for you...



Hi Thomas,

 

I don't think so - seems the setup described does not match our current setup. The setup described is well documented in the 4 items listed, but our setup for our box domain is not like this. When we create an account in box, the account will own any folder that she creates if she creates a new folder. The setup described has the service account owning the content from individual users.

Plus, we do not use groups in Box.

Their setup obviously works well for them, but unfortunately, would not work for how we currently have our setup. And it's way, way too late to adjust our setup.

I do appreciate the reply, thank you. 

 



I don't want to mix up 'service account', for example one created by an API (e.g. MS Teams integration), with a dedicated Box account. We use a similar structure at the root as 6173771847 and also create a 'Personal' folder for staff. When the staff member leaves employment, when we delete the Box account we assign the folder to an agreed user/manager.

For Groups, as we use Azure AD for SSO, we bring across some of our security groups from Azure/Office 365. This makes for easier controls over permissions and is something that 233123001 could still do and over time introduce into their existing folder structure.



360064263008 how are you automating your content transfers you referred to previously...? thanks



1516888123561 - no. our environment cannot have generic service accounts. everything has to be set up as named user accounts. so transfers have to be made 1:1 in accordance w/HR's direction as to who was managing a termed employee at the time of termination for the purposes of understanding what client data needs to remain with them and what may need to be re-allocated to other client teams. not ideal or quick, but it works for our business continuity needs.