arazzo: 1.0.1
info:
  title: Google Workspace Offboard a User
  summary: Suspend a departing user, sign them out of all sessions, and confirm the state.
  description: >-
    A safe offboarding flow that does not delete the account outright. The
    workflow patches the user to a suspended state, signs the user out of every
    active web and device session to immediately revoke access, and then reads
    the user back to confirm the suspension took effect. Every step spells out
    its request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: directoryApi
  url: ../openapi/admin-sdk-directory-api.yml
  type: openapi
workflows:
- workflowId: offboard-user
  summary: Suspend a user, revoke their sessions, and verify the suspension.
  description: >-
    Patches the user resource to suspended, signs the user out of all sessions
    to revoke active access, and fetches the user to confirm the suspended flag
    is set.
  inputs:
    type: object
    required:
    - accessToken
    - userKey
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer access token with the admin.directory.user scope.
      userKey:
        type: string
        description: Primary email, alias, or unique id of the user to offboard.
      suspensionReason:
        type: string
        description: Optional note recorded as the reason for suspension.
        default: Offboarded
  steps:
  - stepId: suspendUser
    description: >-
      Patch the user to a suspended state so they can no longer sign in, while
      leaving the rest of the profile intact.
    operationId: patchUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    requestBody:
      contentType: application/json
      payload:
        suspended: true
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      suspended: $response.body#/suspended
  - stepId: signOutUser
    description: >-
      Sign the user out of all active web and device sessions and reset their
      sign-in cookies to immediately revoke access.
    operationId: signOutUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 204
  - stepId: confirmSuspended
    description: >-
      Read the user back to confirm the suspended flag is set before completing
      the offboarding flow.
    operationId: getUser
    parameters:
    - name: userKey
      in: path
      value: $inputs.userKey
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      userId: $response.body#/id
      suspended: $response.body#/suspended
  outputs:
    userId: $steps.confirmSuspended.outputs.userId
    suspended: $steps.confirmSuspended.outputs.suspended