figma guide
Designing member offboarding and deprovisioning UI in Figma: removal, transfer, and handoff
Design member offboarding and deprovisioning UI in Figma with remove member flows, content transfer, SCIM deprovision, seat reclaim, and Dev Mode specs for enterprise admin.
- Published
- Updated
- Jul 13, 2026
- Read time
- 7 min
- Level
- Intermediate
Quick answer
Member offboarding removes or suspends access when someone leaves—triggered manually by admins, via SCIM, or automated after session timeout policies. Design a remove member modal with content transfer (reassign files, projects, billing ownership); suspend vs remove states on the member list; SCIM deprovision sync indicators; last-owner guards; and seat reclaim tied to org billing. Log member.removed, member.suspended, and transfer actions to audit activity. Revoke API keys, sessions, and connected accounts on removal. Start from the Figma guides hub and pair with Dev Mode handoff for offboarding state machine specs.
Who this is for
- Product designers building People tabs, security consoles, and IT admin workflows for departing employees.
- Design system teams aligning manual removal with automated directory deprovision.
- Engineers implementing soft delete, content reassignment, webhook events, and compliance retention.
Offboarding triggers
| Trigger | Initiator | Typical latency | UI surfacing |
|---|---|---|---|
| Manual remove | Org admin | Immediate | People → member row |
| SCIM deprovision | IdP / IT | Seconds–minutes | SCIM status + member badge |
| Self-delete account | User | Immediate | Account settings (consumer) |
| Contract end | Scheduled job | Date-based | Rare—enterprise add-on |
| Security lockout | Admin / automated | Immediate | Link to account recovery |
Verdict: manual and SCIM paths should converge on the same removal modal where possible—admins see consistent transfer options whether IT or People admin initiated.
Suspend vs remove vs deactivate
| State | Access | Seat | Reversible | Use when |
|---|---|---|---|---|
| Active | Full | Consumed | — | Default |
| Suspended | Blocked login | Often still consumed | Yes | Investigation, leave |
| Removed | No access | Freed (usually) | Re-invite only | Left company |
| Deactivated (SCIM) | Same as removed | Policy-dependent | IdP reactivate | Directory-driven |
MemberStatusBadge
├── Active (green)
├── Suspended (amber) — "Login disabled"
└── Removed (gray) — hidden from default list
Suspended members should appear in a Suspended filter with Reactivate and Remove permanently actions—not vanish silently.
Remove member modal
| Step | UI | Required? |
|---|---|---|
| 1. Confirm who | Name, email, role, teams | Yes |
| 2. Content transfer | Reassign owner dropdown per resource type | If they own assets |
| 3. Billing impact | ”Frees 1 seat on next cycle” | If applicable |
| 4. Final confirm | Type REMOVE or checkbox | Enterprise |
RemoveMemberModal
├── Warning: "Alex will lose access immediately"
├── OwnedResourcesSummary
│ ├── 12 projects → Reassign to [ Admin ▼ ]
│ ├── 3 billing contacts → Reassign required
│ └── API keys (2) → Revoke all
├── SeatLine: "Seat available for new invite"
└── Confirm: [ Cancel ] [ Remove member ]
Block removal if sole Owner without ownership transfer step first.
Content transfer patterns
| Asset type | Transfer UI | If skipped |
|---|---|---|
| Owned projects | Pick new owner from admins | Orphan → org admin |
| Published libraries | Reassign maintainer | Unpublish warning |
| Draft billing contact | Required pick | Block remove |
| Personal API keys | Auto-revoke list | Security default |
| Shared drafts | Optional bulk move | Stay with org |
| Comments / mentions | Read-only history | Keep attribution |
Show resource count before confirm—admins underestimate owned projects.
TransferSection
├── Projects (12) — [ Select new owner ]
├── Libraries (2) — [ Select maintainer ]
└── ☑ Revoke all personal API keys and sessions
Link to API keys and active sessions for detail drill-down.
Last owner and role guards
| Guard | Condition | UI |
|---|---|---|
| Last Owner | Only one Owner left | Block; force promote another |
| Last Billing Admin | Invoices unassigned | Pick replacement |
| SCIM immutable Owner | IdP owns role | ”Change in directory” message |
| Self-remove Owner | Owner tries leave | Same as last owner |
LastOwnerBlocked
├── "You are the only Owner of Acme Org"
├── Promote [ member dropdown ]
└── [ Transfer ownership and continue ]
Pair with custom roles when “Admin” can almost-but-not-quite own billing.
SCIM deprovisioning UI
When SCIM marks user inactive:
| UI element | Spec |
|---|---|
| Member badge | ”Deprovisioned via SCIM” |
| Source | Azure AD / Okta group name |
| Timestamp | Sync time |
| Manual override | Disabled or “Break-glass” for support |
| Reactivate | Grayed unless IdP re-adds |
SCIM deprovision row on member detail:
Directory sync
├── Status: Deprovisioned
├── Source: Okta — "Engineering" group removed
├── Last sync: 2 min ago
└── Content transferred to: Jane Admin (auto-policy)
Document auto-transfer policy in org Security settings—default reassign to org owner vs suspend with orphan assets.
Seat reclaim and billing
| Billing model | When seat frees | UI copy |
|---|---|---|
| Active seat count | On remove | ”1 seat available now” |
| Annual prepaid | Seat freed; no auto-refund | ”Seat available; billing unchanged until renewal” |
| True-up | Next true-up window | Link org billing |
After remove, show Invite replacement CTA if seats available—closes loop with invitations.
Security cascade on removal
Immediately on remove (spec for engineering handoff):
| Asset | Action |
|---|---|
| Sessions | Invalidate all |
| API keys / PATs | Revoke |
| OAuth tokens | Revoke connected apps |
| Webhooks | Disable user-created |
| 2FA / passkeys | Cleared on account delete only—not always on org remove |
| Pending invites sent by user | Optional cancel |
Show checklist in modal footer: “Also revokes 2 active sessions and 1 API key.”
Offboarding communications
| Audience | Message | Channel |
|---|---|---|
| Removed user | Access ended, contact admin | Email (optional) |
| Admins | ”Alex was removed by Jane” | In-app + audit |
| New asset owners | ”You now own Project X” | Email digest |
| IT (SCIM) | Webhook user.deleted | API |
Do not email removed users their old data export link unless privacy export policy requires—separate compliance flow.
Bulk offboarding
Enterprise scenarios: layoffs, team dissolution.
| Step | UI |
|---|---|
| Select members | Checkbox column on People table |
| Bulk action | Remove selected |
| Transfer defaults | One admin for all projects |
| Progress | Job queue with per-user errors |
| Report | CSV download of failures |
Partial failure must list who succeeded vs failed—never silent half-complete.
Retention and legal hold
| Policy | UI |
|---|---|
| Soft delete 30d | ”Recoverable until Aug 12” (admin-only) |
| Legal hold | Block remove; badge on member |
| Export before remove | Link to GDPR export |
| Hard delete | Support-only; type org name |
If legal hold, removal modal shows:
This user is under legal hold. Removal is blocked.
Contact compliance@acme.com or [ View hold details ]
Common mistakes
| Mistake | Why it hurts | Fix |
|---|---|---|
| Remove without transfer | Orphan projects | Required reassignment |
| Allow last owner delete | Org lockout | Hard guard + promote flow |
| SCIM and manual fight | Double remove errors | Idempotent API + status badge |
| Seat freed but UI stale | Wrong invite enable | Refresh billing widget |
| No session revoke | Ex-employee still in | Cascade list in modal |
| Suspend hidden | Ghost members | Suspended filter tab |
| No audit trail | SOC2 fail | Log actor, transfers, source |
| Generic “removed” email | Phishing suspicion | Named admin + org |
| Bulk remove no progress | Admin panic | Job UI + error CSV |
| API keys survive remove | Credential leak | Auto-revoke default on |
Recommended workflow
- Design remove modal with owned-resource summary and transfer pickers.
- Add last-owner and billing-admin guards with promote flows.
- Build suspended state on member list separate from removed.
- Wire SCIM deprovision badge and auto-transfer policy settings.
- Prototype security cascade copy (sessions, keys, OAuth).
- Add bulk remove with progress and failure report for enterprise.
- Hand off state machine, webhook payloads, and retention enums in Dev Mode.
FAQ
Suspend or remove for parental leave?
Suspend preserves seat and assets; remove frees seat. HR products often need suspend with optional auto-reactivate date—enterprise nice-to-have.
What happens to comments after remove?
Keep attribution as “Former member” or display name snapshot—do not rewrite history to “Deleted user” without legal review.
Can removed members rejoin via same email?
Yes via new invite or SCIM re-add. Clear old group memberships unless restored from soft delete.
Deprovision vs delete in SCIM?
Map IdP behavior in admin docs. Deactivate often = suspend; delete = remove. UI labels should match IT expectations.
Export data on admin-initiated remove?
Optional org policy. Consumer: user self-serve export. Enterprise: admin-triggered export before remove—link privacy settings.
Next steps
- Design member invitations and pending invites UI in Figma — re-invite after removal
- Design SCIM and directory sync UI in Figma — automated deprovision path
- Design team member roles and permissions UI in Figma — ownership transfer before remove
- Design active sessions and device management UI in Figma — session invalidation on offboard
- Design audit log and security activity UI in Figma — removal and transfer events
§ Keep reading