You need to enable JavaScript in order to use the AI chatbot tool powered by ChatBot
Home
 >  
Case Studies
 >  

How Coherus Oncology Enforced Just-in-Time Access for Contractors and Eliminated Ghost Accounts

"We had contractors finishing engagements and their accounts staying active for months. Nobody was tracking it. CloudEagle.ai showed us various contractor accounts with no activity in 90 days. We cleaned it up in days, automated the offboarding process, and cut the tickets our IT team."

- Lisa Chamberlain, VP, Assistant Controller, Coherus Oncology

Problems
Challenge
  • Contractor accounts were created for engagements but never deactivated when the work ended, leaving active access with no one behind it.
  • No central view of which contractor accounts were still active, for how long, or what they had access to.
  • IT found out about contractor departures through informal channels, not a reliable process, so deprovisioning happened late or not at all.

Solutions
Solution
  • CloudEagle.ai surfaced every contractor account across the SaaS stack, flagging accounts with no recent activity alongside their access history.
  • Time-Based Access set an automatic end date on every contractor account at the point of provisioning, so access expired automatically.
  • Automated offboarding triggered deprovisioning the moment a contractor's end date passed, with no manual follow-up required from IT.

Profit
Result
  • All contractor access moved to a time-bound, automated system, eliminating ghost accounts and closing a major security gap.
  • Over 340 orphaned contractor accounts were removed, with all new access automatically expiring once work is done.
  • Contractor offboarding became near real-time. Average contractor deprovision time dropped from 3 weeks to 12 hours.

Challenge

Coherus Oncology worked with a large and rotating contractor base across technology, compliance, and operations. Every new engagement meant new accounts across Jira, Confluence, GitHub, Salesforce, and a range of internal tools.

Provisioning was straightforward. Deprovisioning was not. When a contractor finished an engagement, their account stayed active until someone from IT was informed and acted on it.

Over time the problem compounded. Accounts built up across the SaaS stack with no active user behind them. These were not just a tidiness problem.
Each one represented active access to systems and data belonging to someone who no longer worked with the company.

IT had no central view of how many of these accounts existed, how long they had been dormant, or what they could access.

Solution
  • Joiner-Mover-Leaver automation connected contractor start and end dates from the HRIS to provisioning and deprovisioning workflows, so access was removed automatically.
  • Time-Based Access set an expiry date on every contractor account at the point of creation, so access lapsed on schedule without IT needing to track each engagement manually.
  • SaaS & AI Discovery surfaced every active contractor account across the stack, flagging accounts with no activity in 90 days alongside a full view of what each account could access.
  • User Access Reviews ran continuously across contractor accounts, so any account that slipped through the automated process was caught and reviewed.
  • Privileged Access Visibility flagged contractor accounts with access beyond what their role required, so over-provisioned accounts were identified and scoped down.

Why CloudEagle.ai?

Coherus evaluated several solutions and chose CloudEagle.ai for these reasons:

  • Visibility in days, not months, multiple discovery sources including IdP, MDM, and browser surface every contractor account across the full stack, not just apps behind SSO.
  • Insight to action without manual follow-up, access removed automatically the moment an engagement ends, connected to HRIS data. No ticket, no reminder, no IT intervention.
  • End-to-end lifecycle management, manages the full contractor identity lifecycle from provisioning to expiry to deprovisioning, not just one slice of it.
  • Continuous access reviews catch what automation misses: any account that slips through the process is surfaced before it sits dormant for months.

Impact

Ghost Accounts Eliminated

  • 340 contractor accounts with no active usage identified and removed within the first week.
  • Every dormant account reviewed for access scope before removal, with a record kept for audit purposes.
  • IT no longer relies on informal notification from project managers to know when a contractor has left.

Just-in-Time Access Enforced

  • Every contractor account now provisioned with an automatic expiry date tied to their engagement end date.
  • Access expires on time without IT intervention, no tickets, no reminders, no manual follow-up.
  • Contractors who extend their engagement have access renewed through a defined request and approval workflow, not an ad-hoc email.

Sustained Clean Access Posture

  • Average contractor deprovision time dropped from 3 weeks to 12 hours as the process moved from manual to automated.
  • IT tickets related to contractor offboarding dropped by 80%, freeing the team for higher-priority work.
  • Audit evidence generated automatically as a byproduct of every provisioning and deprovisioning action, so contractor access history is always reviewable.

The Transformation

Before CloudEagle
Contractor accounts created for each engagement with no automatic expiry.
Deprovisioning dependent on informal notification from project teams, often late or missed entirely.
No central view of which contractor accounts were active, dormant, or over-provisioned.
Ghost accounts building up across the SaaS stack with active access and no user behind them.
Deprovision process taking up to 3 weeks from contractor exit to access removal.
After CloudEagle
Check box
Every contractor account provisioned with a time-based expiry tied to their engagement end date.
Check box
Deprovisioning triggered automatically the moment an engagement ends, no manual follow-up required.
Check box
Full view of every contractor account across the SaaS stack, with activity, access scope, and expiry date in one place.
Check box
Zero ghost accounts, dormant access surfaced continuously and removed before it accumulates.
Check box
Average deprovision time down from 3 weeks to 12 hours, with IT tickets for contractor offboarding down 80%.

Achieve similar success with CloudEagle!

Book a demoContact us

Other case studies

How Homelane Rightsized Their M365 E5 Licenses and Reclaimed Enterprise Spend
Benchling Cut App Request Tickets by Launching a Self-Service Catalog Employees Actually Use
How Domo Got Usage and Spend Visibility into Claude, Gemini, and Cursor