Learn

Checklist

Employee Onboarding Checklist for SaaS Companies

Employee Onboarding Checklist for SaaS Companies

Employee Onboarding Checklist for SaaS Companies

A phase-by-phase IT-access onboarding checklist for SaaS teams on Google Workspace: the right access on day one, nothing extra, no IT team required.

A phase-by-phase IT-access onboarding checklist for SaaS teams on Google Workspace: the right access on day one, nothing extra, no IT team required.

Julien Monguillot

Julien Monguillot

Julien Monguillot

Co-Founder

Co-Founder

Co-Founder

Created:

Created:

Created:

Learn

Employee onboarding is everything that gets a new hire ready to do their job, from the offer letter to their first productive week. For a software company running on cloud tools, the part that matters most, and breaks most often, is the IT-access slice: giving the new person the right Google Workspace account, the right apps, and the right group memberships so they can work from day one without getting access they should never have.

What employee onboarding means for a SaaS company

That access slice is where onboarding quietly fails. A new engineer waits two days for a GitHub seat. A salesperson gets dropped into every Google Group by default because copying someone else’s access was faster than thinking about it. Six months later nobody remembers why they can see the finance drive.

A good onboarding process closes both gaps at once. The right access on day one, and nothing extra.

Getting it right is also a retention problem, not just an IT one. Gallup found that only 12% of employees strongly agree their organization does a great job onboarding new people, while Brandon Hall Group research links a strong onboarding process to 82% better new-hire retention. The first week sets the tone. A laptop that works and access that is ready says the company has its act together.

This checklist covers the IT-access side, phase by phase, so a non-technical operator can run it without an IT team.

Before day one

The goal of this phase is simple. When the new hire logs in on their first morning, everything works. That only happens if the prep is done a few days early.

Order hardware and confirm the delivery date

What: order the laptop, monitor, and any peripherals, and confirm they arrive before the start date.

Why: hardware shipping is the single most common reason a first day stalls. Everything else can be fixed in minutes, but a laptop in transit cannot.

How: place the order at least a week out for standard kit, longer for anything custom. Track the delivery against the start date and have a backup loaner ready if it slips.

Create the accounts, but keep them dormant

What: pre-create the Google Workspace account and any critical app accounts so they exist before day one.

Why: creating accounts ahead of time lets the new hire start the moment they sit down, instead of waiting on you to click through admin screens while they watch.

How: in the Google Admin console, create the user under Directory then Users. Leave the account ready but unannounced until the start date.

Brief the manager and set up the first day

What: confirm the manager knows the start date, has a first-week plan, and knows which apps and groups the role needs.

Why: access decisions should come from the role, not from guesswork. The manager is the person who knows what this hire actually needs to touch.

How: send the manager a short checklist of the apps, drives, and groups tied to the role, and ask them to confirm or correct it before day one.

Day one

This is the phase people picture when they think of onboarding. The aim is to get the new hire logged in, secured, and working inside the first hour.

Activate the Google Workspace account

What: hand over the Google Workspace login and walk the new hire through first sign-in.

Why: the Google Workspace account is the front door to everything else. Email, calendar, drive, and most connected apps key off it.

How: share the temporary credentials over a secure channel, require a password reset on first login, and confirm they can reach Gmail and Calendar.

Give access to the right apps and groups

What: add the new hire to the apps, shared drives, and Google Groups their role needs, and nothing more.

Why: this is the step that decides whether onboarding finishes clean or leaves a mess. Copying another person’s access is fast and almost always wrong, because it carries over permissions that were never meant for this role. This rule has a name: least privilege. Give each person only what their role needs, nothing more.

How: work from the role-based list the manager confirmed. Add the person to each Google Group, grant the named app access, and check the list against the role rather than against a colleague’s account. Group-based access is far easier to keep accurate than per-person grants, because the group already encodes who should have what.

Turn on multi-factor authentication

What: require multi-factor authentication (MFA) on the Google Workspace account before the new hire does any real work.

Why: a single compromised login is the most common way an attacker gets into a SaaS stack. MFA closes that door, and the cleanest moment to set it up is at first sign-in.

How: enforce two-step verification in the Google Admin console under Security, and have the new hire register an authenticator app or security key during their first login.

First week

By the end of week one the new hire should have steady, correct access and a working understanding of the security basics. This phase is about confirming the foundation, not adding more on top.

Confirm role-based access is correct

What: review what the new hire can actually reach against what their role should allow.

Why: day-one access often includes a few things added in haste. Catching that in the first week is cheap. Catching it in an audit a year later is not.

How: pull up the person’s group memberships and app access, compare them to the role definition, and remove anything that does not belong. Working from the role rather than the person is role-based access control, and it is what keeps access reviewable a year from now instead of a mystery.

Cover the security basics

What: walk the new hire through password hygiene, phishing awareness, and how to report a suspicious message.

Why: most security incidents at smaller companies start with a person, not a system. Fifteen minutes of plain guidance in week one prevents the common mistakes.

How: keep it short and practical. Show a real phishing example, point to the password manager, and give them one clear channel to flag anything odd.

Run the tool training that matters

What: give focused training on the two or three tools the role lives in, not a tour of everything.

Why: a new hire does not need a walkthrough of every app on day three. They need to be fluent in the handful they will use every day.

How: pair them with a teammate for a short working session in each core tool, and skip the generic all-hands software demo.

The 30-day check

Onboarding is not finished when the new hire is working. It is finished when their access is confirmed correct and the extras are gone. This phase is the one almost everyone skips, and it is where access sprawl begins.

Verify access is still right

What: re-check the new hire’s app and group access 30 days in, now that you know what the role actually touches.

Why: the first month reveals the gap between what you guessed the role needed and what it really uses. This is the moment to close that gap while it is small.

How: review their access list again, add anything they have been blocked on, and note anything that has gone unused.

Remove what is unused

What: revoke any app seats or group memberships the new hire has not touched in their first month.

Why: every unused grant is both a cost and a risk. Idle SaaS seats inflate the bill, and access nobody uses is access nobody is watching.

How: check usage in your app dashboards, pull the new hire out of any group or seat with no activity, and free those seats for reassignment.

The other half: offboarding

Everything you grant on day one is something you have to take back on the last day. The access you tracked carefully is easy to remove. What you added in a hurry and never reviewed is what gets left behind.

That is where the risk sits. A leaver keeps a Google Workspace account live for weeks after they are gone. A shared drive still lists someone who left in March. An app seat keeps billing because nobody told the tool the person had left. The same habit that drives access sprawl during onboarding, copying access and skipping the review, is what makes offboarding leak.

The fix is the same one. If access was built from the role and kept to the role, removing it is one clean pass instead of a hunt through every app. Run that same map in reverse and offboarding finishes, instead of leaking for months.

Where onboarding usually breaks

Even teams with a checklist tend to miss the same things:

  • Access copied from a colleague instead of built from the role, which quietly carries over permissions the new hire was never meant to have.

  • The 30-day review, skipped because the person is already working, which leaves day-one over-grants in place forever.

  • Group memberships, added by hand and never audited, so the same role gets different access depending on who set it up.

  • Contractor and part-time access, set up fast and never tied to a clean offboarding date.

Doing this automatically

Run this checklist by hand for one hire a quarter and it is manageable. Now do the math for a company hiring two or three people a month. Each new hire means a Google Workspace account, a dozen or so app grants, several Google Groups and a handful of shared drives, then a day-one pass, a first-week review and a 30-day check on top. That is well over fifty small access decisions a month, every one of which has to be exactly right, owned by someone who never signed up to be IT.

Automated onboarding closes that gap. Instead of clicking through the Google Admin console for every hire, you define access once per role. When someone joins, group-based and role-based access is given automatically across their Google Workspace account and connected apps, and the 30-day drift you would normally miss is far easier to catch because the access map is visible in one place.

ShiftControl does this for companies on Google Workspace, as part of the same lifecycle that handles offboarding. Onboarding in minutes, offboarding that actually finishes, no IT team required. ShiftControl works inside your Google Workspace, so the person who got handed IT can run it without learning how. You will need Google Workspace admin access to connect it, but no IT expertise to operate it. See how automated onboarding works, or take a tour of the product.

Frequently asked questions

What is the difference between onboarding and IT provisioning?

Onboarding is the whole experience of getting a new hire ready, including the manager plan, training, and culture. IT provisioning is the access slice within it: the Google Workspace account, the apps, and the group memberships. Provisioning is the part that breaks most often and the part this checklist focuses on.

What access should a new hire get on day one?

Only what their role requires, defined before they start. That means their Google Workspace account, the two or three apps they will use daily, and the specific Google Groups tied to the role. Resist copying a colleague’s access, because it almost always carries over permissions the new role was never meant to have.

How does onboarding affect employee retention?

A strong onboarding experience improves new-hire retention by 82%, according to Brandon Hall Group. The first week signals whether the company is organized. A working laptop and access that is ready on the first morning builds early confidence, while a stalled setup does the opposite and is hard to recover from.

Do we need an IT team to onboard people properly?

No. A non-technical operator on Google Workspace can run this checklist with the admin console alone. Tools like ShiftControl let you define access once per role and give it automatically, so a founder, ops, or People lead can run onboarding without IT expertise, using their existing Google Workspace admin access.

Why does access keep growing over time?

Access grows because grants get added in a hurry and almost never get reviewed. A day-one over-grant becomes permanent the moment onboarding is declared done. The fix is the 30-day check, where you confirm access against the role and remove anything unused before it turns into permanent sprawl.

How long should onboarding take to set up access?

Account activation, app access, group membership, and MFA should take minutes on day one if the prep is done. The full access picture settles over the first month, which is why the 30-day review matters. Done by hand it is fragile; done automatically per role it is consistent every time.

Key takeaways

  • Onboarding has four phases for access: before day one, day one, first week, and a 30-day check. Most teams stop after day one.

  • Build access from the role, never by copying a colleague. Copying is the source of permissions nobody can later explain.

  • Group-based and role-based access is easier to keep correct than per-person grants, and it is what makes automation possible.

  • The 30-day review is the step almost everyone skips, and the one that prevents access sprawl and wasted SaaS spend.

  • Strong onboarding lifts new-hire retention by 82%, so the first week is a business outcome, not just an IT task.

Want onboarding that runs itself for every hire? Talk to us.

Get started

Experience SaaS management as it should be: straightforward management and robust security with ShiftControl.

Get started

Experience SaaS management as it should be: straightforward management and robust security with ShiftControl.