Securely remove a departing employee's access while maintaining an audit trail and preventing disruption to team workflows.
Critical: Security Checklist
Immediate Actions (Do First)
- Disable User Account
    PUT /admin/api/users/user-123
    {
      "enabled": false
    }
- Revoke All API Keys
    # List user's keys
    GET /admin/api/users/user-123/api-keys
    # Delete each key
    DELETE /admin/api/users/api-keys/AK-abc123
    DELETE /admin/api/users/api-keys/AK-def456
- Remove from All Groups
    PUT /admin/api/users/user-123/remove-groups
    {
      "groupIds": [
        "group-data-eng",
        "group-pipeline-owners",
        "group-prod-access"
      ]
    }
Timeline: Complete within 1 hour of departure notification
Complete Offboarding Workflow
Step 1: Document Current Access
    # Get full user details
    GET /admin/api/users/user-123
    # Get roles
    GET /authz/api/v1/users/user-123/roles
    # Get API keys
    GET /admin/api/users/user-123/api-keys
Save this for audit trail and handover documentation.
Step 2: Disable Account (Don't Delete)
    PUT /admin/api/users/user-123
    {
      "enabled": false,
      "attributes": {
        "status": ["OFFBOARDED"],
        "offboardDate": ["2024-12-05"],
        "reason": ["Voluntary - New Job"],
        "handedOffTo": ["replacement@company.com"]
      }
    }
Why not delete?
- Preserves audit history
- Maintains data lineage
- Compliance requirements
- Can reactivate if they return
Step 3: Revoke API Keys
    # Get all keys
    GET /admin/api/users/user-123/api-keys
    # Revoke each
    DELETE /admin/api/users/api-keys/AK-key1
    DELETE /admin/api/users/api-keys/AK-key2
Step 4: Remove Group Memberships
    PUT /admin/api/users/user-123/remove-groups
    {
      "groupIds": ["all", "groups", "user", "was", "in"]
    }
Step 5: Verify Access Removed
    # Should return empty/minimal permissions
    GET /authz/api/v1/users/permissions?userId=user-123
    # Should show enabled: false
    GET /admin/api/users/user-123
Step 6: Update Ownership
Transfer ownership of resources created by the departing user:
    # Update pipeline metadata
    PUT /torch-pipeline/api/pipelines
    {
      "meta": {
        "owner": "replacement@company.com"
      }
    }
Emergency Offboarding
If the user leaves unexpectedly or there is a security incident:
    # 1. Immediate disable (2 minutes)
    PUT /admin/api/users/user-123 {"enabled": false}
    # 2. Mass revoke (5 minutes)
    DELETE /admin/api/users/api-keys/AK-* (all keys)
    # 3. Group removal (3 minutes)
    PUT /admin/api/users/user-123/remove-groups {"groupIds": [...all]}
    # Total time: 10 minutes
APIs Used
- PUT /admin/api/users/:userId - Disable account
- GET /admin/api/users/:userId/api-keys - List keys
- DELETE /admin/api/users/api-keys/:accessKey - Revoke keys
- PUT /admin/api/users/:userId/remove-groups - Remove access
- GET /authz/api/v1/users/permissions - Verify removal
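The Step 1 to Step 5 sequence above as a Python example, added here and not taken from the product's own tooling: it snapshots access, disables the account, revokes keys, removes groups, then re-reads state and reports anything that survived. The `send` transport, the `FakeApi` stand-in and the response shapes (a user object with `enabled` and `groups`, key listings with an `accessKey` field, a list from the permissions endpoint) are assumptions, since this page does not show responses.

```python
def offboard(send, user_id, attributes):
    """Steps 1-5. send(method, path, body) returns parsed JSON. Assumed shapes
    (not shown on the page): user has "enabled" and "groups"; key listing is a
    list of {"accessKey": ...}; the permissions endpoint returns a list."""
    base = f"/admin/api/users/{user_id}"
    # Step 1: snapshot access for the audit trail before changing anything.
    snapshot = {"user": send("GET", base, None),
                "roles": send("GET", f"/authz/api/v1/users/{user_id}/roles", None),
                "apiKeys": send("GET", f"{base}/api-keys", None)}
    # Step 2: disable (not delete) and record the offboarding attributes.
    send("PUT", base, {"enabled": False, "attributes": attributes})
    # Step 3: revoke each key listed in the snapshot individually.
    for key in snapshot["apiKeys"]:
        send("DELETE", f"/admin/api/users/api-keys/{key['accessKey']}", None)
    # Step 4: remove the group memberships recorded in the snapshot.
    send("PUT", f"{base}/remove-groups", {"groupIds": snapshot["user"].get("groups", [])})
    # Step 5: re-read state and report anything that survived.
    residual = []
    if send("GET", base, None).get("enabled", True):
        residual.append("account still enabled")
    for key in send("GET", f"{base}/api-keys", None):
        residual.append(f"key still active: {key['accessKey']}")
    if send("GET", f"/authz/api/v1/users/permissions?userId={user_id}", None):
        residual.append("permissions still granted")
    return {"snapshot": snapshot, "residual": residual}


class FakeApi:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def __init__(self, stuck_key=None):
        self.user = {"enabled": True, "groups": ["group-data-eng", "group-prod-access"]}
        self.keys, self.stuck_key, self.calls = ["AK-abc123", "AK-def456"], stuck_key, []

    def send(self, method, path, body):
        self.calls.append(f"{method} {path}")
        if path.endswith("/api-keys"):
            return [{"accessKey": k} for k in self.keys]
        if method == "DELETE":  # stuck_key simulates a revocation that did not take
            target = path.rsplit("/", 1)[1]
            self.keys = [k for k in self.keys if k == self.stuck_key or k != target]
            return {}
        if path.endswith("/remove-groups"):
            self.user["groups"] = [g for g in self.user["groups"] if g not in body["groupIds"]]
            return {}
        if "/authz/" in path:  # roles and permissions both derive from groups here
            return list(self.user["groups"])
        if method == "PUT":
            self.user["enabled"] = body["enabled"]
            return {}
        return dict(self.user)
```

Treat a non-empty `residual` list as a failed offboarding and keep the returned `snapshot` with the audit record.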