Offboarding

When someone leaves your organisation, you'll want to make sure they can no longer access any of the systems connected to Permiso. Here's a step-by-step checklist.

Offboarding checklist

1. Disable the account

Go to Settings → Administration → Users, find the user, and click Disable.

Disabling is immediate. The user will be blocked from logging in on their next attempt. Any active sessions may still be valid until they expire (depending on your session duration setting), so if you need instant revocation, see step 2.

2. Revoke active sessions (optional)

If the person has an active browser session and you need to cut it off immediately, you can revoke their sessions from the user detail page.

3. Remove from groups

Even though a disabled user can't log in, it's good practice to remove them from groups to keep your access lists accurate. Open the user's profile and remove them from any groups they were a member of.

4. Check application-specific access

Some applications manage their own permissions alongside SSO. Make sure to also remove the user's account or permissions within those applications directly. Disabling them in Permiso prevents new logins, but doesn't necessarily remove data or permissions inside the app itself.

5. Remove or expire active API keys

If the user had API keys, go to Settings → Administration → API Keys and revoke any keys they created.

Re-enabling a user

Changed your mind, or someone re-joined the company? You can re-enable a disabled account from Settings → Administration → Users at any time. Their existing passkeys and group memberships are preserved.

A note on audit history

Disabled users' account records and audit log entries are kept even after they're disabled. This means you have a complete record of their login history and actions while they were active.