Remove the collaborator from Chartbeat | OpsBlu Docs

How to revoke user access and offboard team members from Chartbeat. Covers account deletion, API key revocation, partial access removal, and security.

Complete these steps when the collaborator should no longer have access to Chartbeat data and dashboards. Timely access removal is critical for security compliance and prevents unauthorized data exposure after engagement completion.

When to Remove Access

User removal should occur in these situations:

Engagement Completion

  • Project ends: The statement of work completes and the collaborator's services are no longer required.
  • Contract termination: Business relationship ends, requiring immediate access revocation.
  • Transition to new team: Another agency or internal team assumes responsibility for analytics.
  • Scope reduction: The engagement continues but no longer includes Chartbeat-related work.

Security and Compliance

  • Access review findings: Quarterly audits identify inactive or unnecessary accounts.
  • Security incident: Potential compromise requires precautionary credential revocation.
  • Policy violation: User activity breaches acceptable use or data handling policies.
  • Legal hold: Legal, HR, or compliance departments request access suspension.

Organizational Changes

  • Staff turnover: The collaborator's employee who used the account has left their organization.
  • Role change: The individual moved to a different role not requiring analytics access.
  • Company acquisition: Organizational changes make existing access arrangements obsolete.

Understanding Removal Options

Chartbeat provides two methods for revoking access, each with different implications:

Option 1: Complete User Deletion

  • Effect: Permanently removes the user account from your Chartbeat organization.
  • When to use: The account will never be needed again, or the email address may be reused for a different person.
  • Implications:
    • User history is retained in audit logs but the account cannot be restored.
    • Dashboards, alerts, and saved views created by this user remain but show "Former User" as owner.
    • API tokens generated for this account are immediately invalidated.
  • Irreversible: Once deleted, you must create a completely new account to re-grant access.

Option 2: Role and Permission Revocation

  • Effect: Maintains the user record but removes all meaningful access.
  • When to use: You want to preserve the account for audit purposes or may restore access in the future.
  • Process:
    • Change role to User (lowest privilege level).
    • Uncheck all site groups and individual site permissions.
    • The account remains in the system but cannot view any data.
  • Advantages: Can be quickly restored if needed; maintains complete audit trail.

Most organizations prefer Option 1 for permanent departures and Option 2 for temporary suspensions or access reviews.

Removal Workflow

Follow these steps to revoke access securely and completely:

1. Verify Authorization

Before removing access, ensure proper approval:

  • Confirm the removal request came from an authorized source (engagement manager, security team, legal).
  • Verify you have a ticket number, email approval, or documented business reason.
  • Check that you possess Account Administrator rights in Chartbeat.
  • Review the user's current permissions to understand what will be revoked.

2. Document Current State

Capture evidence of the user's access before removal:

  • Navigate to Settings → Users and open the collaborator's account.
  • Take a screenshot showing:
    • Current role (Administrator or User)
    • Assigned sites and site groups
    • Last login date/time (if available)
    • Creation date and who added the account
  • Export the full user list as CSV for comprehensive documentation.
  • Note any custom dashboards, alerts, or integrations associated with this account.

3. Transfer Ownership

Before removing the account, reassign assets the collaborator created:

Dashboards and Saved Views:

  • Identify custom dashboard layouts created by the collaborator.
  • Recreate important views under a client administrator account.
  • Document any unique configurations or bookmarks that should be preserved.

Alerts and Notifications:

  • Review active alerts managed by the collaborator's account.
  • Reassign ownership to an internal administrator.
  • Update notification recipients to remove the collaborator's email address.

API Integrations:

  • List any API tokens or webhooks using the collaborator's credentials.
  • Generate replacement tokens under a service account before revocation.
  • Test integrations with new credentials to prevent data pipeline failures.

Email Distribution Lists:

  • Check automated reports sent to the collaborator's email.
  • Remove the address from distribution lists to avoid bounce-backs.
  • Update scheduled exports to use current team members.

4. Remove Access in Chartbeat

Now remove the account using your chosen method:

For Complete Deletion:

  1. Open Settings → Users and locate the collaborator's account.
  2. Click Remove User or the delete icon (typically a trash can).
  3. Confirm the deletion when prompted with "Are you sure?"
  4. Verify the account disappears from the Active Users list.
  5. Check that the user count decreases by one.

For Permission Revocation (preserving the account):

  1. Open Settings → Users and click the collaborator's name.
  2. Change the Role to User (or the lowest permission level available).
  3. Uncheck all site groups and individual sites in the permissions section.
  4. Add a note: "Access revoked [date] per [ticket number]."
  5. Click Save Changes.
  6. Verify the account shows zero site permissions.

5. Remove SSO or IdP Access

If your organization uses single sign-on or identity provider provisioning:

  • Log into your IdP administration console (Okta, Azure AD, etc.).
  • Remove the collaborator from Chartbeat-related groups or role assignments.
  • Verify automatic provisioning won't recreate the account on next sync.
  • Disable the user in the IdP if they're leaving the organization entirely.
  • Test that SSO login no longer works for this account.

6. Verify Removal

Confirm access is fully revoked:

  • User no longer appears in Settings → Users → Active Users.
  • Or, if retained, user shows zero site permissions and lowest role.
  • SSO login attempts fail with "access denied" or "user not authorized."
  • API tokens previously belonging to this account return 401/403 errors.
  • Automated reports no longer send to the collaborator's email address.
  • Slack or webhook notifications don't tag the collaborator.

Ask the collaborator to attempt login (if appropriate) to verify they receive an "access denied" message.
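
The user-list checks above can be run against the after-state CSV export instead of by eye. The following is an added example, not part of the original page or of Chartbeat's tooling; the column names (`email`, `role`, `sites`), the `;` site separator, and the sample rows are assumptions constructed for illustration. It checks the expected end state for either removal option and flags similar addresses (`+tag` aliases) that still hold access.

```python
import csv
import io

# Constructed sample export; column names and the ";" separator are assumed.
AFTER_CSV = """\
email,role,sites
admin@client.example,Administrator,news.example;sports.example
jane@agency.example,User,
jane+reports@agency.example,User,news.example
j.doe@agency.example,Administrator,news.example
"""

def normalize(email):
    """Lower-case and drop a +tag so aliases of one mailbox compare equal."""
    local, _, domain = email.strip().lower().partition("@")
    return local.split("+", 1)[0] + "@" + domain

def load_users(csv_text):
    """Parse the export into dicts with a cleaned email, role and site list."""
    users = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sites = [s.strip() for s in (row.get("sites") or "").split(";") if s.strip()]
        users.append({"email": row["email"].strip().lower(),
                      "role": row["role"].strip(), "sites": sites})
    return users

def verify_removal(csv_text, target_email, method):
    """Return findings for a 'deletion' or 'revocation'; an empty list passes."""
    if method not in ("deletion", "revocation"):
        raise ValueError("method must be 'deletion' or 'revocation'")
    target = target_email.strip().lower()
    users = load_users(csv_text)
    exact = [u for u in users if u["email"] == target]
    findings = []
    if method == "deletion" and exact:
        findings.append(f"{target}: still listed after deletion")
    if method == "revocation" and not exact:
        findings.append(f"{target}: no retained record found")
    for u in (exact if method == "revocation" else []):
        if u["role"] != "User":
            findings.append(f"{target}: role is {u['role']}, expected User")
        if u["sites"]:
            findings.append(f"{target}: still has {len(u['sites'])} site(s)")
    # Look-alike accounts (same mailbox after normalisation) that kept access.
    for u in users:
        if u["email"] != target and normalize(u["email"]) == normalize(target):
            if u["sites"] or u["role"] != "User":
                findings.append(f"{u['email']}: similar address still has access")
    return findings
```

Store the returned findings (or the empty result) alongside the after-state screenshot as part of the removal evidence.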

Evidence and Recordkeeping

Maintain comprehensive documentation of the removal for compliance and audit purposes:

Required Documentation

Capture these artifacts and store them according to your retention policy:

  • Before-state screenshot: User profile showing role and permissions before removal.
  • After-state screenshot: Updated user list or blank permissions showing removal.
  • CSV export: Full user list with timestamp showing the account is gone or depermissioned.
  • Approval record: Email, ticket, or signed form authorizing the removal.
  • Communication log: Email confirmation sent to the collaborator and their engagement lead.

IAM Tracker Update

Record these details in your access management system:

  • Date and time of removal
  • Administrator who performed the removal
  • Requestor name and contact information
  • Approver name and authorization method
  • Ticket or reference number
  • Business justification (e.g., "Engagement completed on 2025-12-15")
  • Method used (deletion vs. permission revocation)
  • Sites and role that were removed

Notification and Communication

Send confirmation emails to relevant stakeholders:

To the Collaborator's Organization:

Subject: Chartbeat Access Removed for [name]

We have removed Chartbeat access for [account email] as of [date]
per [ticket number/engagement completion].

The account no longer has access to any Chartbeat sites or dashboards.

If you believe this was done in error, please contact [your name/team]
within 5 business days.

To Internal Stakeholders:

  • Notify your security team or compliance officer that the removal is complete.
  • Update your project closeout documentation with access revocation confirmation.
  • Record the removal in any client-facing engagement summary reports.

Post-Removal Clean-Up Tasks

After removing the account, complete these additional security and administrative tasks:

Credential Rotation

  • API keys: Rotate any Chartbeat API keys that were generated for or shared with the collaborator's account.
  • Shared passwords: If the account used a shared login (non-SSO), change the password immediately.
  • Webhook secrets: Regenerate webhook verification tokens if the collaborator had access to integration configurations.
  • Service accounts: Review and rotate credentials for any automated processes the collaborator helped configure.

Integration Verification

Test that critical integrations continue functioning after removal:

  • Data pipelines: Verify scheduled exports or ETL jobs complete successfully.
  • Dashboards: Check that third-party dashboards (Tableau, Looker, Google Sheets) still update.
  • Alerts: Confirm monitoring alerts and notifications still fire correctly.
  • API consumers: Test applications that call the Chartbeat API to ensure no disruption.

Distribution List Updates

Remove the collaborator from these communication channels:

  • Email digests and automated report recipients
  • Slack channels or webhook notifications
  • Escalation procedures or on-call rotations
  • Documentation sharing lists (Google Drive, Confluence)
  • Scheduled meeting invites for reporting reviews

Access Review Schedule

Update your ongoing access management processes:

  • Remove the user from your next quarterly access review checklist.
  • Update site group membership counts in your documentation.
  • Adjust billing projections if user licensing fees apply.
  • Archive the removal documentation with your engagement closure records.

Troubleshooting

User Appears to Still Have Access

If the collaborator reports they can still log in after removal:

  • Verify you saved changes after editing permissions (look for a success confirmation message).
  • Check if multiple accounts exist with similar email addresses.
  • Confirm SSO/IdP changes have propagated (may take up to 1 hour for sync).
  • Clear browser cache and cookies, then attempt login again.
  • Check if the user has access to a different Chartbeat organization (if you manage multiple).

API Tokens Still Work

If API calls succeed after account removal:

  • API tokens may have a grace period before expiration (up to 24 hours).
  • Check if another user account generated the token in question.
  • Explicitly revoke tokens in Settings → API rather than relying on user deletion.
  • Verify the token wasn't copied to a service account before removal.

Dashboards Show "Former User" Errors

If removing the account broke shared dashboards:

  • This is expected behavior when deleting accounts that created custom views.
  • Recreate critical dashboards under a current administrator account.
  • Chartbeat Support can sometimes migrate dashboard ownership; contact them if needed.
  • Document dashboard configurations before future user removals to simplify recreation.

SSO Account Reappears Automatically

If the account reappears in Chartbeat after SSO login:

  • Verify the user was removed from all relevant IdP groups, not just Chartbeat-specific ones.
  • Check your SSO provisioning settings for automatic account creation rules.
  • Disable "just-in-time provisioning" if it's creating accounts on first SSO login.
  • Contact Chartbeat Support to disable SSO auto-provisioning for specific email domains.

Need to Restore Access Quickly

If the removal was done in error and needs immediate reversal:

  • If you used permission revocation (not deletion), simply re-enable sites and role.
  • If you deleted the account, you must send a new invitation and reconfigure permissions from scratch.
  • SSO users can be restored by re-adding to IdP groups (may take up to 1 hour).
  • Contact the collaborator immediately to explain the disruption and provide an updated timeline.

Best Practices

Preventive Measures

  • Schedule access reviews quarterly to catch accounts that should be removed.
  • Use site groups to simplify bulk removal when entire teams offboard.
  • Implement a "30-day notice" policy for planned access removals to allow gradual transition.
  • Maintain a "service account" separate from individual users for critical integrations.

Compliance Considerations

  • Most data privacy regulations (GDPR, CCPA) require timely access revocation upon engagement completion.
  • SOC 2 and ISO 27001 audits examine access removal procedures and evidence.
  • Maintain removal documentation for at least 7 years or per your industry requirements.
  • Include access removal checklists in your offboarding runbooks.

Communication Tips

  • Remove access first, notify second - don't give advance warning that could enable data exfiltration.
  • Keep removal notifications professional and neutral; avoid implying wrongdoing.
  • Provide a contact person for questions about the removal.
  • For long-term collaborators, consider a courtesy call before sending the notification email.