Remove the collaborator from Heap Analytics | OpsBlu Docs

Remove the collaborator from Heap Analytics

How to revoke user access and offboard team members from Heap. Covers account deletion, API key revocation, partial access removal, and security.

Use this procedure when the collaborator should be removed from Heap. Timely deprovisioning is essential for data security, compliance with privacy regulations, and preventing unauthorized access after engagement completion.

When to Remove Access

Remove user access in these situations:

  • Project completion: The statement of work concludes and the collaborator's services are no longer required.
  • Contract termination: Business relationship ends, requiring immediate access revocation across all projects.
  • Scope change: The engagement continues but Heap analytics work is removed from the collaborator's responsibilities.
  • Transition to new provider: Another agency or internal team assumes Heap management duties.

Security and Compliance Events

  • Access review findings: Quarterly audits identify inactive accounts or excessive permissions.
  • Security incident: Potential credential compromise requires precautionary account suspension.
  • Policy violation: User activity violates data handling policies or acceptable use terms.
  • Regulatory requirement: Legal, compliance, or data privacy teams mandate access removal.

Organizational Changes

  • Staff turnover: The individual who used the account left the collaborator's organization.
  • Role change: The collaborator's responsibilities shifted away from analytics work.
  • Company merger or acquisition: Organizational changes make existing access arrangements obsolete.

Understanding Removal Options

Heap provides two primary methods for revoking access:

Option 1: Complete Member Deletion

  • Effect: Permanently removes the user account from your Heap organization.
  • When to use: The account will never be needed again, or for permanent offboarding.
  • Implications:
    • User history appears in audit logs but the account cannot be restored.
    • Dashboards, saved analyses, and reports created by the user remain but show as "created by removed user."
    • Project-level permissions are immediately revoked across all projects.
    • API tokens and authentication credentials are instantly invalidated.
  • Irreversibility: Cannot be undone; requires a new invitation to restore access.

Option 2: Permission Revocation (Account Preservation)

  • Effect: Removes all meaningful permissions while preserving the account record.
  • When to use: For temporary suspensions, audit trail preservation, or potential future restoration.
  • Process:
    • Change organization role to the lowest available level.
    • Unassign all project access.
    • The account remains in the system but cannot access any data.
  • Advantages:
    • Can be quickly restored by reassigning permissions.
    • Maintains complete audit trail and created content ownership.
    • Useful for temporary access holds pending investigation.

Most organizations use Option 1 for permanent departures and Option 2 for temporary holds or when audit requirements mandate preserving account records.

Removal Workflow

Follow these steps to securely revoke Heap access:

1. Verify Authorization and Preparation

Before removing access:

  • Confirm authorization via email approval, ticket number, or engagement manager request.
  • Verify you have Organization Admin privileges in Heap.
  • Review the user's current organization role and project assignments to understand what will be removed.
  • Check for any pending work or analyses the user created that need to be completed or transferred.

2. Document Current Access State

Capture evidence before making changes:

  • Navigate to Account → Manage → Members.
  • Locate the collaborator's account and click to view details.
  • Take screenshots showing:
    • Organization role (Organization Admin or Member)
    • Project assignments and project-level roles
    • Last activity timestamp
    • Date the account was created and by whom
  • Export the complete member list as CSV or PDF for comprehensive documentation.
  • Note any dashboards, reports, or tracking plans the user created or owns.

3. Transfer Ownership and Content

Before removing the account, preserve critical work:

Dashboards and Saved Analyses:

  • Identify key dashboards and analyses created by the collaborator.
  • Duplicate important analyses to an administrator or client account.
  • Document unique chart configurations, segment definitions, or funnel setups.
  • Export any critical reports that may be difficult to recreate.

Tracking Plans and Data Definitions:

  • If the user contributed to tracking plans, ensure documentation exists elsewhere.
  • Transfer ownership of custom event definitions or properties to a permanent account.
  • Verify data governance rules created by the user are still valid and assigned to appropriate owners.

SQL Lab Queries and Data Exports:

  • Save any SQL queries the user created if they're still valuable.
  • Document scheduled data exports or automated reporting the user configured.
  • Transfer ownership of data warehouse integrations or destination configurations.

API Integrations:

  • List API tokens, service accounts, or automation workflows using the user's credentials.
  • Generate replacement tokens under a service account before removal.
  • Test integrations with new credentials to prevent downstream failures.

4. Remove Heap Access

Execute the removal using your chosen method:

For Complete Deletion:

  1. Go to Account → Manage → Members.
  2. Locate the collaborator's account in the member list.
  3. Click the three-dot menu (⋮) or Actions button next to the user.
  4. Select Remove Member or Delete User.
  5. Confirm the deletion when prompted ("Are you sure you want to remove this member?").
  6. Verify the account disappears from the member list.
  7. Check that the total member count decreased by one.

For Permission Revocation (preserving the account):

  1. Go to Account → Manage → Members and click the user's name.
  2. Change the Organization Role to Member (lowest privilege level).
  3. Under Project Access, click Edit for each assigned project.
  4. Unassign all projects or set the role to the lowest level ("Viewer" if available, or remove entirely).
  5. Save changes for each project.
  6. Add a note in the account: "Access revoked [date] per [ticket/SOW reference]."
  7. Save the member profile.
  8. Verify the user shows zero project assignments.

5. Remove SSO/SCIM Provisioning

If using identity provider integration:

  • Log into your IdP administration console (Okta, Azure AD, OneLogin, etc.).
  • Remove the user from Heap-related groups or role assignments.
  • If using SCIM automated provisioning, confirm the user won't be auto-recreated on next sync.
  • Disable the user account in the IdP if they're fully departing the organization.
  • Force a manual SCIM sync if available to ensure immediate deprovisioning.
  • Test that SSO login fails with an appropriate error message.

6. Verify Complete Removal

Confirm access is fully revoked:

  • User no longer appears in Account → Manage → Members active list.
  • Or, if preserved, user shows zero project access and lowest organization role.
  • SSO login attempts fail with "user not authorized" or similar message.
  • API tokens previously owned by the account return 401 Unauthorized errors.
  • Automated exports or scheduled reports no longer send to the user's email.
  • Heap notification integrations (Slack, webhooks) no longer mention the user.
  • The collaborator confirms (if appropriate) they cannot access Heap.

7. Update Documentation and Records

Maintain compliance documentation:

  • Update your access management tracker with:
    • Removal date and time
    • Administrator who performed the removal
    • Requestor and approver names
    • Ticket or reference number
    • Business justification
    • Method used (deletion vs. permission revocation)
    • Projects and roles that were removed
  • Store before/after screenshots with engagement closure documentation.
  • Archive the removal confirmation email.
  • Update contract files and SOW tracking systems.

Evidence and Recordkeeping

Required Documentation

Capture and retain these artifacts per your compliance requirements:

Access Evidence:

  • Before-state screenshot showing user's organization role and project access
  • After-state screenshot showing user removed or depermissioned
  • CSV export of member list with timestamp (before and after)
  • Heap audit log entries documenting the removal action

Approval Records:

  • Email approval from engagement manager or authorized requestor
  • Ticket number from ITSM system documenting the request
  • SOW reference or contract amendment authorizing removal

Communication Logs:

  • Confirmation email sent to the collaborator's organization
  • Internal notification to security or compliance teams
  • Project closure documentation noting access removal

Audit Log Review

Heap maintains detailed audit logs accessible via Account → Audit Log:

  • Filter for the removed user's email address.
  • Review their activity history to understand what they accessed.
  • Export relevant log entries showing:
    • Login history and timestamps
    • Projects accessed and actions performed
    • Changes made to tracking plans or data definitions
    • Data exports or API calls executed
  • Archive these logs with your engagement documentation for compliance purposes.

Post-Removal Clean-Up Tasks

Credential and Integration Management

After removing the account:

API Token Rotation:

  • Invalidate any Heap API tokens associated with the removed account.
  • Generate new tokens under a dedicated service account.
  • Update downstream systems (data warehouses, BI tools, automation workflows) with new credentials.
  • Test all integrations to ensure they function correctly.

Webhook and Notification Updates:

  • Remove the user's email from Slack integration mentions.
  • Update email distribution lists for automated Heap reports.
  • Modify alert configurations to remove the user as a recipient.
  • Check Heap's integrations with tools like Segment, Salesforce, or marketing platforms.

Data Export and SQL Lab:

  • Revoke database credentials if the user had direct SQL Lab access.
  • Update scheduled data exports to remove the user's email.
  • Verify data warehouse integrations aren't using the removed user's authentication.

Content and Asset Management

Preserve or reassign user-created content:

Dashboards and Reports:

  • Audit dashboards created by the removed user that are still in active use.
  • Duplicate critical dashboards to an administrator account.
  • Archive or delete obsolete dashboards to reduce clutter.
  • Update dashboard descriptions to reflect new ownership.

Saved Analyses and Segments:

  • Review saved analyses (funnels, retention, user segments) the user created.
  • Transfer valuable analyses to permanent team members.
  • Document any unique methodologies or configurations for future reference.

Tracking Plans and Governance:

  • If the user contributed to tracking plan documentation, ensure it's preserved.
  • Reassign ownership of custom event definitions to a client administrator.
  • Update data governance rules if the removed user was listed as a data steward.

Communication and Notification

Notify relevant stakeholders:

To the Collaborator's Organization:

Subject: Heap Analytics Access Removed for [User Name]

We have removed Heap access for [account email] as of [date]
per [engagement completion/ticket number].

The account no longer has access to any Heap projects or data.

All dashboards and analyses created by this user have been
preserved and transferred to [new owner if applicable].

If you believe this was done in error, please contact
[your name/team] within 5 business days.

Internal Notifications:

  • Inform your security or compliance team of the successful removal.
  • Update engagement closeout documentation.
  • Notify the project manager or account lead that access has been revoked.
  • Document the removal in client status reports if applicable.

Troubleshooting

User Still Has Access After Removal

If the collaborator reports they can still log in:

  • Verify changes were saved (look for success confirmation message in Heap).
  • Check for multiple accounts with similar email addresses (e.g., gmail.com vs. googlemail.com).
  • Confirm SSO/SCIM changes have propagated (may take up to 1 hour for full sync).
  • Ask the user to clear browser cache/cookies and attempt login again.
  • Verify they're not accessing a different Heap organization (check the subdomain).
  • Check if cached credentials or saved sessions are allowing temporary access.

API Tokens Continue Working

If API calls succeed after account removal:

  • Heap API tokens may have a brief grace period (up to 30 minutes) before full invalidation.
  • Check if another account generated the token in question.
  • Explicitly revoke tokens via Account → Settings → API Tokens rather than relying on user deletion.
  • Verify the token wasn't previously copied to a service account before removal.
  • Review your application's token caching behavior.

Dashboards Break After User Removal

If removing the account causes dashboard errors:

  • This typically occurs when dashboards reference user-specific saved segments or filters.
  • Recreate affected dashboards under an administrator account before removing users.
  • Use organization-wide segments instead of user-specific ones for shared dashboards.
  • Contact Heap Support to migrate dashboard ownership if critical content is affected.
  • Document dashboard dependencies during onboarding to prevent future issues.

SCIM Automatically Recreates the Account

If the account reappears after SCIM synchronization:

  • Verify the user was removed from all Heap-related groups in your IdP, not just one.
  • Check SCIM provisioning settings in Account → Settings → Security → SCIM.
  • Disable "auto-provisioning" or "just-in-time provisioning" for the specific user/group.
  • Review IdP group membership rules for dynamic assignment logic.
  • Manually deprovision the user in your IdP before removing in Heap.
  • Contact Heap Support to troubleshoot SCIM configuration issues.

Need to Restore Access Quickly

If removal was in error and requires urgent reversal:

  • If you used permission revocation (not deletion), simply reassign the organization role and projects.
  • If you fully deleted the account, send a new invitation and manually reconfigure all permissions.
  • For SSO/SCIM users, re-add to IdP groups and wait for sync (or force manual sync).
  • Restored users may lose personalized settings (bookmarks, saved views).
  • Communicate the disruption to the collaborator with apology and updated timeline.

Tracking Plan Changes Lost

If removing a user affects tracking plan integrity:

  • This shouldn't happen with proper Heap configuration, as tracking plans are organization-level.
  • Check Heap's audit log for any tracking plan changes made immediately before removal.
  • Restore from audit history if available via Account → Audit Log → Tracking Plan.
  • Contact Heap Support for assistance recovering tracking plan definitions.
  • Implement a process to export tracking plans before major user lifecycle changes.

Best Practices

Security and Compliance

  • Remove access within 24 hours of engagement completion or termination notice.
  • Conduct quarterly access reviews to identify orphaned accounts.
  • Use SCIM automated deprovisioning to reduce manual errors and delays.
  • Maintain detailed removal documentation for 7+ years per compliance requirements.
  • Implement separation of duties: different admins for granting vs. revoking access when possible.

Operational Excellence

  • Create a standardized offboarding checklist specific to Heap.
  • Document dashboard dependencies during user onboarding to simplify cleanup.
  • Use service accounts for critical integrations instead of individual user accounts.
  • Schedule access removal during low-activity periods to minimize disruption.
  • Perform dry runs of removal process with test accounts to identify potential issues.

Communication

  • Provide 2-week notice to collaborators when access will be removed (if contractually appropriate).
  • Remove access first, notify second - avoid advance warning that could enable data exfiltration in security scenarios.
  • Keep removal notifications professional and neutral.
  • Offer a 5-day window for the collaborator to dispute erroneous removals.
  • Document all removal communications in your engagement files.

Prevention

  • Set expiration reminders at the time of initial user invitation.
  • Use role-based access with groups instead of individual permissions for easier bulk management.
  • Implement "least privilege" from day one to minimize cleanup complexity.
  • Create Heap "contractor" projects separate from production for easy bulk access revocation.
  • Tag temporary accounts in your IAM tracker for proactive monitoring.
Nach oben