Remove the collaborator from Segment | OpsBlu Docs

How to revoke user access and offboard team members from Segment. Covers account deletion, API key revocation, partial access removal, and security.

Use this procedure when the collaborator should be offboarded from Segment. Proper removal ensures security, maintains audit compliance, and prevents orphaned configurations in your data pipeline.

When to Remove Access

Engagement Completion

  • Project or contract ends and Segment access is no longer required
  • Deliverables completed and handoff to client team is finalized
  • Temporary support period expires after implementation
  • Client terminates services or transitions to different provider

Scope Reduction

  • Specific workspaces removed from engagement coverage
  • Partial offboarding where access to some workspaces continues but others end
  • Account consolidation where multiple service accounts merge into one

Security and Compliance Events

  • Compromised credentials requiring immediate access revocation
  • Unauthorized data access or usage detected
  • Compliance violation requiring access suspension
  • Security audit findings mandating immediate removal

Organizational Changes

  • Collaborator leaves the organization or changes roles
  • Service account decommissioning or retirement
  • SSO/SCIM migration requiring removal and re-provisioning
  • Credential rotation requiring removal and fresh invitation

Pre-Removal Planning

Before removing access, ensure business continuity:

Identify All Access Points

  1. List all Segment workspaces (production, staging, development) where the collaborator has access.
  2. Document the workspace role (Owner, Admin, Member, Read-only) for each.
  3. Identify sources and destinations they have explicit access to.
  4. Review API tokens, workspace secrets, or warehouse credentials associated with the account.
  5. Check for SSO/SCIM provisioning that may automatically restore access if not handled.

Transfer Configuration Ownership

  • Tracking Plans: Ensure client or alternative accounts can manage tracking plans created by the collaborator.
  • Destinations: Transfer ownership of destination configurations to client administrators.
  • Personas and Audiences: Reassign personas or audience definitions if managed by the account.
  • Functions: Migrate custom functions or transformations to client-owned accounts.
  • Protocols: Document protocol configurations for client handoff.
  • Warehouse Connections: Update warehouse credentials and configurations.

Document Current State

  • Capture screenshots of the Team Members page showing current access.
  • Export workspace settings showing sources, destinations, and configurations.
  • Record active integrations or pipelines managed by the collaborator's account.
  • Note any automation or scheduled tasks tied to the account.

Removal Steps

Standard Removal Process

  1. Navigate to Settings → Team Members in the relevant Segment workspace.
  2. Locate the collaborator's account in the member list.
  3. Click the actions menu (three dots) or Remove button next to their name.
  4. Review the removal confirmation dialog for dependency warnings.
  5. Choose one of the following options:
    • Remove completely to delete the member from the workspace immediately
    • Downgrade to Read-only while removing all source/destination permissions if you must retain the record temporarily for audit purposes
  6. Confirm the removal action.
  7. Repeat for each Segment workspace where the collaborator had access.
  8. Document the removal in your IAM tracker with workspace name, date, and ticket reference.

SCIM-Managed Environments

If SCIM manages user provisioning:

  1. Remove the user from the relevant identity provider group (Okta, Azure AD, etc.) first.
  2. Wait for the SCIM sync to propagate the removal to Segment (typically within 30-60 minutes).
  3. Verify the user no longer appears in Segment's Team Members list after sync completes.
  4. Do not rely on manual removal in Segment alone: without the IdP change, the account will be re-provisioned on the next sync.
  5. Document the IdP group removal alongside Segment verification.

SSO-Enabled Workspaces

For workspaces with SSO enforced:

  1. Remove the user from authorized SSO groups in your identity provider.
  2. Optionally remove them from the Segment workspace manually for immediate effect.
  3. Verify they cannot authenticate via SSO after group removal.
  4. Test SSO login to confirm access denial.
  5. Document both IdP and Segment removal steps.

Verify Complete Removal

After removing from all workspaces:

  • Confirm the account no longer appears in any workspace's Team Members list.
  • Check your workspace-to-user access matrix and mark all workspaces as "Removed."
  • Verify pending invitations are canceled if sent but never accepted.
  • Test that the account cannot log in or access any workspace.

API Token and Credential Revocation

API tokens are separate from Segment workspace membership, so removing the member does not revoke them:

  1. Navigate to Settings → API Keys or Workspace Access Tokens in each workspace.
  2. Review the list of tokens and identify any created by or associated with the collaborator.
  3. Delete or rotate tokens to ensure the collaborator can no longer access data programmatically:
    • Write Keys (for source data ingestion)
    • Access Tokens (for workspace configuration API)
    • Personal Access Tokens (for CLI or programmatic access)
  4. Update all automation scripts, ETL pipelines, or integrations using those tokens.
  5. Document token rotation in your security log with date, reason, and affected systems.
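
The checks above (membership in every workspace, pending invitations, tokens, and IdP groups) can be run as one reconciliation pass. This is an added example, not code from Segment or OpsBlu; the inventory is constructed sample data and every field name is an assumption standing in for whatever you record in your own access matrix.

```python
from dataclasses import dataclass

# Constructed inventory, as you might assemble it by hand from each workspace's
# Team Members page, its token list, and the IdP. All names are assumptions.
MEMBERS = {            # workspace -> active member emails
    "production": {"owner@client.example"},
    "staging": {"owner@client.example", "contractor@agency.example"},
}
PENDING_INVITES = {"development": {"contractor@agency.example"}}
TOKENS = [             # (workspace, token label, creator email)
    ("production", "etl-loader", "contractor@agency.example"),
    ("production", "ci-deploy", "owner@client.example"),
]
IDP_GROUPS = {"segment-users": {"Contractor@agency.example"}}  # SCIM-mapped group


@dataclass(frozen=True)
class Finding:
    kind: str      # member | invite | token | idp_group
    where: str     # workspace or IdP group name
    detail: str


def residual_access(email, members, invites, tokens, idp_groups):
    """Return every place the offboarded account still has a foothold."""
    who = email.strip().lower()
    norm = lambda emails: {e.strip().lower() for e in emails}  # case-insensitive match
    out = []
    for ws, emails in sorted(members.items()):
        if who in norm(emails):
            out.append(Finding("member", ws, "still listed in Team Members"))
    for ws, emails in sorted(invites.items()):
        if who in norm(emails):
            out.append(Finding("invite", ws, "pending invitation not canceled"))
    for ws, label, creator in tokens:
        # Tokens survive member removal, so they are checked independently.
        if creator.strip().lower() == who:
            out.append(Finding("token", ws, f"token '{label}' not deleted or rotated"))
    for group, emails in sorted(idp_groups.items()):
        if who in norm(emails):
            out.append(Finding("idp_group", group, "SCIM will re-provision on next sync"))
    return out


if __name__ == "__main__":
    for f in residual_access("contractor@agency.example",
                             MEMBERS, PENDING_INVITES, TOKENS, IDP_GROUPS):
        print(f"{f.kind:10} {f.where:14} {f.detail}")
```

An empty result is the condition to record as "Removed" in the access matrix.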

Warehouse and Database Credentials

If the collaborator had data warehouse access:

  1. Rotate warehouse connection credentials (database passwords, service account keys).
  2. Update Segment's warehouse destination settings with new credentials.
  3. Remove database user accounts or service principals tied to the collaborator.
  4. Test warehouse connections after rotation to ensure data flow continues.

Documentation and Evidence

Capture Audit Trail

  • Screenshot or export the Team Members list after removal showing the collaborator no longer appears.
  • Archive screenshots from before removal for comparison.
  • Export the Audit Log from Settings → Audit Log showing the removal event.
  • Record the removal timestamp, performing administrator's name, and affected workspaces.

Update Access Records

Log the removal in your IAM tracker with:

  • Removal request ticket ID or reference number
  • Approver name and approval date
  • Actual removal date and time for each workspace
  • List of all workspaces where access was revoked
  • API tokens rotated or deleted
  • Source and destination access that was removed
  • Transition or handoff notes

Communicate Removal

  • Notify the collaborator's engagement lead that Segment access has been fully revoked.
  • Send formal confirmation email documenting the removal.
  • Update contracts or SOW documentation to reflect the offboarding.
  • Inform client stakeholders if the collaborator was known to them or had direct interaction.

Post-Removal Clean-Up

Configuration and Integration Management

  • Tracking Plans: Transfer ownership of tracking plans to client administrators or delete if no longer needed.
  • Personas and Audiences: Reassign personas or migrate to client-owned accounts.
  • Destinations: Verify destination configurations are owned by client or remaining team members.
  • Functions: Document or migrate custom functions to alternative accounts.
  • Protocols: Update protocol ownership and access controls.

Integration and Notification Settings

  • Slack Integrations: Remove the collaborator from Segment Slack channels and notification integrations.
  • Email Notifications: Cancel or reassign email alerts configured by the account.
  • Webhook Configurations: Update or remove webhooks pointing to systems managed by the collaborator.
  • PagerDuty/Opsgenie: Update alerting integrations to remove the collaborator's contact info.

Downstream System Access

  • Remove the collaborator from BI tools, data warehouses, or analytics platforms that consume Segment data.
  • Update access controls for data exports, ETL pipelines, or reverse ETL platforms.
  • Revoke access to documentation, runbooks, or internal wikis describing Segment configurations.
  • Remove from project management tools tracking Segment implementation tasks.

Credential and Secret Rotation

  • Rotate any workspace secrets, API tokens, or integration credentials the collaborator accessed.
  • Update shared password vaults to remove or rotate Segment-related credentials.
  • Review exported data files or reports shared with the collaborator and reclassify if necessary.
  • Rotate SSH keys, database passwords, or cloud credentials if warehouse access was granted.

Compliance and Audit

Regulatory Requirements

  • If GDPR, CCPA, SOC 2, or other data protection regulations apply, document the removal as part of your data access audit.
  • Retain evidence of removal for the duration required by your compliance framework (typically 3-7 years).
  • Update data processing agreements (DPAs) to reflect the collaborator's removal from data access.

Client Notifications

  • For client-facing engagements, notify the client that the collaborator no longer has access to their Segment data.
  • Provide removal confirmation in writing if requested by the client or required by contract.
  • Update data access disclosures or privacy notices if the collaborator was explicitly mentioned.

Internal Audit Trail

  • Archive removal evidence in your IAM system or document repository.
  • Include the removal in quarterly access reviews and recertification reports.
  • Track offboarding completion in your project management or ticketing system.
  • Schedule follow-up reviews to verify no residual access remains.

Emergency Removal Procedures

For immediate access revocation due to security incidents:

  1. Act Immediately: Remove from all workspaces without waiting for standard approvals.
  2. Revoke API Access: Delete or rotate all API tokens and workspace secrets the account could access.
  3. Disable SSO: Remove from IdP groups to prevent authentication.
  4. Document the Incident: Record the reason, timestamp, actions taken, and incident reference.
  5. Notify Security Team: Alert your information security team for investigation.
  6. Monitor for Anomalies: Review audit logs for recent activity, data exports, or suspicious behavior.
  7. Follow-Up Formally: Complete standard offboarding documentation after emergency response.
  8. Client Notification: Inform clients if data breach or unauthorized access occurred.

Troubleshooting Removal Issues

Can't find the collaborator in Team Members

  • Verify you're viewing the correct workspace (production vs. staging).
  • Check pending invitations in case they never accepted.
  • Confirm the email address or account identifier is correct.
  • If SCIM-managed, check the IdP for account status.
  • Review Audit Log to see if they were already removed.

Remove button grayed out or unavailable

  • Ensure you have Admin or Owner privileges for the workspace.
  • Owners can only be removed by other Owners.
  • You cannot remove yourself - ask another administrator.
  • SCIM-provisioned users must be removed via IdP, not Segment directly.

SCIM keeps re-provisioning the user

  • SCIM sync treats the IdP as the source of truth.
  • Manual removals in Segment will be undone on next sync.
  • Remove the user from IdP groups to prevent re-provisioning.
  • Verify SCIM mappings and group assignments are correct.
  • Contact your IT team to confirm IdP removal was successful.

API access continues after removal

  • API tokens are independent of team membership - delete tokens explicitly.
  • Check for additional tokens or service accounts with access.
  • Verify token deletion by testing with old credentials (should fail).
  • Review API logs to confirm access ceased after token removal.

Collaborator reports still seeing data

  • Confirm they've logged out and cleared browser cache.
  • They may have access through a different email or personal account - verify identity.
  • Check if they still have access to other workspaces you haven't removed them from.
  • Verify SSO authentication is blocked if SSO is enforced.

Workspace configurations break after removal

  • Destinations or functions owned by the account may require reassignment.
  • Transfer ownership before removal to avoid disruption.
  • Review error logs and alerts for dependency issues.
  • Restore access temporarily if critical configurations are affected, then migrate ownership properly.

Audit log doesn't show removal event

  • Refresh the Audit Log page and adjust date filters.
  • SCIM-driven removals may log differently than manual removals.
  • Export audit logs to CSV and search for the account email.
  • Contact Segment support if removal events aren't logged as expected.
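
Searching the exported CSV for the account email can also answer three offboarding questions at once: was a removal logged, did the account act afterwards, and was it added back. This is an added example, not Segment's or OpsBlu's code; the sample rows are constructed, and the column names and event names are assumptions to be matched against the header row and event labels of your own export.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an exported audit log (assumed columns and event names).
SAMPLE_CSV = """timestamp,actor,event,target,workspace
2024-05-01T09:00:00Z,contractor@agency.example,Destination Modified,bigquery,production
2024-05-02T14:30:00Z,admin@client.example,User Removed,contractor@agency.example,production
2024-05-02T15:10:00Z,contractor@agency.example,Source Settings Viewed,web,staging
2024-05-03T02:00:00Z,scim@idp.example,User Added,Contractor@agency.example,production
"""


def parse_ts(value):
    # Accept a trailing "Z" on Python versions whose fromisoformat rejects it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_offboarding(csv_text, email, removed_event="User Removed",
                       added_event="User Added"):
    """Summarise what the audit log records about an offboarded account."""
    who = email.strip().lower()
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: parse_ts(r["timestamp"]))
    report = {"removed": {}, "activity_after_removal": [], "re_added": []}
    first_removal = None
    for r in rows:
        ts = parse_ts(r["timestamp"])
        is_actor = r["actor"].strip().lower() == who
        is_target = r["target"].strip().lower() == who
        if is_target and r["event"] == removed_event:
            report["removed"][r["workspace"]] = r["timestamp"]
            first_removal = first_removal or ts
        elif first_removal and ts > first_removal:
            if is_actor:
                # Anything the account did after removal started: review it.
                report["activity_after_removal"].append(
                    (r["timestamp"], r["workspace"], r["event"]))
            elif is_target and r["event"] == added_event:
                # Re-provisioning, e.g. a SCIM sync undoing a manual removal.
                report["re_added"].append(
                    (r["timestamp"], r["workspace"], r["actor"]))
    return report


if __name__ == "__main__":
    for key, value in review_offboarding(SAMPLE_CSV, "contractor@agency.example").items():
        print(key, value)
```

An empty `removed` entry for a workspace means no removal event was found for it in the export, which is the case the troubleshooting steps above address.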

Security Best Practices

  • Remove access immediately upon engagement completion - don't leave expired accounts active.
  • Perform offboarding during business hours when support is available for issue resolution.
  • Use a checklist to ensure all workspaces, API tokens, and integrations are addressed.
  • Archive removal evidence systematically for audit and compliance purposes.
  • Schedule quarterly reviews to identify and remove any overlooked accounts.
  • Implement automated alerts for dormant accounts that should be reviewed for removal.
  • Rotate all shared credentials after removing user access to prevent residual access.

After removal, consider:

  • Updating internal documentation to remove references to the collaborator's access.
  • Reviewing other analytics platforms where the collaborator may have had access.
  • Conducting access recertification for remaining active accounts.
  • Updating onboarding and offboarding runbooks if gaps were identified during this process.
  • Scheduling post-removal validation after 30 days to confirm no access restoration occurred.