Remove the collaborator from Mixpanel | OpsBlu Docs

Remove the collaborator from Mixpanel

How to revoke user access and offboard team members from Mixpanel. Covers account deletion, API key revocation, partial access removal, and security.

Use this runbook to deprovision the collaborator from Mixpanel. Timely access removal is critical for data security, compliance, and preventing unauthorized access after engagement completion.

When to Remove Access

Remove access in these situations:

  • Project completion: Statement of work concludes and services are no longer needed
  • Contract termination: Business relationship ends requiring immediate revocation
  • Scope change: Engagement continues but Mixpanel work is removed from scope
  • Transition: Another agency or internal team assumes Mixpanel responsibilities

Security and Compliance

  • Access review findings: Quarterly audits identify inactive or excessive permissions
  • Security incident: Credential compromise requires precautionary suspension
  • Policy violation: User activity breaches data handling or acceptable use policies
  • Regulatory requirement: Legal or compliance teams mandate removal

Organizational Changes

  • Staff turnover: Individual using the account left the collaborator's organization
  • Role change: Person's responsibilities shifted away from analytics
  • Company merger/acquisition: Organizational changes make access obsolete

Understanding Removal Options

Mixpanel provides two methods for revoking access:

Option 1: Complete Member Deletion

  • Effect: Permanently removes the account from your organization
  • When to use: Account will never be needed again or for permanent offboarding
  • Implications: User history in audit logs but account cannot be restored; dashboards/reports remain but show "created by removed user"; API tokens instantly invalidated
  • Irreversible: Cannot be undone; requires new invitation to restore

Option 2: Permission Revocation

  • Effect: Removes permissions while preserving account record
  • When to use: Temporary suspensions or audit trail preservation
  • Process: Change organization role to lowest level, clear all project access
  • Advantages: Quickly restored; maintains complete audit trail

Most organizations use Option 1 for permanent departures and Option 2 for temporary holds or audit requirements.

Removal Workflow

1. Verify Authorization

  • Confirm authorization via email, ticket, or engagement manager request
  • Verify you have Organization Admin privileges
  • Review user's current role and project assignments
  • Check for pending work needing completion or transfer

2. Document Current State

  • Navigate to Organization Settings → Members
  • Locate collaborator's account and view details
  • Screenshot: organization role, project assignments, last activity, creation date
  • Export member list as CSV
  • Note dashboards, reports, or cohorts user created

3. Transfer Ownership

Before removal, preserve critical work:

  • Dashboards/Reports: Duplicate important content to admin account; export critical reports
  • Cohorts/Segments: Transfer valuable cohorts; document definitions
  • Data Pipelines: Transfer ownership of integrations/exports; document configurations
  • API Integrations: Generate replacement tokens under service account; test new credentials

4. Remove Access

For Complete Deletion:

  1. Go to Organization Settings → Members
  2. Locate collaborator's account
  3. Click three-dot menu or Actions
  4. Select Remove Member or Delete
  5. Confirm deletion
  6. Verify account disappears from list

For Permission Revocation:

  1. Go to Organization Settings → Members
  2. Click user's name
  3. Change role to None or lowest level
  4. Remove all project access
  5. Add note: "Access revoked [date] per [ticket]"
  6. Verify zero project assignments

5. Remove SSO/SCIM Access

  • Log into IdP console (Okta, Azure AD, etc.)
  • Remove user from Mixpanel groups/roles
  • Confirm SCIM won't auto-recreate
  • Force manual sync if available
  • Test SSO login fails

6. Verify Removal

  • User not in active member list (or shows zero projects)
  • SSO login fails
  • API tokens return 401 errors
  • Automated reports don't send to user
  • Notifications don't mention user

7. Update Documentation

  • Update IAM tracker: removal date, administrator, requestor, approver, ticket, justification, method, projects removed
  • Store before/after screenshots
  • Archive removal confirmation

Evidence and Recordkeeping

Required Documentation

  • Access Evidence: Before/after screenshots, CSV exports, audit log entries
  • Approval Records: Email approvals, ticket numbers, SOW references
  • Communication Logs: Confirmation emails

Audit Log Review

Access via Organization Settings → Activity Log or Audit Log:

  • Filter for removed user's email
  • Review activity history
  • Export entries (logins, actions, changes, exports)
  • Archive with engagement docs

Post-Removal Clean-Up

Credential Management

  • API Tokens: Invalidate and generate new under service account
  • Webhooks: Remove user from Slack integrations; update distribution lists
  • Data Export: Revoke Data Warehouse credentials; update scheduled exports

Content Management

  • Audit dashboards/cohorts created by removed user
  • Duplicate critical content to admin
  • Archive/delete obsolete items
  • Update ownership descriptions

Communication

To Collaborator:

Subject: Mixpanel Access Removed for [Name]

We have removed Mixpanel access for [email] as of [date]
per [engagement completion/ticket].

Dashboards created have been preserved and transferred
to [new owner if applicable].

If this was done in error, contact [team] within 5 business days.

Internal: Inform security team, update closeout docs, notify project manager

Troubleshooting

User Still Has Access

  • Verify changes saved
  • Check for multiple similar accounts
  • Confirm SSO/SCIM propagated (up to 1 hour)
  • Ask user to clear cache and retry
  • Check cached credentials

API Tokens Still Work

  • Tokens may have grace period (30 minutes)
  • Explicitly revoke in Settings → API Tokens
  • Verify token not copied to service account

Dashboards Break

  • Occurs with user-specific segments
  • Recreate under admin before removing
  • Use org-wide segments
  • Contact Mixpanel Support

SCIM Recreates Account

  • Verify removed from all IdP groups
  • Check SCIM settings
  • Disable auto-provisioning
  • Review IdP dynamic rules

Need Quick Restore

  • If revoked: reassign role and projects
  • If deleted: send new invitation
  • For SSO: re-add to IdP groups

Best Practices

Security

  • Remove within 24 hours of completion
  • Quarterly access reviews
  • Use SCIM automated deprovisioning
  • Maintain docs for 7+ years
  • Separation of duties for granting vs. revoking

Operations

  • Standardized offboarding checklist
  • Document dashboard dependencies
  • Use service accounts for integrations
  • Schedule removals during low-activity
  • Dry runs with test accounts

Communication

  • 2-week notice when appropriate
  • Remove first, notify second (security scenarios)
  • Professional, neutral notifications
  • 5-day dispute window
  • Document all communications

Prevention

  • Set expiration reminders at invitation
  • Role-based access with groups
  • Least privilege from start
  • Separate contractor projects
  • Tag temporary accounts in tracker
返回顶部