Remove the collaborator from Plausible | OpsBlu Docs

Remove the collaborator from Plausible

How to revoke user access and offboard team members from Plausible Analytics. Covers account deletion, API key revocation, partial access removal, and.

Complete these steps when the collaborator should no longer see Plausible data. Proper offboarding ensures security, maintains audit trails, and prevents orphaned configurations.

When to Remove Access

Engagement Completion

  • Project or contract ends and access is no longer needed
  • Deliverables completed and transition to client-managed analytics
  • Temporary support period expires
  • Client terminates services or changes providers

Scope Reduction

  • Specific sites removed from engagement coverage
  • Partial offboarding where some site access continues but others end
  • Role consolidation where multiple accounts merge into one

Security Events

  • Compromised credentials requiring immediate access revocation
  • Unauthorized data access or usage detected
  • Compliance violation requiring access suspension
  • Security audit findings mandating access removal

Organizational Changes

  • Collaborator leaves the organization or changes roles
  • Service account decommissioning or consolidation
  • Identity provider integration requiring account migration
  • Credential rotation requiring removal and re-invitation

Pre-Removal Checklist

Before removing access, prepare for business continuity:

Identify All Access Points

  1. List every Plausible site where the collaborator has access.
  2. Document the role (Administrator or Viewer) for each site.
  3. Check for API keys generated by or associated with the account.
  4. Review email subscriptions, Slack integrations, and custom alerts tied to the account.

Transfer Ownership

  • Goals and Custom Events: Ensure client administrators can manage configurations the collaborator created.
  • Email Reports: Reassign or cancel scheduled reports sent from the collaborator's account.
  • Shared Dashboards: If custom views were saved, document configurations for recreation if needed.
  • API Integrations: Migrate automations to client-owned or alternative service accounts before revoking credentials.

Document Current State

  • Capture screenshots of the Team page showing the collaborator's current access.
  • Export or record the list of goals, custom properties, and integrations managed by the account.
  • Note any active projects, debugging sessions, or configurations in progress.

Removal Steps

Remove from Individual Sites

  1. Sign in to Plausible and open the first site dashboard where the collaborator has access.
  2. Navigate to Settings → Team.
  3. Locate the collaborator's account in the member list.
  4. Click the Remove button (trash icon) next to their email address.
  5. Confirm the removal in the dialog box.
  6. Repeat steps 1-5 for each Plausible site where the collaborator had access.

Verify Complete Removal

After removing from all sites:

  • Confirm the account no longer appears in any site's Team list.
  • Check your master site-to-user access tracking spreadsheet and mark all sites as "Removed."
  • Verify pending invitations are canceled if the collaborator was invited but never accepted.

Self-Hosted Plausible Considerations

If you manage a self-hosted instance:

  • Site-level access removal in the UI is sufficient for web access.
  • Separately revoke any SSH keys or server-level credentials granted for infrastructure access.
  • Review database access, backup systems, and log files for residual permissions.
  • Rotate PostgreSQL passwords if the collaborator previously had database access.
  • Check Docker container access and remove from any relevant user groups.

Revoke API Access

Plausible API keys are separate from site team membership:

  1. Navigate to Settings → API Keys for each site.
  2. Review the list of API keys and identify any created by or shared with the collaborator.
  3. Delete or regenerate API keys to ensure the collaborator can no longer access data programmatically.
  4. Update any automation scripts, dashboards, or integrations using those keys.
  5. Document the API key rotation in your security log with the date and reason.

Cancel Pending Invitations

If invitations were sent but not yet accepted:

  1. Go to Settings → Team and scroll to the Pending Invitations section.
  2. Click Cancel on any outstanding invitations for the collaborator.
  3. Document the cancellation to avoid confusion if the invitation email is later discovered.

Documentation and Evidence

Capture Audit Trail

  • Screenshot or export the Team list after removal showing the collaborator no longer appears.
  • Archive screenshots from before removal for comparison.
  • Export Plausible audit logs if available (self-hosted instances may have server logs).
  • Record the removal timestamp and performing administrator's name.

Update Access Records

Log the removal in your IAM tracker with:

  • Removal request ticket ID or reference number
  • Approver name and approval date
  • Actual removal date and time
  • List of all sites where access was revoked
  • API keys rotated or deleted
  • Transition or handoff notes

Communicate Removal

  • Notify the collaborator's engagement lead that access has been fully revoked.
  • Send formal confirmation email documenting the removal.
  • Update your contracts or SOW documentation to reflect the offboarding.
  • Inform client stakeholders if the collaborator was known to them.

Post-Removal Clean-Up

Integration and Notification Management

  • Email Reports: Cancel or reassign any scheduled email reports that were sent to the collaborator or configured by their account.
  • Slack Notifications: Remove the collaborator from Plausible Slack integrations and channels.
  • Webhook Configurations: Update or remove webhooks pointing to systems managed by the collaborator.
  • Google Search Console: Verify integrations aren't tied to the collaborator's Google account.

Configuration Ownership

  • Custom Properties and Goals: Ensure ownership transfers to client or alternative accounts.
  • Funnels and Segments: Document configurations created by the collaborator for client reference.
  • Shared Reports: Migrate or recreate any reports that were account-specific.

Credential and Secret Rotation

  • Rotate any API tokens, webhook secrets, or integration credentials the collaborator may have accessed.
  • Update shared passwords or secrets if Plausible credentials were stored in shared vaults.
  • Review exported data files or reports shared with the collaborator and reclassify if necessary.

Downstream Systems

  • Remove the collaborator's account from BI tools, data warehouses, or reporting platforms that consume Plausible data.
  • Update access controls for any data exports, BigQuery datasets, or analytics pipelines.
  • Revoke access to documentation, runbooks, or internal wikis describing Plausible configurations.

Compliance and Audit

Regulatory Requirements

  • If GDPR, HIPAA, or other data protection regulations apply, document the removal as part of your data access audit.
  • Retain evidence of removal for the duration required by your compliance framework (typically 3-7 years).
  • Update data processing agreements or DPAs to reflect the collaborator's removal.

Client Notifications

  • For client-facing engagements, notify the client that the collaborator no longer has access to their data.
  • Provide removal confirmation in writing if requested by the client.
  • Update any data access disclosures or privacy notices if the collaborator was explicitly mentioned.

Internal Audit Trail

  • Archive removal evidence in your IAM system or document repository.
  • Include the removal in quarterly access reviews and recertification reports.
  • Track offboarding completion in your project management or ticketing system.

Emergency Removal Procedures

For immediate access revocation due to security incidents:

  1. Act Immediately: Remove from all sites without waiting for formal approvals.
  2. Revoke API Keys: Delete or regenerate all API keys the account could access.
  3. Document the Incident: Record the reason, timestamp, and actions taken.
  4. Notify Security Team: Alert your information security team for investigation.
  5. Monitor for Anomalies: Review recent activity logs for unauthorized access or data exports.
  6. Follow-Up Formally: Complete standard offboarding documentation after the emergency response.

Troubleshooting Removal Issues

Can't find the collaborator in Team list

  • Verify you're viewing the correct site - they may have access to different sites.
  • Check pending invitations in case they never accepted.
  • Confirm the email address or account identifier is correct.
  • For self-hosted, query the database directly if the UI doesn't show the account.

Remove button grayed out or unavailable

  • Ensure you have Administrator privileges for the site.
  • You cannot remove yourself - ask another administrator to perform the removal.
  • Site owner restrictions may prevent removal - contact the account owner.

API access continues after removal

  • API keys are separate from team membership - remove keys explicitly.
  • Check for additional API keys or service accounts with access.
  • Verify API key deletion by testing with the old credentials.
  • Review API logs to confirm access ceased after key removal.

Collaborator reports still seeing data

  • Confirm they're logged out and have cleared browser cache.
  • They may have access through a different email or personal account - verify account identity.
  • Check if they still have access to other sites you haven't removed them from.
  • For self-hosted, verify the database update completed successfully.

Self-hosted removal not working

  • Check PostgreSQL database for user record and permissions.
  • Review application logs for errors during removal.
  • Verify the web UI changes persist after page reload.
  • Test with a different browser or incognito mode to rule out caching.

Best Practices for Offboarding

  • Remove access immediately upon engagement completion - don't leave expired accounts active.
  • Perform offboarding during business hours when support is available if issues arise.
  • Use a checklist to ensure all sites, API keys, and integrations are addressed.
  • Archive removal evidence systematically for audit and compliance purposes.
  • Schedule quarterly reviews to identify and remove any overlooked accounts.
  • Maintain a runbook template for consistent offboarding across team members.

After removal, consider:

  • Updating internal documentation removing references to the collaborator's access.
  • Reviewing other analytics platforms where the collaborator may have had access.
  • Conducting access recertification for remaining active accounts.
  • Updating onboarding documentation if the collaborator's removal reveals process gaps.
返回顶部