Note: This article only applies to Community Admins, Brand Super Admins, or applicable custom roles. For more details on Studio access, please refer to the Defining Roles and Restrictions article.
When a user should no longer have access to your community (such as separated employees), the user must be deactivated in the Firstup platform in order to terminate their access to the community. This deactivate requirement applies to all communities, including communities with SSO that manage users in their IdP or AD.
Deactivating a user terminates access to both the member experience (web and mobile) and Studio. Any active member experience and Studio sessions with Firstup will be immediately terminated, and the user will not be allowed to sign back in (even if they are still active in your SSO IdP).
Option 1: Deprovision via Users Page
Individual users can be manually deactivated via the Users page in Studio, as outlined in the article Terminate Access to Studio and Experience. Both Email Registration and SSO communities can leverage this option to cut off access for a user immediately.
Option 2: Deprovision with File via SFTP
One or more users can be deprovisioned using File via SFTP. This option is easy to automate. One advantage of using File via SFTP is that you can also reprovision (re-activate) users. File via SFTP can be used by both Email Registration and SSO communities.
To set up deprovision with File via SFTP, please talk to your Customer Success Manager.
If your communities is using deprovision with file via SFTP now, you can contact Firstup Support to confirm your deprovisioning configuration and troubleshoot any issues.
Option 3: Deprovision Via API Call
Users can be deprovisioned using the Deprovisioning API Call. Only one call can be issued per user, but your IT may be able to configure the Deprovisioning API Call to occur automatically via a script. There is no Reprovision API Call. Users that are deprovisioned via API call can only be reprovisioned (re-activated) manually.
To set up Deprovisioning API Calls, please reach out to your Customer Success Manager.
If you are already sending Deprovisioning API Calls, then you can contact Firstup Support to troubleshoot any issues such as unfamiliar errors or unexpected behavior.
SSO Note
For communities configured to have users register and sign in via SSO, removing a user from your Identify Provider (IdP, sometimes referred to as AD) will NOT terminate access to your community. To terminate access to the experience and Studio, SSO users must be deprovisioned with Firstup.
The user must be deprovisioned with Firstup because Firstup only communicates with your IdP when the user signs into the platform. After successful authentication users can remain signed in for 30 days or more. Therefore, if access is only terminated within the IdP then users may continue to have access for 30 days or more.
Most SSO communities prefer to script Deprovisioning API calls, but can leverage any one of the 3 options outlined above.
Comments
0 comments
Please sign in to leave a comment.