User deactivation

Hello,

if this is not the correct category for my question kindly excuse as this is my first post.
We’re in alpha state / testing the functionality of passbolt.
When an employer leaves the company what is the right method to deactivate the corresponding account?
Deleting a user also deletes password entries, is that correct?

Searching for this topic didn’t bring me the right results, so I want to give you, the experts, a chance to point me in the right direction. Thanks for your patience.

HappyMan4

Hey @HappyMan4, welcome to the forum! I think it is safe to say our forum is missing a category for this sort of more general question about passbolt.

When you have to off board a user some secrets are deleted and some aren’t. This will depend on if the secret has been shared or not.

If a secret was created by the user and they didn’t share it with anyone it will be deleted.

If a secret was created by the user and they shared it with another user or group then that one won’t be deleted; the admin will be prompted to assign the secret a new owner (assuming it wasn’t shared as owner).

If the user has already left the organization you won’t be able to share the secrets since they are stored encrypted to the user’s key and the only way to share is to decrypt with that key and then encrypt with the key of the new user to share with.
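The deletion rules above can be turned into a pre-deletion audit. This is an added example, not passbolt code or its API: it models secrets as plain records with an owner set and a shared-with set (constructed sample data, hypothetical names) and reports what deleting a given user would do to each secret, so an admin can reassign ownership before the user leaves and their key becomes unavailable.

```python
from dataclasses import dataclass, field


@dataclass
class Secret:
    """Minimal model of a passbolt resource (assumption, not passbolt's schema)."""
    name: str
    owners: set            # users holding the "owner" permission
    shared_with: set = field(default_factory=set)  # users/groups with read or update access


def offboarding_report(user, secrets):
    """Classify each secret by the effect of deleting `user`, per the rules in the thread:
    - sole owner, never shared      -> deleted with the user
    - sole owner, shared with others -> admin is prompted for a new owner
    - another owner exists, or user only had access -> retained untouched
    """
    report = {"deleted": [], "needs_new_owner": [], "retained": []}
    for s in secrets:
        others = (s.owners | s.shared_with) - {user}
        if user not in s.owners:
            report["retained"].append(s.name)      # user had access only; nothing is lost
        elif not others:
            report["deleted"].append(s.name)       # unshared personal secret goes with the user
        elif s.owners - {user}:
            report["retained"].append(s.name)      # someone else already owns it
        else:
            report["needs_new_owner"].append(s.name)  # shared, but user was the only owner
    return report


# Constructed sample data for the departing user "alice".
SAMPLE_SECRETS = [
    Secret("personal-vpn", owners={"alice"}),
    Secret("team-db-root", owners={"alice"}, shared_with={"bob", "ops-group"}),
    Secret("shared-ci-token", owners={"alice", "bob"}, shared_with={"ops-group"}),
    Secret("hr-portal", owners={"carol"}, shared_with={"alice"}),
]

if __name__ == "__main__":
    for category, names in offboarding_report("alice", SAMPLE_SECRETS).items():
        print(f"{category}: {names}")
```

Anything listed under `needs_new_owner` should be reassigned while the user can still decrypt, since sharing with someone new afterwards is not possible.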

Hi @clayton and thank you very much for clarifying.
I see that there is a logic behind the scenes.

Another chance of just deactivating a user is impossible?
Sometimes users come back or just take a longer timeout.
At that point I’d like to have the possibility to just deactivate a user and block future logins.
After returning and being re-activated, the user (who naturally has to keep his private key and passphrase) can proceed working on the “old” database and secrets.

Wouldn’t this be a benefit for other passbolt admins (and users, of course) too?

Cheers,
HappyMan4

No one has any thoughts on this?

@HappyMan4

Let’s consider the worst-case scenario combined with your request.

  • the user does not share any passwords, and leaves
  • you delete the user and they can no longer access passbolt
  • they return, and they know their own passwords but don’t want to re-enter them
  • SOLUTION: before they leave, have them export their own passwords

On the other hand, let’s consider they have all passwords shared, with others or by others.

  • others have the passwords still, and the passwords are in the system
  • when the user returns those same passwords are desired to be shared
  • SOLUTION: before they leave, create a group that has all of their passwords. When they return, add them to the group so they have them again.

The difference in approach might be in making passwords and groups the focus, rather than the user. But, I guess it depends on your use case.

Yes, okay, I’ll have to deal with that. Let’s see if that works for us. Thank you for replying.


Related feature request: As an administrator I can disable users - #2 by remy
