User deactivation


If this is not the correct category for my question, kindly excuse me, as this is my first post.
We’re in alpha state / testing the functionality of passbolt.
When an employer leaves the company what is the right method to deactivate the corresponding account?
Deleting a user also deletes password entries, is that correct?

Searching for this topic didn’t bring me the right results, so I want to give you, the experts, a chance to point me in the right direction. Thanks for your patience.


Hey @HappyMan4, welcome to the forum! I think it is safe to say our forum is missing a category for this sort of more general question about passbolt.

When you have to offboard a user, some secrets are deleted and some aren’t. This will depend on if the secret has been shared or not.

If a secret was created by the user and they didn’t share it with anyone, it will be deleted.

If a secret was created by the user and they shared it with another user or group, then that one won’t be deleted; the admin will be prompted to assign the secret a new owner (assuming it wasn’t shared as owner).

If the user has already left the organization, you won’t be able to share the secrets, since they are stored encrypted to the user’s key and the only way to share is to decrypt with that key and then encrypt with the key of the new user to share with.

Hi @clayton and thank you very much for clarifying.
I see that there is a logic behind the scenes.

Another chance of just deactivating a user is impossible?
Sometimes users come back or just take a longer timeout.
At that point I’d like to have the possibility to just deactivate a user and block future logins.
After returning and being re-activated, the user (who naturally has to keep his private key and passphrase) can proceed working on the “old” database and secrets.

Wouldn’t this be a benefit for other passbolt admins (and users, of course) too?