This article explains Organization Account Lifecycle Management with respect to License Seats.
Organization Account Licensing
When you create an Organization, it is appropriated a certain number of License Seats you can use to deploy Accounts (Users). Licensing Terms vary, but in general you can utilize Seats in very flexible ways.
For example, if you have part-time or limited-duration consultants working with your team, you can deploy Accounts for their use then re-use the Seat after their time on the job completes - without the need for purchasing additional License Seats.
You can, in fact, re-enable the same Account for continued use at a later time, retaining access to all prior managed content. This requires that you have a Seat available to re-associate with the Account.
This article explains Account removal and License Seat re-use, and the impact it has on event reporting history and shared data.
Managing Accounts and Features
Manage Accounts from within the Administer Users interface, available only to Privileged Organization Users - the single Organization Administrator and assigned Delegates. You can promote/ demote any Account to/ from Delegate status from this interface, and also manage most all other Account features. Refer to the article, Managing Organization Users, for an introduction. Refer to the article, Adding Features/ Components, for more information on adding/ removing features to/ from your Organization as a whole.
Deleting an Account
From the Administer Users interface, choose the appropriate Account then click Delete. You will be prompted with information clarifying that the operation is permanent, and cannot be reversed. Confirm that you wish to proceed, or decline if you are unsure.
NOTE: You will most often want to Disable an Account rather than Delete it, since Delete is not reversible and Disable releases the License Seat for re-use.
When you Delete an Account, as a convenience, the software checks for a matching local Profile and, if found, prompts you for removal. If you proceed, the Profile is removed, though all other resources remain - including the Default Folder and any files managed by the Deleted Account. These resources must be manually removed from host computers, if/ when desired.
Deleted Account Data Availability
If your Organization uses (or used) :Recover, and at any time the Deleted Account utilized its' operation, you can use :xRecovery to acquire related content. This is useful if the associated User is uncooperative, unavailable, or chose to delete host-local data before or upon departure: :Recover content cannot be deleted by end-users, and can only be removed after several steps by Privileged Organization Users, as noted in this article.
Note that, if your Organization is not configured to use :xRecovery, you can add it then apply it to retroactively access :Recover data. Refer to the article, SSProtect Licensing, for more information.
Accessing Data for Deleted Accounts
There are a few ways to access data created and managed by a Deleted Account - you can acquire the files directly, or if they are unavailable, you can use :xRecovery to request an offline Archive.
When gathering files manually, cross-reference scope by generating an :Assess File Report and filtering for the associated Account Username. All Account content remains accessible by all authorized to view it - both Organization Peers and Third Party Trusts - since keys are not removed when an Account is Deleted.
If managed data isn't available, from the Administer Users display, choose the Deleted Account then click Archive. If :xRecovery isn't configured, you will receive an error. Otherwise, you will be redirected to the :xRecovery Panel where the Username will be present. Choose whether or not you want all Versions of managed content (or only the latest), then click Request to proceed. For more detail, refer to the article, Abbreviated Procedures for :xRecovery.
Recovering an Account Seat
Once you are confident you have all data managed by the removed User, in the Administer Users display, choose the associated Account then click Recover Seat. This will remove the Account from your Userlist and make the License Seat available to the Organization for re-use (re-assignment).
Note that this makes the associated :Recover Archive available for MSP removal at any time.* Be sure you have access to all Account data before recovering the associated Seat, else you will have to request a fairly difficult Recovery procedure that is costly, time-consuming, and may not provide the latest content.
* Note that a User's Archive is NOT made available for removal if his/ her Account is Disabled, a temporary operation more fully described in related User Management documentation.
Impact of Deleting an Organization Account
When you Delete an Organization Account, sharing keys/ event information is not removed. This preserves ongoing use of managed content despite the User being removed. This also retains critical historical event access data required for accurate/ Objective Disclosure Risk Analysis, reflected in the continued accuracy and precision of all related :Assess reports and :Respond proceedings. Refer to the article, Using :Respond, for details.
Support can Purge an Account anytime after you perform the Recover Seat operation. Purging removes all resources associated with an Account except sharing keys, event history data, and supporting resources that tie information to your Organization. This operation returns Quota back to your Organization for re-appropriation, and marks :Recover Archive content removable (though it is often not removed until much later - but it's important to assume the data is removed immediately so as not to rely on the time-consuming and expensive recovery procedures required to reclaim this type of content).
Cannot Re-Use Deleted Account Usernames
You cannot re-use an SSProtect Account Username. If re-engaging a removed User, use a different email account. This may be modified in the future, though at the present does not permit re-use of any existing or previous Account Username.
There is one way to permanently remove data from your Organization - work with Support to first Delete all Accounts (except the one Administrator, which cannot be Deleted) and execute Recover Seat operations for each before coordinating Organization Removal. This is a one-time, irreversible process that removes all information associated with your Organization.
NOTE: This does NOT remove data from ongoing internal MSP backups, and though managed content is never available to the MSP, we can make arrangements to handle MSP Backup operations that preclude or isolate your Organization's content. Contact Support for details.
SSProtect retains data and event history information for Organization Accounts even after they are Deleted. Purge operations mark :Recover Archive data for removal, but may retain it for an undefined period of time (unless you have executed special provisions for you Organization).
Remember that the KODiAC Cloud Services operator never has access to the materials required to recover plaintext content when you use Hybrid and/ or Optimized Offloading conversion modes. The same remains true for Double Conversion only when you do not make your MSP a Third Party Trust. See Operating Modes for details.
More importantly, if a malicious Organization User attempts to delete managed content, he/ she cannot affect content managed by :Recover and subsequently (retroactively) available to :xRecovery operations.
Finally, it's worth noting that malicious intrusion of the cloud service layer is insufficient to acquire plaintext access to your content - the keys managed on your host computers, specific to your User's Profiles, remain isolated over time.
You can search this site for more information on various topics, or use this link to submit a specific request. You can also send email directly to firstname.lastname@example.org, and our staff will respond to your needs as soon as possible.
This article was updated w/ v10.0.4 of the :Foundation Client