Access to resources can be revoked either by deselecting all resources a user is bound to (including User Groups, Devices, and Directories) or by deleting the user from the directory. Whether you unbind or delete the user, the behavior on the resource is as described below.
User Bindings
Warning: Use caution when unbinding users from devices. If the device has no user accounts on it, the device can become locked and inaccessible.
Behavior when removing a direct binding from a resource in a User's details tab:
- Devices: The system endpoint must be active for the following to occur; otherwise the changes will be delayed until it becomes active. The user is disabled/suspended within the OS. No user data is changed or removed from the filesystem. If the user is also a member of a group bound to the device, the relationship will persist until group membership is also removed.
  - Mac: The account will be put in a suspended state, and the user will no longer appear in Users & Groups in System Settings. The user’s home directory is unaffected.
  - Windows: In Local Users and Groups, the account will be marked disabled and group membership will be revoked. The user’s directory is unaffected.
  - Linux: The password is locked by prepending a ! to the password in /etc/shadow (equivalent to passwd -l), and any authorized keys are removed from the device.
- SSO Applications: The SSO application icon will be removed from the User Portal, and the user will not be able to authenticate with SAML workflows. Existing sessions may remain active until Service Provider logout or session timeout.
- SCIM Integrations: The user will be deactivated or deleted in all SCIM Identity Management applications. The behavior on deactivation is controlled by the Service Provider.
- RADIUS: Users will no longer be able to authenticate via RADIUS. Existing sessions may remain active until logout.
- Google Workspace*: The user will be suspended and placed in the Suspended Users group within the Google Administrator Console. Google typically expires existing sessions on all devices within a few minutes.
- Microsoft 365*: The user will be disabled within the Microsoft 365 Admin Portal. Microsoft typically expires existing sessions within a few minutes.
- JumpCloud LDAP*: The user will no longer be able to authenticate via LDAP and will no longer exist in the LDAP instance. Existing session behavior will be subject to the functionality of the application being used.
* If you try to remove access for a user directly (not through a user group) and the user is also a member of a resource group that provides access, the user must also be removed from that group. You will be prompted to complete this action.
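As an added example (not JumpCloud code), the following Python check confirms on a Linux device that the revocation described for Linux above took effect: the password field in /etc/shadow starts with ! and no authorized keys remain. The function names, usernames, and sample shadow lines are constructed for illustration, and the key path assumes sshd's default ~/.ssh/authorized_keys.

```python
import os
import sys
from pathlib import Path

# Constructed sample /etc/shadow content; the hashes are placeholders.
SAMPLE_SHADOW = """\
root:*:19700:0:99999:7:::
alice:!$6$salt$placeholderA:19700:0:99999:7:::
bob:$6$salt$placeholderB:19700:0:99999:7:::
carol:!!:19700:0:99999:7:::
"""

def password_locked(shadow_text, user):
    """True/False if the user's password field starts with '!'; None if absent."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == user:
            return fields[1].startswith("!")
    return None

def active_keys(authorized_keys_text):
    """Key lines that are neither blank nor comments."""
    lines = (l.strip() for l in authorized_keys_text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def audit(shadow_text, keys_by_user, revoked_users):
    """Map each revoked user to the reasons they could still log in."""
    findings = {}
    for user in revoked_users:
        problems = []
        locked = password_locked(shadow_text, user)
        if not locked:
            problems.append("no shadow entry" if locked is None else "password not locked")
        # A locked password does not block SSH public-key logins, so check keys too.
        if active_keys(keys_by_user.get(user, "")):
            problems.append("authorized_keys still present")
        if problems:
            findings[user] = problems
    return findings

def read_keys(user):
    """Assumes sshd's default AuthorizedKeysFile (~/.ssh/authorized_keys)."""
    path = Path(os.path.expanduser("~" + user)) / ".ssh" / "authorized_keys"
    return path.read_text() if path.is_file() else ""

if __name__ == "__main__":  # run as root on the device; usernames as arguments
    users = sys.argv[1:]
    keys = {u: read_keys(u) for u in users}
    print(audit(Path("/etc/shadow").read_text(), keys, users))
```

An empty result means neither the password nor an SSH key remains usable for the listed users.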
User Group Bindings
Warning: Use caution when unbinding users from devices. If the device has no user accounts on it, the device can become locked and inaccessible.
Behavior when removing a User Group binding from a resource:
- Devices, SSO Applications, and RADIUS: All users in the group will have access revoked in the manner explained for direct binding above.
- Google Workspace*, Microsoft 365*, JumpCloud LDAP*: All users in the group will have access revoked in the manner explained for direct binding above. Groups unbound from LDAP will no longer be presented in the LDAP instance.
* If the user was bound directly to the resource before also being bound via group membership, the direct binding will persist until it's also unbound in the User details.