When a person with access to your site(s) on the platform leaves the company or project, it is important to immediately remove them from the team so that they no longer have access to make changes to your site.
After a user leaves, we recommend you:
- Delete or block the user's account in Drupal or WordPress.
- Remove the user from the team and/or organization in the Pantheon Dashboard.
- Change any shared account passwords the user may have had access to.
- Review the Git history in the commit log to see if the site team member made code changes after leaving. See recommendations from Drupal and WordPress.
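One way to carry out the Git history review from the list above, shown as an added example that is not part of the platform's own documentation. The helper name, email addresses, cutoff timestamp and sample log lines are all constructed for illustration; the `git log` format placeholders are standard Git.

```shell
#!/bin/sh
# Added example: flag commits tied to a departed team member.
# Input (stdin), one commit per line, as produced inside the site's repository by:
#   git log --all --format='%H|%ae|%ce|%at|%ct|%s'
# Fields: hash | author email | committer email | author epoch | committer epoch | subject

# flag_departed_commits EMAIL CUTOFF_EPOCH   (hypothetical helper name)
# Prints "hash<TAB>role<TAB>subject" for every commit where EMAIL is the author
# or committer and either timestamp is at or after CUTOFF_EPOCH.
flag_departed_commits() {
    awk -F'|' -v email="$1" -v cutoff="$2" '
        BEGIN { email = tolower(email) }
        {
            is_author    = (tolower($2) == email)
            is_committer = (tolower($3) == email)
            if (!is_author && !is_committer) next
            # Check both dates: the author date survives rebases and can be
            # set to any value, so a late committer date alone is enough.
            if ($4 + 0 < cutoff + 0 && $5 + 0 < cutoff + 0) next
            # The subject may contain "|"; rebuild it from field 6 onward.
            subject = $6
            for (i = 7; i <= NF; i++) subject = subject "|" $i
            role = is_author ? (is_committer ? "author+committer" : "author") : "committer"
            printf "%s\t%s\t%s\n", $1, role, subject
        }'
}

# Constructed sample input (not real commits); departure cutoff is 1700000000.
sample_log() {
    cat <<'EOF'
aaa1111|alex@example.com|alex@example.com|1699000000|1699000000|Update theme styles
bbb2222|alex@example.com|alex@example.com|1700500000|1700500000|Change settings.php
ccc3333|alex@example.com|alex@example.com|1698000000|1700600000|Tweak plugin | old author date
ddd4444|sam@example.com|Alex@Example.com|1700700000|1700700000|Merge hotfix
eee5555|sam@example.com|sam@example.com|1700800000|1700800000|Routine update
EOF
}

# Demo on the constructed data: flags bbb2222, ccc3333 and ddd4444.
sample_log | flag_departed_commits "alex@example.com" 1700000000
```

Author and committer identities and dates are written by the Git client, so treat the output as a first pass and review any commit made after the departure date that you cannot attribute to a current team member.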
When you delete a user from a site, they lose the ability to perform any site operations via the Dashboard or Terminus.
To remove a team member from a site, follow these steps.
When you delete a user from an organization, they lose the ability to perform any operations on the sites within the organization. Only admin roles can remove people from organizations.
- From the Organization Dashboard, click the People tab.
- Select the box next to the user, and click Operations.
- Select Remove User.
- In the confirmation pop-up, type "remove" and click the "I understand the consequences, remove this user" button.
When a developer creates a site in a partner organization, they automatically become the "Site Owner/User in Charge" until the business owner starts paying for the site and becomes the owner. Organization admins cannot delete users from an organization until the listed owner no longer owns any sites in the organization.
The user account in question must transfer ownership to another person in the organization. Partner organization admins cannot change ownership of sites. If the organization is using SAML for single sign-on, you should be able to log in as the user and make the necessary changes. Partners without SAML will need to contact support to request an ownership change, which may take 24-48 hours. As a workaround, admins can download a backup of the site, import it as a new site, move the domain name from the original site to the imported site, and delete the original site(s).
For all sites, we recommend instructing users to change their passwords regularly, using two-factor authentication, restricting access with Change Management, and carefully planning who will create client sites in the organization.