When a user should no longer have access to your program (such as separated employees), the user must be blocked and demoted in the SocialChorus platform in order to terminate their access to the program. This block and demotion requirement applies to all programs, including programs with SSO that manage users in their IdP or AD.
- Blocking a user terminates any active experience sessions with SocialChorus, and will not allow the user to sign back in (even if they are still active in your SSO IdP).
- Demoting a user refers to changing the role of a studio user from studio-level to member. The demotion will terminate their access to Program Studio.
"Deprovision" means "block AND demote" in this article. Blocking and demoting terminates access to both the experience and Program Studio for all users except Administrators.
Administrators must be manually demoted - none of the following deprovisioning options will demote an Administrator.
Option 1: Deprovision via Users Page
Individual users can be blocked and demoted, as outlined in the article Manage Studio and Experience Access. Both Email Registration and SSO programs can leverage this option to cut off access for a user immediately.
Option 2: Deprovision Via File Upload
One or more users can be deprovisioned by uploading a user data file via SFTP. One advantage of the user data file is that you can also reprovision (unblock) users via the file upload.
The file upload option is most common for programs with Email Registration combined with User Verification, but can be leveraged by any program including SSO. To discuss setting up this deprovision via file upload configuration, please talk to your Engagement Manager.
If you are currently leveraging user verification or otherwise have reason to believe that your program is leveraging the deprovision via file upload option, you can contact firstname.lastname@example.org to confirm your deprovisioning configuration and troubleshoot any issues.
Option 3: Deprovision Via API Call
Users can be deprovisioned using the Deprovisioning API Call. Only one call can be issued per user, but your IT team may be able to configure the Deprovisioning API Call to occur automatically via a script. There is no Reprovision API Call. Users who are deprovisioned via API call can only be reprovisioned (unblocked) manually.
To review how to set up Deprovisioning API Calls, please reach out to your Engagement Manager.
If you already have the Deprovisioning API Calls set up and being sent to SocialChorus, you can contact email@example.com to troubleshoot any issues such as unfamiliar errors or unexpected behavior.
For programs configured to have users register and sign in via SSO, removing a user from your Identity Provider (IdP, sometimes referred to as AD) will NOT terminate access to your program. To terminate access to the experience and Program Studio, SSO users must be deprovisioned with SocialChorus.
The user must be deprovisioned with SocialChorus because SocialChorus only communicates with your IdP when the user signs into the platform. After successful authentication, users can remain signed in for 30 days or more. Therefore, if access is only terminated within the IdP, users may continue to have access for 30 days or more.
Most SSO programs prefer to script Deprovisioning API calls, but can leverage any one of the 3 options outlined above.