Appendix E: 1Password Deprovisioning #
This appendix covers the procedure for deprovisioning a departed employee’s 1Password account and ensuring that no shared credentials are orphaned.
E.1 Pre-Deprovisioning Review #
Before removing the employee’s 1Password account, IT must review vault assignments and shared items to ensure business continuity.
- Review the employee’s 1Password vault assignments. Identify any shared vaults where the employee is the sole member or owner.
- Transfer ownership of any shared vaults to the appropriate successor.
- Review any items the employee created in shared vaults. Confirm they remain needed and accessible to other team members.
- Identify any credentials in the employee’s private vault that may be needed for business continuity (e.g., service accounts created by the employee). Coordinate with the manager to recreate or rotate these credentials.
E.2 Account Deprovisioning #
- Deprovision the employee’s 1Password account from the admin console. This immediately revokes access to all vaults.
- Confirm the user no longer appears in the active user list.
E.3 Post-Deprovisioning Credential Rotation #
After deprovisioning, rotate any shared credentials the employee had access to.
| Credential Type | Rotation Timeline |
|---|---|
| Infrastructure credentials (DNS, hosting, Cloudflare, Rackspace) | Immediate — rotate on last day |
| Service account passwords and API keys | Within 24 hours |
| Shared application credentials (WordPress admin, Jira, etc.) | Within 72 hours |
| Low-risk shared credentials (internal tools, non-privileged accounts) | Within 1 week |
**Important:** All shared credentials the departed employee had access to should be rotated within 72 hours of departure at the latest. Critical credentials (infrastructure, DNS, hosting) should be rotated immediately on the last day.