A user has left your organization. You need to ensure they can no longer access any Aritma resources.
Approach: Find all their policies and delete them. If they are in any groups, remove them from those groups.
- An access token with IAM admin permissions
- The subject ID of the user whose access you want to revoke
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies
- IAM API: https://api.dev.aritma.io/core/iam/v1/policies
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies?pageSize=100&cursor=eyJhbGciOiJub25lIn0&includeDerived=false&includeInherited=false&subject=user-00000000-0000-0000-0000-000000000000&scope=https%3A%2F%2Fapi.aritma.com%2Ftenants%2Fmy-tenant&action=iam.policy.read' \
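-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
Filter by subject using the user's subject ID. Repeat with pagination if the response includes a cursor. The scope, action and cursor values in the sample request are placeholders: for offboarding, leave out scope and action so that the listing is not narrowed, and send a cursor only when the previous response returned one.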
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies
- IAM API: https://api.dev.aritma.io/core/iam/v1/policies
curl -i -X DELETE \
https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"subject": "user-00000000-0000-0000-0000-000000000000",
"scope": "/subscriptions/123",
"action": "iam.policy.read"
}'
Repeat for each policy returned in step 1.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/{subject}/memberships
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/{subject}/memberships
curl -i -X GET \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/{subject}/memberships?page=1&pageSize=100' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
This returns all groups the user currently belongs to. Group membership may grant additional permissions through group-level policies.
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups/{groupSubjectId}/members
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/groups/{groupSubjectId}/members
curl -i -X DELETE \
'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups/{groupSubjectId}/members' \
-H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
-H 'Content-Type: application/json' \
-d '{
"subjectIds": [
"user-00000000-0000-0000-0000-000000000000"
]
}'
Repeat for each group returned in step 3.
Access is revoked immediately — there is no delay or cache TTL to wait for.
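The four requests above as one routine that lists the user's policies and memberships again afterwards to confirm both are empty. This is an added example, not Aritma's own code: the response field names (`items`, `cursor`, `subjectId`) and the rule that a short membership page is the last one are assumptions to check against the API reference.

```python
# Added example, not Aritma code. Assumed response shapes (not on the page):
# lists return {"items": [...]}, policy lists add "cursor" while more pages
# remain, and each membership item names its group under "subjectId".
import json
import urllib.request
from urllib.parse import quote, urlencode
BASE = "https://api.dev.aritma.io/core/iam/v1"
PAGE = 100

def http_call(token):  # real transport for the IAM API; needs network access
    def call(method, path, params=None, body=None):
        url = BASE + path + ("?" + urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return call

def list_policies(call, subject):
    """Step 1: filter by subject only and follow the cursor to the last page."""
    params, found = {"subject": subject, "pageSize": PAGE}, []
    while True:
        page = call("GET", "/policies", params)
        found += page.get("items", [])
        if not page.get("cursor"):
            return found
        params = {**params, "cursor": page["cursor"]}

def list_groups(call, subject):
    """Step 3: page through memberships; a short page is taken as the last one."""
    path, number, groups = f"/subjects/{quote(subject, safe='')}/memberships", 1, []
    while True:
        items = call("GET", path, {"page": number, "pageSize": PAGE}).get("items", [])
        groups += [m["subjectId"] for m in items]
        if len(items) < PAGE:
            return groups
        number += 1

def offboard(call, subject):
    """Run steps 1-4, then list again to confirm nothing is left."""
    policies = list_policies(call, subject)
    for p in policies:  # step 2: one DELETE per policy
        call("DELETE", "/policies", body={k: p[k] for k in ("subject", "scope", "action")})
    groups = list_groups(call, subject)
    for g in groups:  # step 4: remove the user from each group
        call("DELETE", f"/subjects/groups/{quote(g, safe='')}/members", body={"subjectIds": [subject]})
    clean = not list_policies(call, subject) and not list_groups(call, subject)
    return {"policies_deleted": len(policies), "groups_removed": len(groups), "clean": clean}
```

Call it as `offboard(http_call(token), subject_id)` and treat `clean: False` as a reason to repeat the listing steps before closing the offboarding ticket.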
- To delete the user subject entirely, see User Management
- To manage groups and their members, see Groups
- To review remaining policies across your tenant, see Policies