# Revoke Access for a Departed User

A user has left your organization. You need to ensure they can no longer access any Aritma resources.

**Approach:** Find all their policies and delete them. If they are in any groups, remove them.

## Prerequisites

- An access token with IAM admin permissions
- The subject ID of the user whose access you want to revoke


## Step 1: Find all policies for the user

Filter by `subject` using the user's subject ID. Repeat with pagination if the response includes a `cursor`.

## Step 2: Delete each policy

Repeat for each policy returned in step 1.

## Step 3: Check group memberships

This returns all groups the user currently belongs to. Group membership may grant additional permissions through group-level policies.

## Step 4: Remove from each group

Repeat for each group returned in step 3.

Access is revoked immediately — there is no delay or cache TTL to wait for.

## Next steps

- To delete the user subject entirely, see [User Management](/apis/platform/iam/guides/user-management#delete-a-user)
- To manage groups and their members, see [Groups](/apis/platform/iam/guides/groups)
- To review remaining policies across your tenant, see [Policies](/apis/platform/iam/guides/policies)