Block, deauthorize, and deactivate

Updated

Overview

Incydr administrators can use block, deauthorize, and deactivate actions to control access to data and manage accounts. This article explains the impact each of these actions have on organizations, users, and devices in your environment.

Considerations

  • You must have administrative role permissions to perform block, deauthorize, and deactivate actions from the Incydr console.
  • You should understand the basic information hierarchy of your Incydr environment, including the definitions below:
    • Agent: An installed instance of Incydr software. A single device may have a combination of the insider risk and backup agents installed.
    • Device: The physical endpoint upon which an agent is installed.
    • Organization: The hierarchical level in the Incydr environment for users and agents. Each user can belong to only one organization. You can define many settings at the organization level; different organizations can have different settings. An organization can contain child organizations, and an organization can exist without containing any users.
    • User: A single account in your Incydr environment. A user always belongs to one (and only one) organization. A user licensed for backup has a single set of sign-in credentials (username and password) and a single encryption key unique to their backups.

Blocking, deauthorizing, and deactivating at a glance

  • Blocking is a non-destructive action that prevents user access to your Incydr environment. Blocking only applies to the backup add-on.
  • Deauthorizing signs a user out of the backup agent. The user can sign in again at any time. Deauthorizing only applies to the backup add-on.
  • Deactivating is a destructive action that stops all activity for an agent, user, or organization.

The following table provides additional details about each action:

  Incydr monitoring Backup activity1 Possible Backup Data Loss1 Applies to agents Applies to users Applies to organizations
Block1 n/a Continues No Yes Yes Yes
Deauthorize1 n/a Stops No Yes No No
Deactivate Stops Stops Yes Yes Yes Yes

1 Backup agent only

Block

Backup agent only

Blocking prevents user access to the Incydr environment but is not destructive to existing data. Backups continue without interruption. Specific implications for agents, users, and organizations are detailed below.

Agent

When you block an agent:

  • Users are signed out of the backup agent on the device and cannot sign in again on that device.
  • Users cannot access the backup agent on the device to restore data or change settings.
  • Users can continue to use other devices.
  • Existing backups are not affected.
  • The backup agent service continues backing up new data on the device without interruption.
User

When you block a user:

  • Users cannot sign in to any part of your Incydr environment:
    • Users cannot sign in to the backup agent on any device.
    • Users cannot sign in to the web-based Incydr console.
    • Users cannot register or sign in from a new device.
  • Users cannot restore data or change settings.
  • Existing backups are not affected.
  • The backup agent service continues backing up new data on the device without interruption.
  • The insider risk agent for the user is not affected. Incydr monitoring continues without interruption.
Organization

When you block an organization, all users in the organization are blocked, as well as all users in child organizations.

Blocks and licenses

Blocked agents still use a license.

Use case examples

  • Theft or loss: you may want backups to continue while searching for the device, but want to prevent unauthorized access to backup archives.
  • Licensing: if you are managing backups for a third party, you may need to block a user for billing purposes.
  • Legal: in legal proceedings, you may need to restrict access to data due to a legal hold. Users on legal hold cannot be deactivated, but they can be blocked. 

Unblock

When you unblock an agent, user, or organization, normal access is restored.

Deauthorize

Backup agent only

Deauthorization only applies to agents. Users and organizations cannot be deauthorized. 

When you deauthorize an agent:

  • The current user is signed out of the backup agent. Users can sign in again at any time.
  • No data is deleted. However, backup activity stops until the user signs in again.
  • Users cannot access the backup agent to restore data or change settings without signing in again.
  • The insider risk agent for the user is not affected. Incydr monitoring continues on the device without interruption.

Deauthorizations and licenses

Deauthorized devices still use a license.

Use case examples

  • Troubleshooting: deauthorization is sometimes requested by our Technical Support Engineers.
  • Testing: deauthorizing a device can be used to test a user's credentials or other behavior.
  • Theft or loss: the device will be unable to back up or restore files until the user has signed back in to the device.

Deactivate 

Deactivation is a destructive action that prevents access to the Incydr environment and removes user data from devices. Specific implications for agents, users, and organizations are detailed below.

Insider risk agent

Deactivation

For deactivation instructions, see Deactivate and reactivate users and agents.

Agent

When you deactivate an agent, Incydr monitoring stops for that agent.

User

When you deactivate a user:

  • Incydr monitoring stops for the user and all of their agents.
  • User file event data is still retained for the duration of your Event data retention period.
  • Audit Log activity is retained for the duration of your Event data retention period. To maintain Audit Log output for longer than this period, export the results to your own systems for storage.
  • Alerts triggered by the user remain available in Alerts for the duration of your Event data retention period. To maintain alerts for longer than this period, export alert notification details via the Incydr API to an external file or to your security information and event management (SIEM) tool. See the Developer Portal for more information.
  • The license for the user is removed.
Organization

When you deactivate an organization, all users in the organization are deactivated, as well as all users in child organizations.

Use case examples

  • Offboarding: Deactivate a user account when an employee leaves the company.
  • Device recycling: Deactivate a device when permanently removing it from service.

Reactivation

Reactivation resumes Incydr monitoring for affected users and agents. For step-by-step instructions on reactivating a deactivated user or agent, see Deactivate and reactivate users and agents.

Agent

When you reactivate an agent, Incydr monitoring resumes within 24 hours. 

Agents can only be re-activated within 30 days of deactivation. After 30 days, you must uninstall and redeploy the insider risk agent to resume Incydr monitoring.

User
  • When you reactivate a user, Incydr monitoring resumes.
  • Insider risk agents that were deactivated as a result of the user deactivation are also automatically reactivated. (Agents deactivated before January 6, 2026 must be reactivated manually.)
Organization

When you reactivate an organization, users in the organization remain deactivated. To reactivate users, see Deactivate and reactivate users and agents.

Backup agent

Permanent Data Loss Warning
Deactivation can destroy data, unlike blocking or deauthorizing. Deactivated archives on a cloud destination are placed into cold storage for the configured cold storage period. Once the cold storage period has passed, the archive is permanently deleted. Archives backed up to a local folder are immediately deleted upon deactivation. Cold storage is only available for cloud destinations.

Deactivation

For deactivation instructions, see Deactivate and reactivate users and agents.

Agent

When you deactivate an agent:

  • Backups stop.
  • The user is signed out of the backup agent on that device.
  • The user can sign in again at any time, but backup archives previously associated with the agent will no longer be present.
  • Restores are not available for files backed up from that device.
  • Backup archives are removed from all backup destinations and sent to cold storage. Archives in cold storage do not continue to back up and do not undergo regular archive maintenance. By default, archives are permanently deleted from cold storage after 14 days. To change the default, update the Move deactivated archives to cold storage for quota value.
  • In environments that use customized agent installers configured to auto-register users, block the agent before deactivating. Without first blocking the agent, it may reactivate automatically.
User

When you deactivate a user:

  • Backups stop for the user.
  • Users are signed out of all backup agents and online sessions and cannot sign in to any part of your environment:
    • Users cannot sign in to the backup agent on any device.
    • Users cannot sign in to the web-based Incydr console.
    • Users cannot sign in until being reactivated.
  • Backup archives are removed from all backup destinations. All of the user's backup archives are sent to cold storage. Archives in cold storage do not continue to back up and do not undergo regular archive maintenance. By default, archives are permanently deleted from cold storage after 14 days. To change the default, update the Move deactivated archives to cold storage for quota value.
  • Audit Log activity is retained for the duration of your Event data retention period. To maintain Audit Log output for longer than this period, export the results to your own systems for storage.

Users on legal hold cannot be deactivated
Backup agent only
If users who are custodians under a legal hold are subsequently selected for deactivation (for example, from the Incydr console, a provisioning provider, or API), they are not deactivated immediately because their data must be retained for legal hold purposes. Instead, they are blocked. Once these blocked users are released from legal hold, they are deactivated automatically. 

Organization

When you deactivate an organization, all users in the organization are deactivated, as well as all users in child organizations.

Deactivation and licenses

A deactivated user still uses a license as long as the user's archive exists in cold storage. Once the archive is purged from cold storage, the user no longer consumes a license.

Use case examples

  • Reclaiming licenses: deactivation is the only action that can free licenses that are being used.
  • Offboarding: deactivate a user account when an employee leaves the company.
  • Device recycling: deactivate a device when permanently removing it from service.

Reactivation

Reactivation restores access to the Incydr environment, and makes deactivated backup archives available for use once again by affected users, agents, and the Incydr cloud. For step-by-step instructions on reactivating a deactivated user or agent, see Deactivate and reactivate users and agents.

Limited time to recover deactivated archives
Archives must be reactivated before the end of the cold storage period.

Agent

When you reactivate an agent:

  • Backups resume.
  • The deactivated backup archives are made available for use once again by the agent if the agent is reactivated before the end of the cold storage period.
User

When you reactivate a user:

  • Backups resume.
  • The deactivated user's backup archives are made available for use once again by each agent associated with the user, and all agents associated with this user account are reactivated immediately if the user is reactivated before the end of the cold storage period.
Organization

When you reactivate an organization, users in the organization remain deactivated. To reactivate users, see Deactivate and reactivate users and agents

Related topics

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.