IBM Cloud Docs
Removing users from an account

When you remove a user from an account, the user can no longer log in to the console, switch to your account, or access account resources. Removing a user from an account doesn't delete the IBMid for the user.

Only account owners and users with the correct access can remove others. If you use a service ID to authenticate, you can't remove users from the account. The following access is required for removing users from an account:

  • An Identity and Access Management (IAM) policy for the User management account management service with the Administrator role assigned.
  • If you have classic infrastructure in your account, a user must have an IAM policy for the User management account management service with the Administrator role assigned and be an ancestor of the user in the classic infrastructure user hierarchy with the Manage user classic infrastructure permission assigned.

As an alternative to removing a user from your account, you can assign them an access policy with a temporary time-based condition. This way, the user can log in to the console and view the account in their account list, but can't access resources in the account before the policy begins or after the policy expires. For more information, see Creating a temporary time-based condition.

Removing a user from an account in the console

To remove a user from an account, complete the following steps:

  1. In the IBM Cloud® console, click Manage > Access (IAM), and select Users.
  2. From the row of the user that you want to remove, click the Actions icon > Remove user.

Any resources that are created by the user remain in the account, but any IBM Cloud API keys that the user created are removed. The user no longer has access to work with the resources they created. The account owner or an administrator for the service or service instance can assign other users to work with the resources, or delete them from the account.

If you get an error message that states a classic infrastructure user can't be removed, make sure that any descendants in the user hierarchy for that user are assigned a new parent, disabled in the account, or deleted. Then, you can try again.

Removing a user from an account by using the CLI

To remove a user from an account, run the following command:

ibmcloud account user-remove USER_ID [-c ACCOUNT_ID] [-f, --force]

For command options, see Managing accounts and users CLI commands.

Removing a user from an account by using the API

To remove a user from an account, call the User Management API as shown in the following sample request. Replace variables with the user's IAM ID. You must use a user token for authorization. Service IDs can't remove users from an account.

curl:

curl -X DELETE 'https://user-management.cloud.ibm.com/v2/accounts/987d4cfd77b04e9b9e1a6asdcc861234/users/IBMid-1000000000' \
  -H 'Authorization: Bearer <IAM_TOKEN>' \
  -H 'Content-Type: application/json'

Java:

// Identify the account and the IAM ID of the user to remove.
RemoveUserOptions removeUserOptions = new RemoveUserOptions.Builder()
  .accountId(accountId)
  .iamId(deleteUserId)
  .build();

service.removeUser(removeUserOptions).execute();

Node.js:

// Identify the account and the IAM ID of the user to remove.
const params = {
  accountId: accountId,
  iamId: deleteUserId,
};

userManagementAdminService.removeUser(params)
  .then(res => {
    console.log(JSON.stringify(res.result, null, 2));
  })
  .catch(err => {
    console.warn(err);
  });

Python:

import json

# Identify the account and the IAM ID of the user to remove.
response = user_management_admin_service.remove_user(
  account_id=account_id,
  iam_id=delete_user_id,
).get_result()

print(json.dumps(response, indent=2))

Go:

// Identify the account and the IAM ID of the user to remove.
removeUserOptions := userManagementService.NewRemoveUserOptions(
  accountID,
  deleteUserID,
)

response, err := userManagementAdminService.RemoveUser(removeUserOptions)
if err != nil {
  panic(err)
}
// Use the response so the snippet compiles; the status code confirms the outcome.
fmt.Println(response.StatusCode)
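
The following pre-flight check is an added example, not part of the IBM Cloud documentation or SDKs. It refuses to build the removal request when the bearer token belongs to a service ID or has expired, because service IDs can't remove users. The helper names, the iam_id and exp claim names, and the iam-ServiceId- prefix are assumptions, and the tokens are constructed, unsigned samples.

```python
import base64
import json
import time
from urllib.parse import quote

BASE_URL = "https://user-management.cloud.ibm.com"  # host from the sample request

def make_token(claims):
    """Constructed, unsigned JWT-shaped sample input for offline runs."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

def token_claims(token):
    """Decode (do not verify) the payload; this is a local sanity check only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(token, now=None):
    """Return reasons not to send the removal request (empty list means go)."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    problems = []
    # Assumption: service ID identities carry an iam_id starting "iam-ServiceId-".
    if str(claims.get("iam_id", "")).startswith("iam-ServiceId-"):
        problems.append("service ID token: a user token is required")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def build_remove_request(account_id, iam_id, token, now=None):
    """Build the DELETE request from the sample above, or refuse to."""
    problems = preflight(token, now)
    if problems:
        raise PermissionError("; ".join(problems))
    # Percent-encode both path segments so an odd ID cannot alter the URL path.
    url = (f"{BASE_URL}/v2/accounts/{quote(account_id, safe='')}"
           f"/users/{quote(iam_id, safe='')}")
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return {"method": "DELETE", "url": url, "headers": headers}

if __name__ == "__main__":
    user = make_token({"iam_id": "IBMid-2000000000", "exp": time.time() + 600})
    req = build_remove_request("987d4cfd77b04e9b9e1a6asdcc861234", "IBMid-1000000000", user)
    print(req["method"], req["url"])
    svc = make_token({"iam_id": "iam-ServiceId-constructed", "exp": time.time() + 600})
    print(preflight(svc))
```

The check only decodes the token locally to catch an obvious mistake before the call; the API still makes the authorization decision.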