Internal users - conduct a user audit
Keeping on top of who has access to your site, and revoking access when it’s no longer needed, is the best action to take from an information security perspective. It also ensures admin numbers aren’t unnecessarily high.
As a former Citizen Space site admin myself, I know how quickly the number of internal users can increase — which is great as it means more people are using the system and engaging with people’s views and feedback, but this also means that user management is necessary in order to make sure that only the people who need access to the data have it and to ensure that staff who are no longer with your organisation can't access the internal site.
In this article we'll be touching on the following topics:
- Export your site’s list of users
- Perform the audit
- Edit permissions and suspend users
- Communicate and stay informed
Export your site’s list of users
You can do a simple audit of who has access, what their permission level is, when they last logged in, and when they last reset their password by downloading the ‘Users’ export from your site.
If you are a Site Admin, Department Admin or Individual Admin you can export a list of users. Site Admins can export a list of all of your site's users, whereas Department and Individual Admins can only download a list of users within their own department.
To export a user list, select the 'Site' dropdown from the admin navigation bar across the top of the page and then select 'Settings'.
This will take you to the Site settings section, where you'll see that the page for managing users is the first page you come to.
In the top right-hand corner of the Users page, select 'Download This List of Users' and the file will automatically be downloaded.
The export is in an .xlsx format that includes:
- Full name
- Contact phone number
- Email address
- Department
- Position (this is the user's permission level within Citizen Space)
- Date of last login
- Status (whether the user is active or suspended)
- Date of last password change
- Account type (New, Local or External)
- Two-Factor Auth Status (this column is only visible if 2FA is enabled for your site - it says whether a user has 2FA enabled on their account or not)
Perform the audit
The Position, Last Login, Status and Last Password Change columns are the ones that give you the best information for performing the audit. You can check permission levels, identify individuals who have never logged in or who haven’t logged in for 1+ years, and see when their last password change was (this is particularly informative for site admins who follow our recommended guidance on setting passwords). To help you review the different permissions these users have, we also have a support article on user types and what they can do.
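One way to script these checks, as an added example that is not part of the original article or of Citizen Space itself. It assumes the 'Users' export has been saved as CSV, that the column headers match the names listed above, that dates are in YYYY-MM-DD format and that the 2FA column reads "Enabled" or "Disabled"; the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample rows: a trimmed 'Users' export saved as CSV.
# Header text, date format and the 2FA cell values are assumptions.
SAMPLE_CSV = """Email address,Position,Date of last login,Status,Two-Factor Auth Status
ana@example.org,Site Admin,2024-05-20,Active,Enabled
ben@example.org,Department Admin,2022-11-02,Active,Disabled
cat@example.org,Individual Admin,,Active,Disabled
dev@example.org,Individual Admin,2021-03-15,Suspended,Disabled
"""

def parse_date(cell):
    """Return a date, or None when the cell is empty (e.g. never logged in)."""
    cell = (cell or "").strip()
    return datetime.strptime(cell, "%Y-%m-%d").date() if cell else None

def audit_users(csv_text, today, stale_after_days=365):
    """Return (email, position, reasons) for active accounts that need review."""
    cutoff = today - timedelta(days=stale_after_days)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"].strip().lower() != "active":
            continue  # already suspended, so no access to revoke
        reasons = []
        last_login = parse_date(row["Date of last login"])
        if last_login is None:
            reasons.append("never logged in")
        elif last_login < cutoff:
            reasons.append("no login for 1+ years")
        # The 2FA column is only in the export when 2FA is enabled for the site.
        two_factor = row.get("Two-Factor Auth Status")
        if two_factor is not None and two_factor.strip().lower() != "enabled":
            reasons.append("2FA not enabled")
        if reasons:
            findings.append((row["Email address"], row["Position"], reasons))
    return findings

if __name__ == "__main__":
    for email, position, reasons in audit_users(SAMPLE_CSV, date.today()):
        print(f"{email} ({position}): {', '.join(reasons)}")
```

The Position value is carried into each finding so that stale accounts with admin-level permissions can be reviewed first.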
Okay, you've done the audit now and you’ve got the list of users identified as no longer needing access — what next?
Edit permissions and suspend users
You can then promote or demote users to change their permission levels, or revoke access to accounts entirely.
To completely revoke an internal user’s access to Citizen Space, you can either suspend or delete their account. By suspending users — meaning they will no longer be able to log into Citizen Space — you can quickly disable their account, preventing access without affecting their activity ownership or needing to make changes across individual activities.
However, there may be cases when you have to delete a user. If you need to delete a user from Citizen Space, you will first need to re-assign their activities to another user within the same department.
You can learn more about how to change permission levels and suspend accounts in our other support article, 'How to add and manage users'.
Communicate and stay informed
And don’t forget — communication is important!
Let departments or teams know that you will be conducting an audit. You can even get them involved by encouraging them to review their own exported user list. Encourage them to also keep site admins up-to-date when staff leave or move to other departments/teams. You should also alert the users themselves by sending them an email letting them know that you will be suspending their account and that, to reactivate it, they can contact you or other site admins.