How do I deactivate or delete a user?
Short answer
Section titled “Short answer”Notory has no hard “delete” for users. The standard action is deactivation
(the Active toggle switched off): the account is preserved but can no longer sign
in — and can be reactivated at any time. For the permanent removal of personal data,
there’s GDPR erasure (pseudonymization, Art. 17). The recycle bin is a
different thing: it applies to assets, not to user accounts.
Requirements
Section titled “Requirements”Three approaches at a glance
Section titled “Three approaches at a glance”| Action | What happens | Reversible? |
|---|---|---|
| Deactivate | Active is switched “off”; sign-in is blocked immediately, data is kept | Yes — reactivate the account |
| GDPR erasure (Art. 17) | Account is pseudonymized, sign-in data/2FA/tokens are removed | No — permanent |
| Recycle bin | Applies to assets (deleted objects, restoration), not users | — |
Instructions
Section titled “Instructions”-
Deactivate a user. Go to Administration → User Management → open a user. In the Account section, choose “Deactivate User”. The entry stays in the list but is marked inactive. To reactivate, switch Active back “on”.
Screenshot pendingadmin-benutzer-04User detail page, Account section, with the 'Deactivate User' actionDeactivating blocks sign-in without removing data — reversible at any time. -
GDPR erasure (only when necessary). If a data subject must actually be erased, use the privacy features Data export (Art. 15) or Delete / Pseudonymize (Art. 17). This action is permanent.
Deactivate (soft delete — sets is_active = false):
curl -X DELETE https://demo.notory.io/api/v1/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055 \ -H "Authorization: Bearer inv_dein_token"Reactivate via the update endpoint:
curl -X PUT https://demo.notory.io/api/v1/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055 \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "is_active": true }'GDPR data export (Art. 15) and GDPR erasure (Art. 17, pseudonymization):
curl -H "Authorization: Bearer inv_dein_token" \ https://demo.notory.io/api/v1/admin/privacy/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055/export \ --output data-export.jsoncurl -X POST https://demo.notory.io/api/v1/admin/privacy/users/018f9b2c-6a41-7e02-9d3b-2c1a4f7e0055/erase \ -H "Authorization: Bearer inv_dein_token"Possible errors: 400 (attempting to deactivate or erase your own account),
403 (not an administrator), 404 (user not in your own tenant).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Deactivation = soft delete. The account is simply set to
is_active = false. Every sign-in attempt afterwards fails with “Account is deactivated”; active sessions lose access on their next request. All associations (history, “created by” notes) stay intact — that’s why deactivation is the right choice for employees who have left. - No hard delete via user management. There’s deliberately no endpoint that irreversibly removes a user account along with its history — that would destroy audit trails and references.
- GDPR erasure pseudonymizes. The Art. 17 action removes sign-in data, 2FA devices, and API tokens, and anonymizes the personal-data fields. References (e.g. “who created this asset”) are kept as a pseudonymous reference, so data integrity and the tamper-evident audit log remain intact.
- The recycle bin is not for users. The recycle bin (restore / delete permanently, with a retention period) is a feature of asset management. It applies to deleted objects like assets — never to user accounts.
- Audit log. Deactivation and erasure are recorded in the audit log (erasure as
an
export/ privacy action), along with the triggering administrator.
Related topics
Section titled “Related topics”- Create a user
- Reset a password administratively
- Assets — recycle bin — restoring and permanently deleting objects