Sharing & Offboarding

How to share credentials with teammates in Optserv Account Sharing, and how offboarding automatically handles access revocation.

This page covers the day-to-day workflow for sharing credentials with your team and the offboarding process that ensures departing employees lose access cleanly.

Sharing a credential

When you add a credential to Account Sharing, it's private by default — only you (the owner) can see it.

To share it with teammates:

  1. Open the item
  2. Go to Access (or Share)
  3. Search for the teammate by name or email
  4. Confirm — they now have access

The sharing process uses RSA-OAEP to encrypt the item's key for the new recipient. The item content is never transmitted in plaintext. See Security Model for the cryptographic details.

Access levels

Each shared item has an owner. The owner can:

  • View and use the credential
  • Add or remove other users from the access list
  • Edit or delete the item

Non-owners with access:

  • Can view and use the credential
  • Cannot modify the access list

Admins can see all company items regardless of whether they're in the access list.

Revoking access

To remove someone from an item:

  1. Open the item → Access
  2. Find the person and remove them

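Removal is enforced cryptographically: their copy of the decryption key is deleted. They cannot access the item after removal, even from cached state. Removal does not change the underlying password, so for high-sensitivity accounts rotate the credential as well.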
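
The sharing and revocation steps described above, sketched in Node.js as an added example (this is not Optserv's code). The page states only that RSA-OAEP encrypts the item's key for each recipient; AES-256-GCM for the item content, SHA-256 as the OAEP hash, 2048-bit keys, and every function name here are assumptions.

```javascript
// Added example, not Optserv code. Assumed: AES-256-GCM content encryption,
// RSA-OAEP with SHA-256, 2048-bit user key pairs, all names below.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Constructed user record; a real private key would stay on the user's device.
function newUser(name) {
  return { name, ...nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 }) };
}

// Wrap the symmetric item key to one recipient's public key.
function wrapFor(user, itemKey) {
  return nodeCrypto.publicEncrypt({ key: user.publicKey, ...OAEP }, itemKey);
}

// Encrypt the secret once under a random item key; only the owner gets a wrapped copy.
function createItem(owner, secret) {
  const itemKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', itemKey, iv);
  const ciphertext = Buffer.concat([c.update(secret, 'utf8'), c.final()]);
  const wrapped = new Map([[owner.name, wrapFor(owner, itemKey)]]);
  return { iv, ciphertext, tag: c.getAuthTag(), wrapped };
}

// Recover the item key from this user's wrapped copy, if one exists.
function unwrap(item, user) {
  const blob = item.wrapped.get(user.name);
  if (!blob) throw new Error(`no wrapped key for ${user.name}`);
  return nodeCrypto.privateDecrypt({ key: user.privateKey, ...OAEP }, blob);
}

// Share: the content is not re-encrypted, only a new wrapped key is added.
function share(item, from, to) {
  item.wrapped.set(to.name, wrapFor(to, unwrap(item, from)));
}

// Revoke: delete the recipient's wrapped key; the ciphertext is untouched.
function revoke(item, user) {
  return item.wrapped.delete(user.name);
}

// Decrypt the item content; GCM authentication fails if the key or data is wrong.
function readSecret(item, user) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', unwrap(item, user), item.iv);
  d.setAuthTag(item.tag);
  return Buffer.concat([d.update(item.ciphertext), d.final()]).toString('utf8');
}
```

In this sketch, sharing and revoking only add or delete a wrapped key and leave the stored password itself unchanged, which is why rotation is a separate step.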

Offboarding and Account Sharing

When you offboard an employee in Optserv's HR workspace:

  1. Their HR access is removed
  2. Their access to all Account Sharing items is revoked automatically
  3. Items they owned are flagged for review — an Admin should reassign ownership and optionally rotate the credential

Step 3 is intentional: if an employee owned a credential (e.g., the company Instagram password), removing their access in Optserv doesn't change the password they already know, so the credential isn't necessarily still safe. The underlying password should be rotated.

Credential rotation on offboarding

After offboarding someone who had access to shared credentials, Optserv surfaces a list of items they had access to. For each item, you should decide:

  • Keep as-is — if the credential is low-risk or has other controls
  • Rotate the credential — generate a new password, update the item in Account Sharing, and remove the old one

Example: Jake leaves the company. He had access to the company Instagram account, the analytics platform, and a vendor dashboard.

  • Instagram → rotate the password (social accounts are high-risk if a disgruntled ex-employee retains access)
  • Analytics platform → rotate if Jake was an admin there; keep if he was read-only
  • Vendor dashboard → depends on whether the vendor supports SSO — if not, rotate

Operational best practices

  • Keep access lists minimal — share credentials only with people who actively need them. Review access lists quarterly.
  • Use unique credentials where possible — for services that support per-user logins, create individual accounts instead of sharing one. Account Sharing should be a last resort, not the default.
  • Rotate on departure — don't assume that revoking Optserv access is enough. Rotate the underlying credentials for high-sensitivity accounts.
  • Assign owners thoughtfully — item owners are responsible for their access lists. Make sure the owner is someone who will maintain it.