Access lists grow over time. Everyone new gets invited, but not everyone who leaves is remembered. A disciplined 15-minute monthly review clears this silent accumulation.
Security is not an event but a habit. Fifteen minutes each month prevents major incidents over years.
Checkpoints
- Users without a login in the last 30 days.
- Users whose role changed in the owner panel.
- Inactive invite links.
- Lingering access after a branch closure.
- Users tied to outdated phone numbers.
Decision matrix
- No login for 30 days but the role is still needed: check in.
- No login for 90 days: tighten or remove.
- Departed staff: revoke immediately.
This simple rule provides enough security for most small teams.
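The decision matrix above applied to a user export, as an added example that is not part of the original page. The CSV columns, the sample users, the departed-staff set, the inclusive 30/90-day boundaries, and the treatment of never-logged-in accounts as idle are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real product's format.
USERS_CSV = """email,role,last_login
ayse@example.com,owner,2024-05-28
bob@example.com,editor,2024-04-20
carol@example.com,editor,2024-02-10
dan@example.com,viewer,
Erin@Example.com,editor,2024-05-30
"""
DEPARTED = {"erin@example.com"}  # constructed leaver list


def review(users_csv, departed, today):
    """Return {email: action} following the page's decision matrix."""
    departed = {e.strip().lower() for e in departed}
    actions = {}
    for row in csv.DictReader(io.StringIO(users_csv)):
        # Normalise case so a leaver is matched even if the export differs.
        email = row["email"].strip().lower()
        raw = row["last_login"].strip()
        # An empty last_login means the account was never used (assumption).
        idle = (today - date.fromisoformat(raw)).days if raw else None
        if email in departed:
            # Departure overrides recent activity: revoke immediately.
            actions[email] = "revoke"
        elif idle is None or idle >= 90:
            actions[email] = "tighten_or_remove"
        elif idle >= 30:
            # Ask whether the role is still needed before changing anything.
            actions[email] = "check_in"
        else:
            actions[email] = "ok"
    return actions


if __name__ == "__main__":
    for email, action in review(USERS_CSV, DEPARTED, date(2024, 6, 1)).items():
        print(f"{action:18} {email}")
```

The departed account in the sample logged in two days before the review date, which is why the leaver check runs before any idle-time check.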
Documentation
Logging the result of the monthly review in a short Notion doc gives compliance a paper trail and gives next month a starting point.
Checklist
- Last login dates were checked.
- Inactive users were revoked.
- The list of departed staff was matched against current access.
- Pending invites were cleaned up.
- Audit notes were filed.
FAQ
Can I disable instead of delete?
Yes. If departure is uncertain or rejoining is likely, scoping down the role and disabling is a reasonable middle ground.
Where do audit logs live?
Critical access changes are written to the system audit log and can be shared during a compliance review.