Posted by JohnMoe
Henagon

Deleting users from TeamViewer

Hi all,

I'm trying to get some automated account creation happening, and in doing so, I'm try to create and delete a test user.  I've manage to create the account, but I can't find a DELETE function in the API.  I need to test that the create works with a number of different variations on our end, so I want to delete that test account so I can recreate it again.  I don't want to have to create a new user each time, and wind up with a bunch of testing users in my management console.  How can I achieve this?

I've found articles that tell me that an account can only be deleted by the account owner, but when I try to log in with that account so I can delete it through the web, I get told that I'm on an untrusted device and to check my e-mail.  That e-mail address doesn't exist, so I'm not going to get it.  I need another way to do this.

Cheers

5 Replies
Posted by p2k
Digon

Re: Deleting users from TeamViewer

Hi John,

I am on the same path currenlty and I didn't find any API possibility to remove a user.

Additionally it takes two steps to get rid of a user completly if the user belongs to a company. First I need to remove it from the company as a company-admin. Second step, the user needs to request the deletion of his account by himself.

@Teamviewer: As a company Admin I need to have the possibility to remove old accounts fully! Usually the user has no access to the email address anymore and therefore there should not be an account left behind!

Posted by DomLan
Heptagon

Re: Deleting users from TeamViewer

Hi @p2k,

I think it's a long story. As an administrator of a domain in TeamViewer, you can create users, that is, access credentials to the channels that you have subscribed to.
It is necessary to distinguish authentication from authorization, they are two separate steps that are often confused in a single entity.


I imagine that in your reality, the user (a resigned employee) was created by associating it with an email address of your domain and that when he left your structure, you have taken steps to eliminate it from your AD. Indirectly you have created a problem with the referential integrity of your AD: but the AD is yours and you can do with it what you want.


In TeamViewer the concepts of authentication and authorization are kept separate: if your goal is to prevent him from using your channels, just deleting the email from your AD prevents him from authorizing other devices. Via management console you can remove all the devices previously authorized by him. You can remove the permissions to act on certain groups and you can also release the license assigned to them. In short, you can do everything possible to deny him access to your channels (authorization). Deleting him, you will became the user who made previously connections made by him (referential integrity OK)


You can also directly act on authentication by changing the password, and not deleting the user.
But... the operator code (in TeamViewer is an email address) that you authorized to access your channels is unique and maybe connected to a domain to which you as an administrator do not have access (eg. you xxx@company.com and him **bleep**@gmail.com)

TeamViewer takes this possibility into account and guarantees it by delegating the effective renunciation of the account to the rightful owner who can still use it for free, for a fee or by joining another structure.

Just my opinion:

user code in your AD: remove all authorization via TVMC (device, groups, license). If you are interested in manteining connections story, change password, otherwise delete the user.

user code in other AD: remove all authorization via TVMC (device, groups, license). If you are interested in manteining connections story, change password, otherwise delete the user.

In both cases you have total control of the situation with respect to the account because If the account belongs to a TeamViewer company profile, it can not be canceled by the owner. In this case, he does not have permission to delete his account as he is a part of a company profile. He will need to contact the administrator of TeamViewer company profile (you) and ask them to remove his account for the company profile. 

Regards

Domenico Langone
MCSD: App Builder
Posted by p2k
Digon

Re: Deleting users from TeamViewer

Hi @DomLan,

I completly understand your goal. I just think that it might be better to also have the possibility to remove a user with an email address that does not exist anymore.

Why? In case this account gets hacked and the teamviewer account (without company permissions) does bad things, Teamviewer will contact the owner of the domain, but we can't do anything anymore about this, because we don't have any control anymore about these abandoned accounts.

I think that abandoned accounts are not a good thing to keep laying around...

Thanks
Philipp

Posted by DomLan
Heptagon

Re: Deleting users from TeamViewer

Hi @p2k,

thanks for understanding. However, perfect cancellation does not exist in authoritative contexts, or at least it should be so.

You can "completely" delete a Google account and retrieve it after a few days. Instead, after a certain amount of time that account will be no longer recoverable. But... if you tried to recreate it, you would receive a rejection: therefore that key is no longer reusable (it still exist but forbidden).  

This process is called anonymization (GDPR) and consists in deleting all the attributes covered by privacy from its database, keeping only the unique key to which it hierarchically referred.

Strangely, in AD you can recreate an object to assign a previously used email, but the entity's SID code will be different. So you can not say with certainty that the data no longer exists, forever (in your AD).

As I said, it's a long story. Your goal is shareable, but its implementation should take into account certain limits and certain rules.

Regards.

Domenico Langone
MCSD: App Builder
Highlighted
Posted by p2k
Digon

Re: Deleting users from TeamViewer

@DomLanthanks for your detailed explanation.