We recently had a trusted and long-term member of our organization spontaneously become untrustworthy, and this forced us to immediately take action to remove their access to accounts from our organization to prevent potential malicious activity. However, we experienced some issues with this. Due to this person's position in the organization until this point, they had access to a lot of password entries, and we needed to unshare all of the organization's "Enterprise" entries as quickly as possible. At the same time, we needed this person to continue to have access to their "Personal" password entries as they were also going to be traveling internationally the next day and would definitely need access to their own accounts and secure notes for all of this.
In this process, we discovered that there was no way to effectively handle this situation. What we tried was to temporarily revoke their access to all of Zoho Vault and then manually unshare most of the organization's password entries individually with them as fast as we could. This was done to hopefully protect our accounts while not interfering with their access to their personal accounts more than was needed and not further agitating them. In these situations, we don’t want someone’s access to their personal entries to be blocked or removed unless absolutely necessary as it can just add "fuel to the fire" as you can imagine.
From our experience, we recognize a "gap" in what Zoho Vault can currently do to handle these situations and we feel that it needs to be addressed. We need the ability to unshare multiple selected password entries at a time with a user rather than only being able to unshare one entry at a time. Along with that, we need the option to revoke access to only all of the entries that are shared with a user rather than only being able to block their entire access to Zoho Vault (i.e., blocking access to all of their Personal and shared entries). Also, for security reasons, it would be helpful to have an option in "Fine-Grained Controls" to disable users from being able to duplicate password entries. Without that, it is currently very easy for users to copy and obtain "ownership" of an organization's entries with practically a single click, and no one would notice this unless they have time to closely monitor the audit logs at all times.
Thank you!