(1) There is a strong preference for shared credentials at the LIR account level, independent of individual users. If a user leaves the company, the shared credential should not automatically expire. The organisation must be able to maintain the API keys including listing and invalidating them.