Using the User Deactivator

Jira

Navigate to the User management section and click on User Deactivator:

Confluence

In the administration section, scroll down to USERS & SECURITY and click on User Deactivator

Bulk User Operations - Filtering Users

Change multiple filter settings to narrow down the list of users you want to deactivate, reactivate or remove from groups.

These filters are:

  • Time Since Last Activity
  • Activity Status
  • In Group
  • Not In Group
  • Application Access
  • Search in Full Name, Username and Email

Select the users you want to change

Click the checkboxes of the users you want to bulk operate on and click on Choose Bulk Action

Choose operation

Pick one of the bulk user operation types and click on Next

Since version 4.1.0 you may now override the default protection to not deactivate/ remove from groups if

  1. the user is a component- or project lead of a project in Jira
  2. the user is a space admin in Confluence
  3. the user is a repository- or project admin in Bitbucket

Just check the box "Force destructive operations" before performing the bulk action.


Confirm your choice

Confirm your selection, you'll see a summary of the operation to be executed:

Wait for the operation to complete

Reviewing the Result

The result screen will show a summary of the operation again.

Automatic User Deactivation

User Deactivator can be configured to automatically deactivate users or remove them from groups instead.
To configure a rule for automatic deactivation, click on the "Automatic User Deactivation" tab.

After automatic user deactivation is enabled, User Deactivator will execute the rule 30 seconds after automatic deactivation is enabled or edited and saved again.
The rule will then be scheduled to run every 24 hour from that time. 

User Deactivator can be configured to automatically deactivate user

Configure automatic deactivation

Configure a rule that instructs User Deactivator to automatically deactivate users not active for a period of time, for example 1 year.
User Deactivator will then check for active users every 24 hours. If the last activity date of a user is one year old or more, the user will be deactivated.

Since version 2.1.x (Jira 7) and 3.1.x (Jira 8), the following changes and features have been introduced:

  • Email Address for receiving a report about the users modified during auto-deactivation has become optional
    • if none was provided, no summary report will be emailed

  • if User Deactivation Mode has been set to "Remove Users from Groups" and one or more group names have been selected,
    users will be removed from these groups instead of being deactivated
    • this feature is specifically intended for users who manage users of i.e. Confluence via their Jira directory
    • you could remove users from all groups starting with "jira" and "confluence" and would revoke their access for both Atlassian platforms that way
      • this would then also save Confluence licenses
      • please be aware of this being a specific setup of Jira/ Confluence with Crowd, it does not automatically apply for all Jira and Confluence installations

  • select one or more group names who's members would be excluded from deactivation or group removal 
    • exclude groups overrules the "Groups to remove", should you (accidentally) provide the same group names in both


automatically deactivate user

A user cannot be automatically deactivated or removed if:

  • the user is a system administrator or administrator

Since version 4.1.0 you may now override the default protection to not deactivate/ remove from groups if 

  1. the user is a component- or project lead of a project in Jira
  2. the user is a space admin in Confluence
  3. the user is a repository- or project admin in Bitbucket

Just check the box "Force destructive operations" before the Reporting section in the automatic deactivation

Expiration email to users

If you select an option other than "Don't send Email" under the "Days before sending expiration email to users" option,
users will receive a notification from 1-14 days prior deactivation or group removal, so that can login again, preventing that.

With "Don't send Email" selected, they would be deactivated on the next scheduled run, which occurs 30 seconds after
saving the rule, then again 24 hours later, for users matching the criteria configured.


The emails looks like below:

Warning about being removed from groups

Warning about being removed from groups

Warning about being deactivated

Warning about being deactivated

Email report of automatically deactivated users

If one or more users are automatically deactivated or removed from groups, an email report will be sent to the email address specified in the reporting section:

Email report of automatically deactivated users

The summary email looks as follows:

In case some users couldn't be deactivated because of an unexpected error, a second table in the report will indicate this.

Microsoft Active Directory

User Deactivator for Jira works as follows with different configurations of Microsoft Active Directory.

Jira configurationFunction
Read OnlyIf an attempt to deactivate a user in a read-only Active Directory, an error message Cannot edit user, as the user's directory is read only will appear. The user cannot be deactivated. 
Read Only with Local GroupsIf an attempt to deactivate a user in a read-only Active Directory, an error message Cannot edit user, as the user's directory is read only will appear. The user cannot be deactivated.
Read/WriteA user residing in a read/write Active Directory can be deactivated