
Cleanup Behaviour and Scheduled Synchronization

In this article, we describe two User Sync settings: Cleanup Behaviour and Scheduled Synchronization. The Cleanup Behaviour is the last step in the full sync process and happens after all users have been synchronized from the IdP. Users that already exist in the User Sync directory but were no longer returned by the IdP are handled according to the chosen Cleanup Method. The cleanup behaviour is applied to users who:

  • were deleted in the IdP (e.g. Azure AD) and are no longer returned by the IdP → e.g. they left the company and the IdP team deleted the user

  • are no longer a member of any required group → Required Groups

  • are dropped by a transformation in the attribute mapping → Group Transformations

With standard settings, these users are disabled (deactivated). 

We recommend testing the options in your test environment before you apply them to your production instance.

Instructions

Go to User Sync → Edit Connector → Sync Settings tab. There you can change the cleanup behaviour.

User Sync supports the following cleanup behaviours:

  • Disable Users (default behaviour)

    • Users get deactivated, just like Atlassian recommends

    • The user still exists

      • Doing this saves licenses and retains the user history


  • Keep Users without modification

    • Users are not changed by the cleanup behaviour

  • Anonymize Users (reversible)

    • Anonymize Users (reversible) requires the following minimum versions: SAML Single Sign On >= 5.2.1 / User Sync >= 2.2.1

    • Already disabled users will also be anonymized

    • Username, email, and full name are anonymized

    • The user anonymization in User Sync currently works like this:

      • The user is renamed to user-XXX 

      • The email is changed to user-XXX@user.anon 

      • The full name is changed to user-XXX

      • The user is deactivated

      • The flag ATTR_IS_ANONYMIZED=true is added to the user


    • Since the IdP user ID (e.g. azure_ID) is still assigned to the users, the anonymization can be undone and the users renamed to their original names.

  • Delete Users

    • Users get deleted

    • We do not recommend this option, as it has serious consequences, e.g., for assigned tickets or user comments
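
The following sketch models the cleanup step and the four cleanup behaviours described above, so you can see which accounts stay active under each setting. It is an added illustration, not User Sync's own code. The `User` class, the counter used for XXX, and the sample accounts are assumptions.

```python
from dataclasses import dataclass, replace

METHODS = {"disable", "keep", "anonymize", "delete"}

@dataclass(frozen=True)
class User:
    idp_id: str               # IdP user ID, e.g. the Azure AD ID
    username: str
    email: str
    full_name: str
    active: bool = True
    anonymized: bool = False  # stands in for ATTR_IS_ANONYMIZED=true

def anonymize(user, n):
    # Field values follow the page; deriving XXX from a counter is an assumption.
    alias = f"user-{n}"
    return replace(user, username=alias, email=f"{alias}@user.anon",
                   full_name=alias, active=False, anonymized=True)

def cleanup(directory, returned_ids, method="disable"):
    """Apply a cleanup method to directory users the IdP did not return."""
    if method not in METHODS:
        raise ValueError(f"unknown cleanup method: {method}")
    result = []
    for n, user in enumerate(directory, start=1):
        if user.idp_id in returned_ids or method == "keep":
            result.append(user)                          # left unchanged
        elif method == "disable":
            result.append(replace(user, active=False))   # history is retained
        elif method == "anonymize":                      # also hits disabled users
            result.append(user if user.anonymized else anonymize(user, n))
        # "delete": the user is dropped from the directory
    return result

def still_active(directory, returned_ids):
    """Accounts that are still active although the IdP no longer returns them."""
    return [u.username for u in directory
            if u.active and u.idp_id not in returned_ids]

# Constructed sample data: bob and carol are no longer returned by the IdP.
DIRECTORY = [
    User("idp-001", "alice", "alice@example.com", "Alice Example"),
    User("idp-002", "bob", "bob@example.com", "Bob Example"),
    User("idp-003", "carol", "carol@example.com", "Carol Example", active=False),
]
RETURNED = {"idp-001"}

if __name__ == "__main__":
    for m in sorted(METHODS):
        after = cleanup(DIRECTORY, RETURNED, m)
        print(m, [u.username for u in after], still_active(after, RETURNED))
```

With Keep Users without modification, `still_active` still reports the account that left the IdP, which is the case to review when choosing that setting.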

Scheduled Synchronization

The Cleanup Behaviour is triggered every time a full sync is performed. The full sync can be triggered manually by clicking Sync on the main User Sync configuration screen, or it can be scheduled to run periodically. The Scheduled Synchronization can be configured below the Cleanup Method. We recommend combining the Cleanup Behaviour with the Scheduled Synchronization. An active scheduled synchronization makes sure the above criteria are checked regularly, so the chosen cleanup behaviour is applied to the affected users.

Switch the Scheduled Synchronization toggle to enable or disable the regular schedule. You can then edit the Cron Expression, which defines when the next sync will run. With Results to keep, you can also decide how many sync results should be kept (older results are removed when a new sync starts). You can change it to a value that matches the customer's requirements. User Sync itself imposes no limit; the configuration field is an int (data type), so the limit from the system is usually 2147483647.

Please keep in mind that values that are too high (resultsToKeep) can impair database performance.



If you click on the pencil to edit the Cron Expression, you can use the Cron Expression Builder.



Or, if you want, you can add a Cron Expression directly.


After you change the Scheduled Synchronization, you need to click Save and Return. This saves and enables the new configuration.

Please note:

  • Synchronization time differs based on your user base

    • small instances (up to 1,000 IdP users) run a full sync once an hour

    • larger instances (up to 10,000 IdP users) run a full sync once a day (overnight)

    • enterprise instances (more than 10,000 users) run a full sync once a week

  • Our SAML SSO plugin will always do a Single User Sync. So, if the user does not exist, the user will be added or modified.

  • The full sync mainly serves to make sure deleted users can be disabled and that all user information is up to date.