User & GroupsUser & Groups
Try For Free

Cleanup Inactive Users

With the Cleanup Inactive Users connector, you can as an example deactivate users that have not logged in for a certain amount of time. One very strong use case where the connector can help is when you use Just-in-Time provisioning as your user provisioning method. Using this method, you have no way to provide the information to your application that a user was deactivated or deleted on the Identity Provider side. The Cleanup Inactive Users connector helps you reduce the number of users on your Atlassian license.

In case a user was deactivated due to long inactivity but still requires access to your application, you can automatically activate the user account again upon SSO login. You find the configuration in our SAML Single Sign On plugin → Identity Provider → User Creation and Updates, and it is activated by default. Using the combination of the Cleanup Inactive Users connector in User Sync and the feature in our SAML Single Sign On plugin results in a seamless experience for your users and cost savings for your instance.


Since User Sync version 2.1 (SAML SSO 5.1) the connector is called Cleanup Inactive Users connector and not Disable Inactive Users anymore. The name change was done to reflect the features (the possibility to configure different Cleanup Behaviors). 

Admins and Sysadmins will not be deactivated.


Cleanup Inactive Users connector configuration

  • Navigate to the User & Group Sync configuration page and add a new Cleanup Inactive Users connector.

cleanup_inactive_users
cleanup_inactive_users

You will be in the Cleanup Inactive Users Specific Settings section, now you can edit different settings.

    1. Choose a directory in which to disable inactive users

    2. Choose after how many days (since the last log-in) to mark users as inactive

      1. Note: If you choose a directory that is synchronized from User & Group Sync, disabled users will be reactivated upon the next synchronization.

    3. Decide if users that have never logged in should be disabled or not. By default, this option is not checked.

ciu_specific_settings
ciu_specific_settings

Next to Cleanup Inactive Users Specific Settings you should have a look at Sync Settings. Here, you see the different Cleanup behavior options. The default is to disable users which is the suitable method for mostly all use cases. Nevertheless, please see below the different options.

cleanup_behaviour
cleanup_behaviour

User Sync give you the possibility to do the following cleanup behaviors:

  • Disable Users
    Users get deactivated, just like Atlassian recommends. Doing this saves licenses and retains the ticket history, as the user still exists.

  • Delete Users
    Users get deleted. We do not recommend this option, which has important consequences, e.g., for assigned tickets or user comments.

  • Anonymize Users (reversible)
    Username, email, and full name are anonymized. Since the IdP user ID (e.g., azure_ID) is still assigned to the users, this can be undone to rename users with their original names.

  • Keep Users Without Modification
    Users are not changed by the cleanup behavior.

The default behavior is to disable users (as Atlassian recommends). When you change the cleanup behavior, you will need to do a Save and Return. This will save and enable the new configuration. If you run a full Sync, the new cleanup behavior will be used and affect all matched users.


Using the Scheduled Synchronization makes the connector run periodically. That way everything runs automatically in the background:

Please switch the toggle Scheduled Synchronization to enable or disable the regular schedule. Now, you can edit the Cron Expression, which will define when the next sync will run. You can also decide how many sync results should be kept Results to keep (older results will be removed when a new sync starts). You can change it to a value, which match the customer requirement (there is no limitation from User Sync. The configuration field is an int (data type), so the limitation from the system is usually 2147483647).

Please keep in mind, that too high values (resultsToKeep) can lead to an impairment of the performance (database).


CleanShot 2022-05-10 at 14.54.01@2x.png

If you click on the pencil to edit the Cron Expression, you can use the Cron Expression Builder


CleanShot 2022-05-10 at 14.43.00@2x.png

Or, if you want, you can add a Cron Expression directly.

CleanShot 2022-05-10 at 14.43.25@2x.png

After you change the Scheduled Synchronization, you need to do a Save and Return. This will save and enable the new configuration.

Please note:

  • Synchronization time differs based on your user base

    • small instance (up to 1,000 IdP Users) runs a full sync once an hour

    • larger instances (up to 10,000 IdP Users) runs a full sync once a day (overnight)

    • enterprise instances (more than 10,000 Users) runs a full sync once a week

  • Our SAML SSO plugin will always do a Single User Sync. So, if the user does not exit, the user will be added or modified.

  • The full sync is more or less just to make sure we can disable deleted users and to make sure everything is fresh up with information.



If you run into problems, do not hesitate to contact our support.


This site uses cookies to deliver its service & to analyse traffic. By browsing this site, you accept the privacy policy.

Our Wiki uses cookies

We want to give you the best possible experience on our website. For this we use technically required cookies and, if you agree, cookies for analysis and marketing purposes. You can find more information about the cookies in our Privacy Policy. By tapping ‘Accept All,’ you consent to the use of these methods by us and third parties.

Necessary
Always Active
Analytics
Advertisement
Other