With the Cleanup Inactive Users connector, you can, for example, deactivate users who have not logged in for a certain amount of time. One very strong use case for the connector is when you use Just-in-Time provisioning as your user provisioning method. With this method, you have no way to inform your application that a user was deactivated or deleted on the Identity Provider side. The Cleanup Inactive Users connector helps you reduce the number of users on your Atlassian license.

If a user was deactivated due to long inactivity but still requires access to your application, you can automatically activate the user account again upon SSO login. You can find the configuration in our SAML Single Sign On plugin → Identity Provider → User Creation and Updates, and it is activated by default. Combining the Cleanup Inactive Users connector in User Sync with this feature in our SAML Single Sign On plugin results in a seamless experience for your users and cost savings for your instance.


Since User Sync version 2.1 (SAML SSO 5.1), the connector is called the Cleanup Inactive Users connector and no longer Disable Inactive Users. The name was changed to reflect its features (the possibility to configure different Cleanup Behaviors).

Admins and Sysadmins will not be deactivated.


Cleanup Inactive Users connector configuration

  • Navigate to the User & Group Sync configuration page and add a new Cleanup Inactive Users connector.


You will be in the Cleanup Inactive Users Specific Settings section, where you can edit the following settings.

    1. Choose a directory in which to disable inactive users
    2. Choose after how many days (since the last login) to mark users as inactive
      1. Note: If you choose a directory that is synchronized from User & Group Sync, disabled users will be reactivated upon the next synchronization.
    3. Decide if users that have never logged in should be disabled or not. By default, this option is not checked.
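
A dry run of the selection rules listed above, as an added example that is not the connector's own code: it shows which accounts in a user export would match for a given directory, inactivity threshold and "never logged in" choice, with admins exempt. The record fields, the sample data and the treatment of the exact threshold boundary are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export; field names are assumptions, not the connector's schema.
SAMPLE_USERS = [
    {"name": "alice", "directory": "Jira Internal", "last_login": "2024-05-30T08:00:00+00:00", "admin": False},
    {"name": "bob", "directory": "Jira Internal", "last_login": "2023-11-02T10:15:00+00:00", "admin": False},
    {"name": "carol", "directory": "Jira Internal", "last_login": None, "admin": False},
    {"name": "root", "directory": "Jira Internal", "last_login": "2022-01-01T00:00:00+00:00", "admin": True},
    {"name": "dave", "directory": "LDAP", "last_login": "2023-01-01T00:00:00+00:00", "admin": False},
]


def preview_cleanup(users, directory, inactive_days, include_never_logged_in=False, now=None):
    """Return (matched, skipped); skipped maps user name -> reason it is kept."""
    now = now or datetime.now(timezone.utc)
    # Assumption: a user counts as inactive once the last login is older than the cutoff.
    cutoff = now - timedelta(days=inactive_days)
    matched, skipped = [], {}
    for u in users:
        if u["directory"] != directory:
            skipped[u["name"]] = "other directory"
        elif u["admin"]:
            skipped[u["name"]] = "admin/sysadmin exempt"
        elif u["last_login"] is None:
            # Mirrors the "never logged in" checkbox, which is off by default.
            if include_never_logged_in:
                matched.append(u["name"])
            else:
                skipped[u["name"]] = "never logged in"
        elif datetime.fromisoformat(u["last_login"]) < cutoff:
            matched.append(u["name"])
        else:
            skipped[u["name"]] = "active"
    return matched, skipped


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    matched, skipped = preview_cleanup(SAMPLE_USERS, "Jira Internal", 90, now=fixed_now)
    print("would be cleaned up:", matched)
    for name, reason in skipped.items():
        print(f"kept {name}: {reason}")
```

Reviewing such a list before the first scheduled run makes it easier to spot service or integration accounts that never log in interactively.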


In addition to the Cleanup Inactive Users Specific Settings, you should have a look at the Sync Settings. Here, you see the different Cleanup Behavior options. The default is to disable users, which is the suitable method for almost all use cases. Nevertheless, please see the different options below.

The Sync Settings will help you to define the Cleanup Behavior.


User Sync gives you the possibility to use the following cleanup behaviors:

  • Disable Users
    Users get deactivated, just like Atlassian recommends. Doing this saves licenses and retains the ticket history, as the user still exists.
  • Delete Users
    Users get deleted. We do not recommend this option, which has important consequences, e.g. for assigned tickets or user comments.
  • Anonymize Users (reversible)
    Username, email, and full name are anonymized. Since the Cleanup Inactive Users' user ID is still assigned to the users, this can be undone, renaming the users back to their original names.
  • Keep Users Without Modification
    Users are not changed by the cleanup behavior.

The default behavior is to disable users (as Atlassian recommends). When you change the cleanup behavior, you will need to do a Save and Return. This will save and enable the new configuration. If you run a full Sync, the new cleanup behavior will be used and affect all matched users.



Using the Scheduled Synchronization makes the connector run periodically. That way everything runs automatically in the background:

Please switch the Scheduled Synchronization toggle to enable or disable the regular schedule. Now you can edit the Cron Expression, which defines when the next sync will run, and use Results to keep to decide how many sync results should be kept (older results will be removed when a new sync starts).

If you click on the pencil to edit the Cron Expression, you can use the Cron Expression Builder.


Or, if you want, you can add a Cron Expression directly.

After you change the Scheduled Synchronization, you need to do a Save and Return. This will save and enable the new configuration.

Please note:

  • Synchronization time differs based on your user base
    • small instances (up to 1,000 IdP Users) run a full sync once an hour
    • larger instances (up to 10,000 IdP Users) run a full sync once a day (overnight)
    • enterprise instances (more than 10,000 Users) run a full sync once a week
  • Our SAML SSO plugin will always do a Single User Sync. So, if the user does not exist, the user will be added or modified.
  • The full sync is more or less just to make sure we can disable deleted users and to make sure all information is up to date.


If you run into problems, do not hesitate to contact our support.