Inactive User Cleanup

Powerful user management

Combining User Cleanup with Just-in-time user provisioning gives you a powerful user management. When a user hasn’t been active for a while, they are deactivated by the user cleanup schedule and won’t consume a license space. As soon as they’re back and log in with SAML or OpenID Connect, their account will be reactivated. It’s all automated and as soon as it’s configured, you won’t have to do anything. Just-in-time user provisioning also creates new accounts for new employees logging in for the first time.

User cleanup offers an excellent tool to keep the amount of licenses under control. It also offers a security benefit during offboarding. As soon as the user is removed from the central user directory at the identity provider, their account will also be deactivated in Atlassian after a while due to the Kantega SSO User Cleanup.

Configure user cleanup to optimize your license usage, by either deactivating the user, or by removing the user from the licensing group. Typically the group jira-software-users grants access to jira software licenses. You can configure the requirement of user activity in the cleanup, as in the last time they logged in.

Configure User Cleanup

image-20240220-101742.png

Settings

  1. Select Common, Inactive User Cleanup in the KSSO menu to open the user cleanup dialog.

    image-20240220-103401.png
  2. Choose whether you want to deactivate users or remove users from a licensing group.

  3. Configure the requirement of user activity in the cleanup, as in the last time they logged in.
    In the above example we have chosen 3 days. You may also check last logged in for several days, weeks or months based on the suitable use case in your organization.

  4. If you choose to Remove access to local group then users will be removed from the given group. If the user is included in other groups they will not be touched. This means if the group to be removed from is 0not the licensing group the user will still be active.

    While cleaning up users, you also want to make sure that certain users are not cleaned, even if they haven't logged in for a while. Admin accounts should not be cleaned for example, because then you might lose system access. Exceptions can be configured based on group memberships or user directories.

  5. To verify which users will be affected by your setup, you may run an analysis. You will then get a prognosis of the cleanup. In this prognosis you may pick users manually and remove from group/disbled by using the respective Action button.

  6. Click Run user cleanup to perform the configured cleanup. You will be prompted to confirm the run before the job starts.

     

  7. After the job is finished, cleanup results are found in the log . A log file will also be created in the kerberos folder; <atlassian_home_folder>/kerberos/userCleanupLogs.

Schedule

Avoid all manual hassle by configuring a schedule that automatically handles all the user cleanup . The schedule comes with a wide range of time intervals you can fit to your specific needs.

Analyse job result

Before activating the cleanup schedule, you may run an analysis to verify that your schedule gives the expected result, and that it won’t affect unintended users. For example, if users are away during holidays, one week’s cleanup interval might be too short.

Activate Cleanup schedule

Activate Cleanup schedule when you are happy with the configuration. Te job will start at the the time shown in the Next cleanup field.

 

Log

The 5 latest user cleanups are shown in teh log screen.

A log file will also be located in the kerberos folder; <atlassian_home_folder>/kerberos/userCleanupLogs.