Inactive User Cleanup

Powerful user management

Combining User Cleanup with just-in-time user provisioning gives you powerful user management. When a user hasn’t been active for a while, the user cleanup schedule deactivates them and they no longer consume a license. As soon as they return and log in with SAML or OpenID Connect, their account is reactivated. It’s all automated: once it’s configured, you won’t have to do anything. Just-in-time user provisioning also creates new accounts for new employees logging in for the first time.

User cleanup is an excellent tool for keeping the number of licenses under control. It also offers a security benefit during offboarding: once a user is removed from the central user directory at the identity provider, their account will also be deactivated in Atlassian after a while by the Kantega SSO User Cleanup.

Configure user cleanup to optimize your license usage by either deactivating the user or removing the user from the licensing group. Typically, the group jira-software-users grants access to Jira Software licenses. You can configure the user-activity requirement for the cleanup, that is, how long ago the user last logged in.

Configure User Cleanup




  1. Go to user cleanup through either Kantega SSO → Common → Inactive user cleanup or Kantega SSO → User cleanup as shown in the picture above. This opens the user cleanup dialog shown below:




  2. Choose whether you want to deactivate users or remove users from a licensing group.

    1. If you want to remove access to a local group you can also select which group to clean:

  3. Configure the user-activity requirement for the cleanup, that is, the number of days since the user last logged in. In the example below, we have chosen 3 days, but you can easily configure a longer or shorter period depending on your requirements.

  4. If you choose Remove access to local group, users will be removed from the given group. The user cleanup only affects membership of the chosen group and will not remove any other group memberships. This means that if the chosen group is not the licensing group, the user will still be active.

    While cleaning up users, you also want to make sure that certain users are not cleaned, even if they haven't logged in for a while. Admin accounts, for example, should not be cleaned, because you might then lose system access. Exceptions can be configured based on group memberships or user directories.

  5. To verify which users will be affected by your setup, you may run an analysis. You will then get a prognosis of the cleanup. In this prognosis you may pick users manually and remove them from the group or disable them by using the respective Action button.

  6. Click Run user cleanup to perform the configured cleanup. You will be prompted to confirm the run before the job starts.


  7. After the job is finished, the cleanup results are found in the log. A log file will also be created in the kerberos folder: <atlassian_home_folder>/kerberos/userCleanupLogs.


Avoid all manual hassle by configuring a schedule that automatically handles all the user cleanup. The schedule comes with a wide range of time intervals you can fit to your specific needs.

Analyse job result

Before activating the cleanup schedule, you may run an analysis to verify that your schedule gives the expected result, and that it won’t affect unintended users. For example, if users are away during holidays, one week’s cleanup interval might be too short.
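An offline forecast of the same kind of check, as an added example that is not Kantega SSO's code or part of the original page: it applies an inactivity threshold plus group and directory exceptions to a constructed user list, and flags users who would keep a license because the cleaned group is not the licensing group. The `User` fields, function names, sample users, the `jira-administrators` and `project-x` groups, and the treatment of a missing login as inactive are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    last_login: Optional[date]  # None = no login recorded
    groups: frozenset
    directory: str

def forecast_cleanup(users, today, inactive_days,
                     exempt_groups=(), exempt_directories=()):
    """Names of users an inactivity cleanup with these settings would touch."""
    affected = []
    for u in users:
        # Exceptions by group membership or user directory are skipped first.
        if u.groups & set(exempt_groups) or u.directory in exempt_directories:
            continue
        # Assumption of this sketch: no recorded login counts as inactive.
        if u.last_login is None or (today - u.last_login).days > inactive_days:
            affected.append(u.name)
    return affected

def still_licensed(users, affected, cleaned_group, licensing_group):
    """Affected users who keep a license after removal from cleaned_group."""
    if cleaned_group == licensing_group:
        return []
    return [u.name for u in users
            if u.name in affected and licensing_group in u.groups]

# Constructed sample user export (not real data).
TODAY = date(2024, 8, 12)
LIC = "jira-software-users"
USERS = [
    User("alice", date(2024, 8, 9), frozenset({LIC}), "ldap"),
    User("bob", date(2024, 7, 26), frozenset({LIC, "project-x"}), "ldap"),   # on holiday
    User("carol", date(2024, 3, 1), frozenset({LIC, "project-x"}), "ldap"),  # offboarded
    User("admin", date(2024, 1, 5), frozenset({"jira-administrators"}), "internal"),
    User("svc-backup", None, frozenset({LIC}), "internal"),
]

if __name__ == "__main__":
    ex = dict(exempt_groups={"jira-administrators"}, exempt_directories={"internal"})
    for days in (7, 30):
        hit = forecast_cleanup(USERS, TODAY, days, **ex)
        print(f"{days:>2} days -> {hit}; still licensed if only project-x is "
              f"cleaned: {still_licensed(USERS, hit, 'project-x', LIC)}")
```

With the one-week threshold the forecast includes `bob`, who is only on holiday; with 30 days only the offboarded `carol` remains.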

Activate Cleanup schedule

Activate Cleanup schedule when you are happy with the configuration. The job will start at the time shown in the Next cleanup field.



The 5 latest user cleanups are shown in the log screen.

A log file will also be located in the kerberos folder: <atlassian_home_folder>/kerberos/userCleanupLogs.