Kantega SSO EnterpriseUser Cleanup

User Cleanup

User Cleanup allows you to automatically keep your license management under control by disabling inactive users or remove users from the licensing group.


We offer customizable settings, to match the needs of your organization. You can configure inactive users to be deactivated or simply remove them from the licensing group:

If you choose to Remove access to local group then users will be removed from the given group. If the user is included in other groups they will not be touched. This means if the group to be removed from is not the licensing group the user will still be active.

To specify which users to be cleaned, select days since users loggged in. Users that have never logged in and are older than (created before) the selected number of days will be included.

You may also want to exclude some users from the user cleanup. For example, to avoid your admin user(s) being disabled, you can add groups exceptions for the respektive group(s).

There is also an option to exclude users from specific user directories by adding directory exceptions.

Test run

Before running the actual cleanup, you may run a test cleanup to verify that your setup makes sense, and that the user cleanup won’t affect unintended users.

The test results are highlighted in a list below, with a full log file in the kerberos folder; <atlassian_home_folder>/kerberos/userCleanupLogs.

Run user cleanup

Before the job starts, you are prompted to confirm the run.

A confirmation message is shown when the job is finished . You will find the cleanup results in the log.


Avoid all manual hassle by configuring a schedule that automatically handles all the user cleanup. The schedule comes with a wide range of time intervals you can fit to your specific needs.

Preview job result

Before activating the cleanup schedule, you may run a preview to verify that your schedule gives the expected result, and that it won’t affect unintended users. For example, if users are away during holidays, one week’s cleanup interval might be too short.

The test results are listed below, with a full log file in the kerberos folder.


Before activating the cleanup or schedule, the testrun or preview buttons let you get an idea of how many users are affected by the cleanup.

In addition you will find a log of the 5 last cleanups that happeneed in the Log tab.

Powerful user management

Combining User Cleanup with the existing tool Just-in-time user provisioning gives you a powerful user management. When a user hasn’t been active for a while, they are deactivated by the user cleanup schedule and won’t consume a license space. As soon as they’re back and log in with SAML or OpenID Connect, their account will be reactivated. It’s all automated and as soon as it’s configured, you won’t have to do anything. Just-in-time user provisioning also creates new accounts for new employees logging in for the first time.

User cleanup offers an excellent tool to keep the amount of licenses under control. It also offers a security benefit during offboarding. As soon as the user is removed from the central user directory at the identity provider, their account will also be deactivated in Atlassian after a while due to the Kantega SSO User Cleanup.