Inactive user cleanup

See the usage guide below the screenshot:

image-20251027-130153.png

 

Powerful user management

Combining User Cleanup with Just-in-time user provisioning gives you powerful user management. When a user hasn’t been active for a while, they are deactivated by the user cleanup schedule and won’t consume a license. As soon as they’re back and log in with SAML or OpenID Connect, their account is reactivated. It’s all automated, and once it’s configured, you won’t have to do anything. Just-in-time user provisioning also creates new accounts for new employees logging in for the first time.

User cleanup is an excellent tool for keeping the number of licenses under control. It also offers a security benefit during offboarding. Once the user is removed from the central user directory at the identity provider, their account will also be deactivated in Atlassian after a while by the Kantega SSO User Cleanup.

Configure user cleanup to optimize your license usage, either by deactivating the user or by removing the user from the licensing group. Typically, the group jira-software-users grants access to Jira Software licenses. You can configure the user activity requirement for the cleanup, that is, how long ago they last logged in.

Configure User Cleanup

image-20240423-134034.png

 

Settings

  1. Go to user cleanup through either Kantega SSO → Common → Inactive user cleanup or Kantega SSO → User cleanup as shown in the picture above. This opens the user cleanup dialog shown below:

    image-20240423-132408.png

     

     

  2. Choose whether you want to deactivate users or remove users from a licensing group.

    image-20240220-162515.png

     

    1. If you want to remove access to a local group you can also select which group to clean:

      image-20240423-134412.png

  3. Set the user activity requirement for cleanup by specifying the number of days since their last login. In the example below, we chose 3 days, but you can adjust it to clean more or less often based on your needs.

    image-20251027-195256.png
  4. If you choose to remove access to a local group, users will be removed from that group. The user cleanup affects only memberships related to the chosen group and does not remove other group memberships. If the removed group is not the licensing group, the user remains active.

    While cleaning up users, you also want to make sure that certain users are not cleaned, even if they haven't logged in for a while. For example, admin accounts should not be cleaned, because you might then lose system access. Exceptions can be configured based on group memberships or user directories.

    image-20251027-123623.png

  5. To check which users your setup will affect, you may run an analysis. This provides a cleanup prognosis. You can then select users manually and remove them from groups or disable them using the Action button.

    image-20251027-130641.png
    1. Start fetching live data from user directories (this may take much longer). When turned off, cached data is used.

  6. Click Run user cleanup to perform the configured cleanup. You will be prompted to confirm the run before the job starts.

image-20240220-150115.png

After the cleanup job is finished, the cleanup results are found in the log. A log file is also created in the kerberos folder: <atlassian_home_folder>/kerberos/userCleanupLogs.

image-20240220-150206.png
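
The selection rules in steps 2 to 5 can also be checked outside the app before you enable cleanup. The following Python example is added here and is not Kantega SSO code: it computes a cleanup prognosis from a constructed user export. The field names, the mode names, the exempted group and directory, and the handling of users with no recorded login (listed for manual review) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample export; field names are assumptions, not the app's schema.
# "Service accounts" is a made-up directory name used to show a directory exemption.
USERS = [
    {"name": "alice", "last_login": "2025-10-26", "groups": ["jira-software-users"], "directory": "Internal", "active": True},
    {"name": "bob", "last_login": "2025-09-01", "groups": ["jira-software-users", "developers"], "directory": "LDAP", "active": True},
    {"name": "root-admin", "last_login": "2025-06-15", "groups": ["jira-administrators", "jira-software-users"], "directory": "Internal", "active": True},
    {"name": "svc-build", "last_login": None, "groups": ["jira-software-users"], "directory": "Service accounts", "active": True},
    {"name": "carol", "last_login": None, "groups": ["jira-software-users"], "directory": "LDAP", "active": True},
]

def prognosis(users, today, max_idle_days, mode, cleanup_group=None,
              exempt_groups=(), exempt_directories=()):
    """Sort active users into clean / exempt / review / keep (lists of names).

    mode: 'deactivate' or 'remove_from_group' (hypothetical names for the step 2 choice).
    """
    cutoff = today - timedelta(days=max_idle_days)
    result = {"clean": [], "exempt": [], "review": [], "keep": []}
    for u in users:
        if not u["active"]:
            continue  # already deactivated, nothing to clean
        if mode == "remove_from_group" and cleanup_group not in u["groups"]:
            result["keep"].append(u["name"])  # not a member of the group being cleaned
            continue
        if set(u["groups"]) & set(exempt_groups) or u["directory"] in exempt_directories:
            result["exempt"].append(u["name"])
        elif u["last_login"] is None:
            result["review"].append(u["name"])  # assumption: no login on record needs a human decision
        elif datetime.strptime(u["last_login"], "%Y-%m-%d") < cutoff:
            result["clean"].append(u["name"])
        else:
            result["keep"].append(u["name"])
    return result

def apply_group_removal(user, cleanup_group):
    """Model of step 4: only the chosen group is removed; other groups and 'active' are untouched."""
    return {**user, "groups": [g for g in user["groups"] if g != cleanup_group]}

if __name__ == "__main__":
    print(prognosis(USERS, datetime(2025, 10, 27), 3, "remove_from_group",
                    cleanup_group="jira-software-users",
                    exempt_groups=["jira-administrators"],
                    exempt_directories=["Service accounts"]))
```

Running the same prognosis with no exemptions puts root-admin in the clean list, which is the lockout case the exceptions in step 4 are meant to prevent.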

Schedule

Avoid all manual hassle by configuring a schedule that automatically handles all the user cleanup. The schedule comes with a wide range of time intervals that you can fit to your specific needs.

image-20240220-163405.png

 

Analyse job result

Before activating the cleanup schedule, you may run an analysis to verify that your schedule gives the expected result, and that it won’t affect unintended users. For example, if users are away during holidays, one week’s cleanup interval might be too short.

image-20240220-163230.png

 

Activate Cleanup schedule

Activate Cleanup schedule when you are happy with the configuration. The job will start at the time shown in the Next cleanup field.

image-20240220-164055.png

 

Log

The 5 latest user cleanups are shown in the log screen.

A log file will also be located in the kerberos folder: <atlassian_home_folder>/kerberos/userCleanupLogs.

image-20240220-151735.png