De-activated Jira User Trying to Change Password

Hemanshu Sood August 14, 2018

Hi,

If a user is de-activated in Jira and then tries to log into the application, the system says "Username/Password incorrect".

But he/she is still able to change his password and trigger a password reset email by clicking on "Can't access my account".

Is there a way to disable it?

To summarize: a de-activated Jira user should not be able to change his/her password, and Jira should throw a message stating that the account is de-activated, etc.

1 answer

0 votes
Mirek
Community Champion
August 14, 2018

I was always wondering whether this is correct behavior or not. I had the same thoughts, but then I realized that from the security point of view this is better than allowing someone to learn which usernames exist in the database. If you had a different message it would be easy to get usernames (which are mostly emails). Same with emails. It is then better to allow all than to make an exception for disabled users. But from the UI it is confusing, I agree.

Hemanshu Sood August 14, 2018

Hi @Mirek, can't we just remove "Can't access my account" for inactive users from the UI?

So, even if a user is de-activated, he can try resetting his password 7-8 times, get 7-8 emails, and still cannot log in. This will just add to the confusion of a relatively new Jira user.

Mirek
Community Champion
August 14, 2018

You can definitely remove "Can't access my account" for everyone with a simple customization, but not for individual users (unless you use Apache or NGINX, where you can block/redirect specific URLs). This option is available before you log in, and as I mentioned, from the security point of view this is correct, since someone cannot guess in any way which usernames you have in your database.

I think a better approach is to send an email to the user when he is actually deactivated. However, mostly users are deactivated when they leave the company. Is there any reason to deactivate an account for existing users? I can see only one: if you would not count them towards the license.

Anyway, without a reverse proxy, development, or a third-party plugin, blocking individual users is not possible. I'm just not sure if this is a good approach.
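The design the thread converges on, as an added example that is not Jira's own code and not from either poster: the "Can't access my account" handler returns the same text whether the identifier is unknown, belongs to a deactivated account, or belongs to an active one, so the anonymous requester learns nothing; the fact that an account is deactivated is only ever told to the mailbox owner, and the account is also notified at deactivation time (Mirek's suggestion), with any outstanding reset tokens revoked. The in-memory user store, the `outbox` list standing in for the mail sender, and all function names are hypothetical and constructed for illustration.

```python
"""Enumeration-safe "Can't access my account" flow.

Added example, not Jira's own code: a hypothetical in-memory user store and an
outbox list standing in for the mail sender. The requester always gets the
same message; whether the account exists or is deactivated is only ever told
to the mailbox owner.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GENERIC_RESPONSE = ("If an account matches what you entered, an email with "
                    "further instructions has been sent.")


def _hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"


@dataclass
class User:
    username: str
    email: str
    active: bool = True
    password_hash: str = ""


@dataclass
class Mail:
    to: str
    subject: str
    body: str


@dataclass
class ResetService:
    users: Dict[str, User]                                # keyed by username
    outbox: List[Mail] = field(default_factory=list)      # constructed stand-in for SMTP
    tokens: Dict[str, str] = field(default_factory=dict)  # reset token -> username

    def _lookup(self, identifier: str) -> Optional[User]:
        ident = identifier.strip().lower()
        for u in self.users.values():
            if ident in (u.username.lower(), u.email.lower()):
                return u
        return None

    def request_reset(self, identifier: str) -> str:
        """Handler behind "Can't access my account". Returns the same text for
        an unknown identifier, a deactivated account and an active one."""
        user = self._lookup(identifier)
        if user is None:
            return GENERIC_RESPONSE          # nothing to send, nothing to reveal
        if not user.active:
            # No token is minted. The mailbox owner (not the requester) is told
            # the account is deactivated, which is what the question asks for.
            self.outbox.append(Mail(user.email, "Your account is deactivated",
                                    "Password resets are disabled for this account; "
                                    "contact your Jira administrator."))
            return GENERIC_RESPONSE
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user.username
        self.outbox.append(Mail(user.email, "Password reset",
                                f"Reset token: {token}"))
        return GENERIC_RESPONSE

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Redeem a single-use token. Constant-time comparison; refuses
        deactivated accounts even if the token was issued before deactivation."""
        match = next((t for t in self.tokens
                      if hmac.compare_digest(t.encode(), token.encode())), None)
        if match is None:
            return False
        user = self.users[self.tokens.pop(match)]
        if not user.active:
            return False
        user.password_hash = _hash_password(new_password)
        return True

    def verify_password(self, username: str, password: str) -> bool:
        """Login check; a deactivated account never verifies."""
        user = self.users.get(username)
        if user is None or not user.active or not user.password_hash:
            return False
        salt_hex, _ = user.password_hash.split("$")
        expected = _hash_password(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(expected, user.password_hash)

    def deactivate_user(self, username: str) -> None:
        """Deactivate, revoke outstanding reset tokens, and notify the owner at
        deactivation time (the alternative suggested in the thread)."""
        user = self.users[username]
        user.active = False
        self.tokens = {t: u for t, u in self.tokens.items() if u != username}
        self.outbox.append(Mail(user.email, "Your account has been deactivated",
                                "Logins and password resets are disabled."))
```

The response body is identical in all three cases, so the reset form cannot be used to confirm which usernames or emails exist; the remaining difference is timing (the active-user path mints a token and sends mail), which a real deployment should equalize or queue asynchronously. Deactivated accounts still receive an email per request, which is a choice: it tells the legitimate owner why resets are not working, but a sender that rate-limits per account keeps repeated requests from turning into a mail flood.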
