Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How to handle removed Users?

David Toussaint [Communardo]
David Toussaint [Communardo]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 10, 2012

Hi,

I am comming across this every now and than and it is a real PITA (imho)! If a user is deleted in JIRA (or no longer synced from the LDAP) working with jira is a mess. This can occure e.g. if someone leaves a company...

The following scenarios with removed users make me facpalm a lot:

  • removing the user form a project role -> exception (ui)
  • working with issues where said user is watcher -> exception (log)
  • editing shared filters and dashboards from those users -> exception (ui)
  • editing an issue where such a suer is author with having the right to modify the author -> can't safe the edit at all!
  • This list could go on and on and on...

Fur us we often have to remove users for different reasons and this usually done by removing them from the LDAP. How should we approach above stated problems? Or how would a process look like in order to avoid said problems?

Thanks and Cheers, David

Answer
Watch
Like # people like this
4597 views

3 answers

1 accepted

2 votes
Answer accepted
MatthewC
MatthewC
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 10, 2012

from my experience it is a PITA (never used that acronym before but I like it!), maybe even a RRPITA (a Right, Royal PITA)

First, I presume you've read these:

https://confluence.atlassian.com/display/JIRA/Managing+Users#ManagingUsers-Deactivatingauser

Editing issue after user deleted

https://confluence.atlassian.com/display/JIRAKB/Cannot+Edit+Issue+After+User+Has+Been+Deleted

How do we handle it? We periodically sweep the user database and have a script which checks if they are still in the LDAP server. if not, we remove all groups and add them to a marker group (Dead Accounts) and deactivate them. We also get reports from HR about leavers and the suport team does manual updates to reassign issues which are assigned to the dead account. becomes a bit more complex when they are project lead as well, you have to manually look for that.

The whole way user accounts is handled is a bit of mess but it's getting better in Jira 5.

View More Comments
David Toussaint [Communardo]
David Toussaint [Communardo]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 16, 2012

Yes, I know both ressources. The thing is, deactivating a user is not available when the user has just been excluded from the LDAP sync. So the process would be:

  1. "remove" (exclude from sync) user
  2. re-create user in internal directory
  3. deactivate user (on pre-jira 5.1: remove user from all groups and project roles)

Now one would be save, korrekt?

Like
Renjith Pillai
Renjith Pillai
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 16, 2013

Or isn't it just sufficient that the user is removed from the group which is used in the JIRA Users global permission. Sync can happen, the user will still come from LDAP, but is not active and won't count to license since he can't login.

Like
David Toussaint [Communardo]
David Toussaint [Communardo]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 19, 2013

@Renjith The problem is that the user is just beeing removed from Sync. There is no way for me to avoid this (higher power, say administrators are in charge). If that would not be the case, your proposed solution would be indeed sufficent.

Like
Renjith Pillai
Renjith Pillai
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 20, 2013

Ah ok, can understand. Otherwise you should be using Internal with LDAP authentication (Copy User on Login, Synchronise Group Memberships).

Like
Reply
1 vote
Dave C
Dave C
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 20, 2013

If a user is deleted from the LDAP engine (typically Active Directory), when JIRA periodically synchronises (if using a connector) that user will be deleted in JIRA. As linked earlier, we recommend to deactivate users rather than deleting them as it can cause a number of problems in JIRA. You could workaround this with any of the following (this is also summarising from some earlier answers):

  1. Deactivate the user from the LDAP engine rather than delete them. This will prevent them logging in, however they would also need to be marked as deactivated in JIRA (either removing their groups or using the deactivate functionality). This does rely upon LDAP administrators deactivating rather than deleting.
  2. Use the Internal Directory with Delegated Authentication. This unfortunately will not offer periodic synchronisation, however you can copy across users/groups on first login.
  3. Add the user to the internal directory after they're deleted from the LDAP directory and remove all their groups. They would need a "dummy" email as well, one that doesn't error or JIRA can end up putting those errors into issues as comments.

View More Comments
David Luke
David Luke August 26, 2013

I am having this situation appear, as well. I am in a very large company (60K+ possible users in LDAP) and have no control/influence over the process for removing employees from LDAP.

So #1 won't work.

I use the LDAP diretory to manage my groups because those groups are used in other systems, as well (not just JIRA).

So #2 won't work.

Lastly, I don't know when a user is deleted unless I stumble upon one of his/her tickets and see the grayed user name. So since I don't know when users are deleted from LDAP, I can't do #3.

So #3 won't work.

Is their a #4? At a mininum, I'd like a filter (JQL statement) that flags these orphaned users to my attention. Then maybe I could manually do #3 or otherwise reassign.

Like
Reply
0 votes
Viktor Nedorezo
Viktor Nedorezov January 16, 2013

And what is the official decision?

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.