I’m trying to make our JIRA installation as self-supporting as possible. This means things like using SSO, so there are no separate passwords for users to remember (and, of course, forget), and automatically creating users on their first visit to JIRA. Of course, this is only possible for sites whose users are all internal.
Something else that we need to do is deactivate users who have left the firm. That’s not for security reasons, but to:
- keep the number of users in jira-users below the soft limit for the ajax user picker – 5000.
- help keep drop-down lists like assignee manageable; project managers won’t remember to update the roles for their project when someone leaves.
- keep tabs on which projects are active – e.g. if there are no project admins for a project, perhaps it’s time to close that project down or assign someone else.
- and regulatory reasons – we need to confirm on a periodic basis that each user should still be a member of their roles – the fewer the active users, the easier that is.
The logic is simple enough – for each user in jira-users, work out if the user should be retired and, if so, remove them from all groups and roles they are in.
I never delete them. Although from the Web UI you can delete them if they are not the reporter or assignee of any issues, I prefer not to.
How do you know if someone should be retired? In our case, I do an LDAP query against the user name. Leavers are moved to a node called RetiredUsers or something, so if their distinguishedName comes back with that in it, they’re considered to have left. I don’t think this is a “standard” though, so I’ve just left a stub in the script called userStillValid, which you would need to implement.
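One way to fill in the userStillValid stub, as an added example rather than the script from this post: it matches the retired node as a whole DN component instead of a substring. The container name, the lookupDn closure, the sample DNs and the choice to leave users active when the lookup returns nothing are all assumptions.

```groovy
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName

// Assumed container name; the post only says "RetiredUsers or something".
// True only when a whole container RDN equals that name, so the same text
// appearing inside someone's CN does not count as a match.
boolean inRetiredContainer(String dn, String container = 'RetiredUsers') {
    def rdns = new LdapName(dn).rdns   // index 0 is the root; the entry's own RDN is last
    rdns.size() > 1 && rdns.subList(0, rdns.size() - 1).any {
        it.value.toString().equalsIgnoreCase(container)
    }
}

// lookupDn is a hypothetical closure: username -> distinguishedName, or null
// when the directory returned nothing. Assumption: "not found" and "unparseable"
// keep the user active, so a failed LDAP query never strips groups and roles.
boolean userStillValid(String username, Closure lookupDn) {
    String dn = lookupDn(username)
    if (!dn) {
        println "REVIEW ${username}: no DN returned, leaving active"
        return true
    }
    try {
        return !inRetiredContainer(dn)
    } catch (InvalidNameException e) {
        println "REVIEW ${username}: cannot parse DN, leaving active"
        return true
    }
}

// Constructed sample data standing in for the LDAP query results.
def directory = [
    asmith: 'CN=Alice Smith,OU=Staff,DC=example,DC=com',
    bjones: 'CN=Bob Jones,OU=RetiredUsers,DC=example,DC=com',
    raudit: 'CN=RetiredUsers Audit,OU=Services,DC=example,DC=com',
]
def lookup = { String name -> directory[name] }

assert userStillValid('asmith', lookup)
assert !userStillValid('bjones', lookup)
assert userStillValid('raudit', lookup)   // a substring test on the DN would retire this account
assert userStillValid('ghost', lookup)    // absent from the sample directory: flagged, not retired
```

In the real script the closure would wrap the LDAP query, and the REVIEW lines would go to whatever log the service writes.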
The script is then set to be run as a service by GroovyService. To get more control over when this is run, I set the service to run daily (every 1440 minutes), but the script bails out at the top unless it’s the first day of the month.