Provide capability to immediately prevent a user from accessing Bitbucket if their permissions are removed

      Currently Bitbucket does not immediately terminate active sessions (to the website or for active git operations) when a user's permissions are removed.

      Steps to Duplicate:

      • User X is logged into Bitbucket and is browsing repositories, adding comments, etc.
      • User X is removed from either Crowd, LDAP, AD, or even directly in Bitbucket
      • Problem 1 is that if the user is in LDAP or AD, Bitbucket may not know about the permission change until a synchronization (by default 60 minutes)
      • Problem 2 is that even after LDAP/AD synchronization, User X is not automatically logged out of Bitbucket, and they are not prevented from accessing anything they had permission to access until they are required to log in again (due to a timeout or closing the browser).

      Some industries that are highly regulated require the ability to immediately terminate access.

      Some possible suggestions include:

      • A page available to System Admins that shows all current sessions, with the ability to terminate sessions from the UI
      • A REST API that could be called either manually or from LDAP to terminate sessions opened by a user whose permissions were removed

            Assignee:
            Unassigned
            Reporter:
            Craig Drummond
            Votes:
            12
            Watchers:
            8
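The two suggestions in the request (an admin view of live sessions, and an endpoint that terminates every session of a user whose permissions were removed) amount to one design change: the server keeps a session table it can enumerate and revoke, and re-validates the user against the directory on each request instead of trusting the session until it expires. The following is an added example sketching that design in Python; it is not Bitbucket's code and does not use any Bitbucket or Crowd API. `Directory`, `SessionStore` and the method names are hypothetical, and the directory is a constructed in-memory stand-in for Crowd/LDAP/AD.

```python
import secrets
import time
from dataclasses import dataclass


class Directory:
    """Constructed stand-in for the user directory (Crowd, LDAP, AD or the
    internal directory). Only current membership matters for this example."""

    def __init__(self, users):
        self._users = set(users)

    def is_active(self, username):
        return username in self._users

    def remove(self, username):
        # Models "User X is removed from the directory".
        self._users.discard(username)


@dataclass
class Session:
    session_id: str
    username: str
    created: float
    last_seen: float
    last_directory_check: float


class SessionStore:
    """Server-side session table that re-checks the directory instead of
    trusting a session until it times out (hypothetical, not Bitbucket's)."""

    def __init__(self, directory, recheck_interval=0.0):
        self._directory = directory
        # Seconds between directory re-checks for one session.
        # 0 = ask the directory on every request; 3600 reproduces the
        # "wait for the hourly sync" behaviour described in the issue.
        self._recheck_interval = recheck_interval
        self._sessions = {}

    def login(self, username):
        if not self._directory.is_active(username):
            raise PermissionError(f"{username} is not an active user")
        session_id = secrets.token_urlsafe(32)
        now = time.time()
        self._sessions[session_id] = Session(session_id, username, now, now, now)
        return session_id

    def authorize(self, session_id):
        """Called on every web request and every git operation.
        Returns the username, or drops the session and raises."""
        session = self._sessions.get(session_id)
        if session is None:
            raise PermissionError("unknown or terminated session")
        now = time.time()
        if now - session.last_directory_check >= self._recheck_interval:
            if not self._directory.is_active(session.username):
                # Permissions were removed: terminate now rather than
                # waiting for the session to time out.
                del self._sessions[session_id]
                raise PermissionError(f"{session.username} was removed")
            session.last_directory_check = now
        session.last_seen = now
        return session.username

    def list_sessions(self):
        """What the proposed System Admin sessions page would render."""
        return [
            {"session_id": s.session_id, "user": s.username,
             "created": s.created, "last_seen": s.last_seen}
            for s in self._sessions.values()
        ]

    def terminate_session(self, session_id):
        """Admin-page action: kill one session. True if it existed."""
        return self._sessions.pop(session_id, None) is not None

    def terminate_user(self, username):
        """What the proposed REST endpoint would call, e.g. from a directory
        deprovisioning hook. Returns the number of sessions dropped."""
        doomed = [sid for sid, s in self._sessions.items() if s.username == username]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

With `recheck_interval=0` a removed user is rejected on their very next request, which is the behaviour the request asks for; a large interval reproduces Problem 1, where the user keeps working until the next directory sync. The `terminate_user` path covers the case where the directory cannot be re-queried cheaply on every git operation: the deprovisioning system calls it once, and the sessions are gone regardless of the sync interval.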