
When a user is deleted in AD or Crowd, JIRA could keep the user in JIRA as an inactive user


      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      This issue supersedes CWD-2515. I have had a chat with Olli Nevalainen and we agreed that this is a good improvement request for the behavior of JIRA when a user is deleted from the AD side or from Crowd.

      Currently, the user would disappear from the JIRA user browser and will show up in gray color in the issues when he is the assignee or reporter. However, this may cause problems later on. I have witnessed one problem of it when retrieving SOAP remote issues whose assignee/reporter does not exist in JIRA due to him/her being deleted from the LDAP/Crowd side. There may be more hidden problems about it.

      Deleting a user who matches any of these criteria was never possible from the UI:

      1. Assignee of any issue
      2. Reporter of any issue
      3. Lead of any project

      Thus, I have raised this improvement request to keep the user in JIRA even after being deleted from the external user management system, but as an inactive user (he/she will not be able to log in anyway).

      Regards,
      Ali

            [JRASERVER-24937] When a user is deleted in AD or Crowd, JIRA could keep the user in JIRA as an inactive user

            Emanuel Y added a comment -

            Any plans for Jira Cloud?

            Jonas Andersson added a comment - - edited

            REDACTED


            Adhip Pokharel added a comment -

            Thanks, Mark. I'll check it out.

            Mark Lassau (Inactive) added a comment -

            apokharel

            You can see in our EAP Download page that we have already made a public beta for 6.1.
            Expect to see a release candidate soon, and then the final some weeks after that...

            Mark Lassau (Inactive) added a comment -

            intersol

            I think that the only fix for this is to allow Jira to have "shadow-users" or phantom ones, Jira must have a way to keep working even if the user vanished from the database…

            This is true. Even with the fix for this issue, it will still be possible for users to be deleted in certain circumstances (e.g. you can disable the LDAP user directory), as well as legacy data will exist with missing users.
            I think you should raise bugs for any problems you see like the two you list.
            Link them to this issue, or add in comments and I will do my best to get them to the attention of the right people.

            Adhip Pokharel added a comment -

            Hi Mark,

            Do you have any timeline for 6.1?

            Thanks

            Sorin Sbarnea added a comment -

            Here we are using Crowd with 4 Jira instances, maybe more in the future, and I am aware that due to having a new middle tier it would be almost impossible to prevent the account from being removed from the outside system (Crowd in my case, but also applies identically if you use AD directly).

            I think that the only fix for this is to allow Jira to have "shadow-users" or phantom ones, Jira must have a way to keep working even if the user vanished from the database… and still let you:

            • edit a ticket that has an invalid user as Assignee or Reporter
            • edit filters owned by these users and change the ownership

            Mainly I do think that this could be implemented by always instantiating an inactive/placeholder user by only having its username, even if this user does not exist in any of the directories.

            You cannot replace all these invalid users with a generic account because it will lose information and even worse, if the user was temporarily removed from the external directory, he would lose everything and the database would be hugely affected: this happened several times, by accident or not.

            Fabio Coatti added a comment -

            We are using OpenLDAP, I will raise another request, hoping to have some answer. It seems that CWD-2762 asks the same thing, unfortunately without much attention so far.

            Mark Lassau (Inactive) added a comment -

            cova
            Which LDAP vendor do you use?
            JIRA v6.1 will include the ability to synchronise a user's enabled/disabled flag for Active Directory. See CWD-995 for details.

            For other vendors you should raise a separate feature request.

            Fabio Coatti added a comment -

            One small comment: on our installation, a user is never removed but the password is locked and the user inactivated, to keep references in logs and history as well.
            As we are using LDAP+Jira, this makes it impossible to have Jira inactivate users locked on LDAP stored information.
            It would be advisable to have Jira looking at a specific field on LDAP, say "inactiveuser", and if it is set to true Jira will proceed to inactivate the user.
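The behaviour requested in this issue and in the comments above (keep users who vanish from the directory as inactive instead of dropping them, honour a directory-side flag such as the suggested "inactiveuser" field, and restore a user who reappears), as an added sketch that is not Jira or Crowd code. The data model, the function names and the `"true"` string convention are assumptions.

```python
from dataclasses import dataclass

@dataclass
class LocalUser:
    username: str
    active: bool = True

def reconcile(local, directory, inactive_attr="inactiveuser"):
    """Sync the local user table against a directory snapshot without deleting.

    local:     dict username -> LocalUser (the application's own records)
    directory: dict username -> attribute dict from LDAP/Crowd (constructed here)
    Assumes the directory is authoritative for the active flag and that a
    username is never reassigned to a different person.
    Returns a list of (username, action) tuples for audit logging.
    """
    changes = []
    for name, entry in directory.items():
        locked = str(entry.get(inactive_attr, "false")).lower() == "true"
        user = local.get(name)
        if user is None:
            local[name] = LocalUser(name, active=not locked)
            changes.append((name, "created"))
        elif user.active and locked:
            user.active = False
            changes.append((name, "deactivated: flagged in directory"))
        elif not user.active and not locked:
            user.active = True  # e.g. temporarily removed, now restored
            changes.append((name, "reactivated"))
    for name, user in local.items():
        if name not in directory and user.active:
            # Keep the record so assignee/reporter/lead references still resolve.
            user.active = False
            changes.append((name, "deactivated: missing from directory"))
    return changes

def can_log_in(local, username):
    """Only users that exist locally and are active may authenticate."""
    user = local.get(username)
    return user is not None and user.active

if __name__ == "__main__":
    # Constructed sample data: alice was deleted upstream, bob was locked.
    users = {"alice": LocalUser("alice"), "bob": LocalUser("bob")}
    snapshot = {"bob": {"inactiveuser": "TRUE"}, "carol": {}}
    for change in reconcile(users, snapshot):
        print(change)
    print("alice kept:", "alice" in users, "can log in:", can_log_in(users, "alice"))
```
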

              mlassau Mark Lassau (Inactive)
              ajawad Ali Mohamed Jawad [Atlassian]
              Votes: 68
              Watchers: 83
