Automatic user (de)provisioning in cloud

Overview

You can use this document as a technical guide if you need to deploy a license revocation process. The details listed here are purely technical, product agnostic, and may require some extra steps for your specific configuration.

Considerations

  • This method only removes users from a group. It does not delete them. All of the user history related to a de-provisioned user will be retained.
  • For this method, removing a user from a group is only applicable for cloud administrators that DO NOT have user provisioning enabled.
    • For cloud administrators that do have user provisioning enabled, removing users from groups will require engaging the Active Directory team.
  • Because we are not deactivating the user account, users that have had a product license revoked will still be able to access internal Jira Service Management projects as a "Customer."
  • It's best practice that only one group is used for product access (for example, the default <product-users> group)
    • If you have multiple groups that are used for product access, you’ll have to remove the user from every group they’re a part of that gives them product access.

Requirements

To get us started, we need a few pieces of information:
  • A user who is a product admin and an organization admin
  • The group-name that grants cloud users a license to the product
  • A list of users who belong to that group-name
  • Data about user activity in an organization
  • An "inactivity threshold" to determine if a user needs their license or not. See the Building the Standard section below for guidance on establishing this threshold.

Process

Let’s talk about how we gather those bits of information.

You need to be an organization admin to get the required information.

Gathering admin information

To get a list of product administrators:
  1. Go to your site's Admin at admin.atlassian.com. If you're an admin for multiple sites or an organization admin, select the site's name and URL to open the Admin for that site.
  2. Select Groups from the left side of the page.
  3. Select all groups that have a checkmark in the Product administration column.

The administrators and/or product-name-admins groups are set up with products by default when an instance is created; however, your organization may have added a custom group with product admin access.

To get a list of organization administrators:
  1. Log in to your organization at admin.atlassian.com.
  2. Select Settings > Administrators.
  3. Select Add administrators.

Gathering group licensing information

To find the groups that grant users a license to a specific product:
  1. Note all groups that have a checkmark in the Access to Product column.
  2. Using the API, get all users in those groups and export them to a CSV file.
    # Results are paginated: repeat with startAt until the response reports isLast
    curl --request GET \
      --url 'https://your-domain.atlassian.net/rest/api/3/group/member?groupname={groupname}' \
      --user 'email@example.com:<api_token>' \
      --header 'Accept: application/json'

Gathering user activity information

To find the date and time a user was last active in a product:
  1. Using the API, get all user activity within an organization and export it to a CSV file.
    # Results are paginated: follow the next link in the response until none is returned
    curl --request GET \
      --url 'https://api.atlassian.com/admin/v1/orgs/{orgId}/users' \
      --header 'Authorization: Bearer <access_token>' \
      --header 'Accept: application/json'
  2. Make specific note of the "last_active": "<string>" data that is returned for the product in question.
Note: You can also use some pre-written scripts to get all users with their last activity date from the Atlassian Community post called How to get all users within an organization and their last activity date via API.

Building the standard

At this point, you should have a list of every user that is currently provisioned a license to a product, with the date and time they were last active in that product. Using your two CSV files, combine the data in a spreadsheet, joining on accountId.
Using this information, you can define an appropriate "inactivity threshold" to revoke licenses. This threshold can be anything from a week, to six months, to a year. It really depends on the client and their licensing needs.
To free up a license, all that is left to do is remove that user from the group or groups that grant them a license.

Removing users from group(s)

To remove a user from the group or groups that grant them a license:
  1. Using the API, remove the user from the group.
    curl --request DELETE \
      --url 'https://your-domain.atlassian.net/rest/api/3/group/user?groupname={groupname}&accountId={accountId}' \
      --user 'email@example.com:<api_token>'
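As an added example, not part of this guide or of Atlassian's tooling, the join-and-threshold step and the revocation step scripted in Python. It assumes the response shapes shown in the constructed samples: group members under "values" with "accountId", and organization users under "data" with "account_id" and a per-product "last_active" inside "product_access"; admin accountIds are excluded from the sweep, and a member with no recorded activity in the product is treated as inactive.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like /rest/api/3/group/member (members under "values")
GROUP_MEMBERS = {"values": [
    {"accountId": "acc-1", "displayName": "Alice"},
    {"accountId": "acc-2", "displayName": "Bob"},
    {"accountId": "acc-3", "displayName": "Carol"},
    {"accountId": "acc-4", "displayName": "Dan"},
]}
# Constructed sample shaped like /admin/v1/orgs/{orgId}/users (users under "data",
# per-product "last_active" inside "product_access"); field names are an assumption
ORG_USERS = {"data": [
    {"account_id": "acc-1", "product_access": [{"key": "jira-software", "last_active": "2024-01-02T10:00:00Z"}]},
    {"account_id": "acc-2", "product_access": [{"key": "jira-software", "last_active": "2024-05-20T09:00:00Z"}]},
    {"account_id": "acc-3", "product_access": [{"key": "confluence", "last_active": "2024-05-20T09:00:00Z"}]},
    {"account_id": "acc-4", "product_access": []},
]}
ADMIN_IDS = {"acc-2"}  # constructed: members of product-admin groups, never auto-revoked
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible

def last_active_for(user, product_key):
    """Return the last-active timestamp for one product, or None if never active."""
    for access in user.get("product_access", []):
        if access.get("key") == product_key and access.get("last_active"):
            return datetime.fromisoformat(access["last_active"].replace("Z", "+00:00"))
    return None

def select_inactive(group, org, product_key, threshold_days, now, protected=frozenset()):
    """Join group membership with activity data; return accountIds past the threshold."""
    cutoff = now - timedelta(days=threshold_days)
    activity = {u["account_id"]: u for u in org["data"]}
    revoke = []
    for member in group["values"]:
        aid = member["accountId"]
        if aid in protected:          # keep product/org admins out of the automated sweep
            continue
        last = last_active_for(activity.get(aid, {}), product_key)
        if last is None or last < cutoff:   # never active counts as inactive
            revoke.append(aid)
    return revoke

def revoke_commands(group_name, account_ids):
    """Render the guide's DELETE call per account as a reviewable dry run."""
    base = "https://your-domain.atlassian.net/rest/api/3/group/user"
    return [f"curl --request DELETE --url '{base}?groupname={group_name}&accountId={aid}' "
            f"--user 'email@example.com:<api_token>'" for aid in account_ids]

if __name__ == "__main__":
    ids = select_inactive(GROUP_MEMBERS, ORG_USERS, "jira-software", 90, NOW, ADMIN_IDS)
    print("\n".join(revoke_commands("jira-software-users", ids)))
```

Review the printed commands before running them; with real data, replace the constructed payloads with the two exported API responses.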

Next steps

It is recommended to script this data collection and license revocation process and have it run on a regular schedule. How often it runs is, again, up to you.
It’s also worth mentioning that this entire process will be much simpler if you deploy a "gatekeeper" group. In short, a gatekeeper group has only one function: to provision a license to a single product. It is not used in Permission Schemes, Space Permissions, Issue Security, etc. It also implies that no other groups grant licenses to the product. This way, when you need to pull data about who has a license to what and modify that group membership, you are only dealing with a single group.
Additionally, a time will come when a user who had their license revoked needs it back. A product admin can restore it by adding that user back to the appropriate group.