LDAP user deletion effect in Jira user base

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When using an external LDAP directory (such as Active Directory), deleting a user from LDAP or otherwise excluding them from Jira's synchronization (for example, moving the user outside the configured base DN or changing the user filter to exclude them) will result in one of two possible outcomes: in Jira, the user will be either deleted or marked as inactive.

Even if the user performs actions in Jira, that may not be sufficient to keep the user in the Jira user database, as described below.

How removal from LDAP affects different users

A user removed from LDAP is marked as inactive in Jira if:

  • The user is not duplicated in another User Directory

  • AND at least one of the following is true:

    • The user is the assignee of at least one issue

    • The user is the reporter of at least one issue

    • The user has added at least one comment on an issue

Otherwise, the user will be deleted from Jira, even if any of the following applies:

  • User is duplicated in another User Directory

  • The user has added at least one work log entry to an issue

  • The user has voted on at least one issue

  • The user is watching or is a participant in at least one issue

  • The user has been mentioned in at least one comment on an issue

  • The user is the project lead of at least one project

  • The user has been selected in any user picker field in at least one issue

If you need to completely delete a user from Jira, even if Jira would have marked them as inactive above:

  • Jira 10.6.0 and newer, with the com.atlassian.jira.user.allowDeleteExternallyDeletedUsers feature flag enabled (default value):

    • remove the user from the Jira user management view

  • Jira versions previous to 10.6.0:

Example user deletion scenarios

Here, we've created a few users, then performed different actions in Jira. Afterwards, the users are deleted in LDAP. Our users are:

  • tempwithworklog: user that only logged work on, voted on, and watched an issue

  • tempwithoutissues: read-only user in the instance (no action was performed in Jira)

  • tempwithissues: user that reported and assigned issues

All three users appear in Jira's user list:

[Screenshot: list of all three temp users in Jira's interface]

And they appear in the database, in the cwd_user table:

[Screenshot: all three temp users in Jira's database, in the cwd_user table]

After they were removed from LDAP, only the tempwithissues user was kept and marked as inactive:

[Screenshot: Jira interface user list displaying only the user tempwithissues]

[Screenshot: Jira database cwd_user table returning only tempwithissues]

Similarly, users that have left comments on issues are kept and marked as inactive.
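
The retention rule described above can be evaluated ahead of an LDAP cleanup to see which accounts will leave an inactive record behind and which will disappear. The following is an added example, not Atlassian's code: it runs the rule as a SQL query over an in-memory SQLite database of constructed, simplified tables. The table and column names, the directory IDs, and the extra users tempcommenter and tempduplicated are assumptions for illustration; verify the schema against your own Jira database before adapting the query.

```python
import sqlite3

# Constructed, simplified stand-ins for Jira tables. Table and column names are
# assumptions modelled on the Jira schema; verify them on your own database.
SCHEMA = """
CREATE TABLE cwd_user  (id INTEGER, directory_id INTEGER, lower_user_name TEXT);
CREATE TABLE app_user  (user_key TEXT, lower_user_name TEXT);
CREATE TABLE jiraissue (id INTEGER, reporter TEXT, assignee TEXT);
CREATE TABLE jiraaction(id INTEGER, author TEXT, actiontype TEXT);
CREATE TABLE worklog   (id INTEGER, author TEXT);
"""

# The article's rule: inactive only if NOT duplicated in another directory AND
# (assignee OR reporter OR commenter). Worklogs are deliberately not consulted.
FORECAST = """
SELECT u.lower_user_name,
       CASE WHEN NOT EXISTS (SELECT 1 FROM cwd_user d
                             WHERE d.lower_user_name = u.lower_user_name
                               AND d.directory_id <> u.directory_id)
             AND (EXISTS (SELECT 1 FROM jiraissue i
                          WHERE a.user_key IN (i.reporter, i.assignee))
               OR EXISTS (SELECT 1 FROM jiraaction c
                          WHERE c.author = a.user_key AND c.actiontype = 'comment'))
            THEN 'inactive' ELSE 'deleted' END
FROM cwd_user u JOIN app_user a ON a.lower_user_name = u.lower_user_name
WHERE u.directory_id = ?
"""

def forecast(conn, directory_id):
    """Map each user of one directory to 'inactive' or 'deleted'."""
    return dict(conn.execute(FORECAST, (directory_id,)).fetchall())

def sample_db():
    """Constructed data: the article's three users plus two extra cases."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    names = ["tempwithworklog", "tempwithoutissues", "tempwithissues",
             "tempcommenter", "tempduplicated"]
    conn.executemany("INSERT INTO cwd_user VALUES (?, 2, ?)", enumerate(names, 1))
    conn.execute("INSERT INTO cwd_user VALUES (6, 1, 'tempduplicated')")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", [(n, n) for n in names])
    conn.executescript("""
        INSERT INTO jiraissue  VALUES (100, 'tempwithissues', 'tempwithissues');
        INSERT INTO jiraissue  VALUES (101, 'tempduplicated', NULL);
        INSERT INTO jiraaction VALUES (200, 'tempcommenter', 'comment');
        INSERT INTO worklog    VALUES (300, 'tempwithworklog');
    """)
    return conn
```

Calling `forecast(sample_db(), 2)` treats directory 2 as the LDAP directory. Users forecast as 'deleted' are the ones to review before removal if the link between a username and its worklogs, votes, or watches needs to be preserved.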

For more information on LDAP synchronization please refer to:

Updated on April 24, 2025
