Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Bitbucket server: How to lock out a user safely without removing from user directory?

Marko Schröder
Marko Schröder January 3, 2019

Hi folks,

due to company security policies we have to ensure a safe lock out of users who left the company. On the other hand a simple deletion of the user is unwanted.

I run some tests and investigations. Removing an user from group shash-users seems not to be enough:

  1. only a new login attempt to web-ui is prevented. As long as the user stays logged in the user can continue using the Bitbucket server.
  2. ssh-based git activities seems not to be affected at all by removing user from shash-users

Conclusions:

  1. I see no safe approach to lock out an user from Bitbucket server immediately.
  2. To lock out a user safely it's needed to remove the user from group stash-users and remove all ssh keys of this user.

Questions:

  1. What are the best practise suggestions?
  2. How do you handle user management?
  3. Did I miss important details (or misunderstood the documentation)?

I highly appreciate every suggestion and answer.

Marko

Answer
Watch
Like Be the first to like this
523 views

1 answer

0 votes
Julius Davies [bit-booster.com]
Julius Davies [bit-booster.com]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
January 5, 2019

 

Are you using the LDAP integration?   If you disable the user in your LDAP (e.g., Microsoft Active Directory - right click on user object, click "disable" - something like that), I think Bitbucket Server picks that up pretty quickly and disables the user in Bitbucket.

The nice thing about this approach:  it's very easy to reactivate the user, and Bitbucket also picks up the LDAP reactivation very quickly (typically within 5 minutes I believe).

View More Comments
Marko Schröder
Marko Schröder January 7, 2019

Hi,

thank you for your answer. We are working on a LDAP integration. That creates some more questions (https://community.atlassian.com/t5/Bitbucket-questions/How-do-I-migrate-users-from-Bitbucket-server-internal-directory/qaq-p/973322) ;-)

I am curios how your LDAP integration works: Will a user be thrown out of Bitbucket web ui immediately, if you disbled the user in LDAP and run a LDAP-Bitbucket-sync? Does your LDAP integration also deletes possibly existing ssh keys of the user if user is disabled?

Best regards,
Marko

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security