How to delete unwanted users?

Article ID:360030863472
3 minute readKnowledge base

Issue

  • We have seen users that we didn’t create or that are not part of our security realm. Where did they come from? Is it safe to delete them?

  • Employee has left the company but their user still shows up in People.

Environment

Resolution

As explained in "How People is managed by Jenkins?", CloudBees CI can create users on demand not only during authentication but for other reasons as well.

If you are counting and monitoring user licenses with the CloudBees User Activity Monitoring plugin, you can check a report to see if a user is "Authenticated" or "SCM"-only.

If not, you can try executing this script on "Manage Jenkins" -> "Script console". This script will generate a CSV output with the permissions, type of users, and notes. Depending on the Security Realm, notes can highlight users that cannot log in, hence, most likely created from SCM changesets.

If you check out source code from an SCM, Jenkins automatically creates local accounts that track the authors of commits to the SCM repo if those accounts do not already exist. Since usernames are likely to be the same across multiple SCM systems, as well as Jenkins itself, ideally, we end up with a single Jenkins user record that maps to all source code changes that person made. This enables features such as seeing all builds that contain code committed by a given user or emailing commit authors (based on their Jenkins user account email address) when a build fails. These auto-generated users are not in the Secure Realm, so they will not be able to log in and have no permission in Jenkins. If you later explicitly create a Jenkins account with the same username, this commit history data will be preserved and associated with that account.

Alternatively, you may have users that no longer use CloudBees CI or have left the company.

Administrators can delete such SCM or offboarded users, but Jenkins will recreate similar user records when/if the users show up as contributors again (e.g., SCM authors).

To delete those users, as an administrator, you can locate the user in People and use the Delete action on the user details page. Alternatively, you can run the below script from the Script Console, indicating the user name:

import hudson.model.User
def userIdOrFullName = 'UserToDelete'
User targetUser = User.get(userIdOrFullName, false, [:])
if (targetUser) {
    targetUser.delete()
    println "User '${targetUser}' was deleted."
} else {
    println "Couldn't find '${userIdOrFullName}'"
}

In case you are working with several Controllers connected to an Operation Center instead of a standalone Controller, you will need to run this script on every Controller so that the user can be removed from all the instances. To do so, you may need to create a Cluster Operation in your Operation Center and then add a step to run the above Groovy script in all the connected controllers. Once done, this will execute the script on each instance and remove the desired user from each Controller.

Please note that deleting a user will also remove the credentials and API tokens associated with that user, so ensure you are removing unknown or unnecessary users.