Bulk Delete Inactive Users (UI & API Support)
Hi DefectDojo team,
First of all, thank you for providing and maintaining such a great platform—DefectDojo has been invaluable to our security workflow.
My name is Muhammed, and I work in a developer team that is currently rolling out DefectDojo company-wide across our enterprise. During this rollout we encountered a usability gap around user housekeeping that has become increasingly painful at our scale.
Is your feature request related to a problem? Please describe.
Yes.
As administrators we need to regularly remove accounts that are no longer active (e.g., employees who left the company or whose permissions were revoked).
Today each user must be:
- selected manually in Users,
- deleted individually, and
- confirmed in a separate dialog.
With dozens or hundreds of stale accounts this process is extremely time-consuming and error-prone.
Describe the solution you’d like
As an administrator, I want a bulk-cleanup mechanism so that I can quickly remove multiple inactive users in one action.
- UI idea
  - Add multi-select check-boxes (or a “Select all matching” option) in the Users view.
  - Provide filters for “Last login before <date>” and “Is active = False” to identify stale accounts.
  - Offer a single Delete selected button with one confirmation dialog for the whole batch.
- API idea
  - Expose an endpoint such as `DELETE /api/v2/users/bulk` that accepts a list of user IDs or a query parameter (e.g., `?inactive_since=2024-06-01`) and deletes them in one call.
  - Return a summary of deletions (success / failures) for audit logging.
Either (or both) of these changes would make housekeeping a matter of seconds instead of hours.
Describe alternatives you’ve considered
- Writing a custom script that calls the existing API and deletes users one by one
  - Works, but duplicates logic that could live in core and still triggers many individual delete calls.
- Disabling instead of deleting
  - Mitigates risk, but stale accounts still clutter views and reports.
- Relying on LDAP/SSO de-provisioning
  - Helpful, yet former users remain in the database and UI until manually purged.
None of these options solve the underlying scalability issue within DefectDojo itself.
Additional context
- DefectDojo version 2.46 behind corporate SSO (OIDC)
- Typical user base: ≈3 000 accounts, of which 15–20 % become inactive each quarter
Thank you for considering this enhancement!
Since most of the use cases we see are using SSO, we're unsure about adding fully featured user management in the Open Source edition. The short term solution we're considering is allowing filtering on Last Login date via the API so that a simple script can clean up users. What we usually see is that users are deactivated instead of deleted. Deleting users will/may result in removal of objects owned by that user.
Additionally a PR to do filtering and bulk deactivation via the UI would be welcomed from the community.
https://github.com/DefectDojo/django-DefectDojo/pull/12640 should help to quickly find the users that haven't logged in for a while.
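For reference, the "simple script" approach sketched above (and the scripted alternative listed in the original request) could look like the following. This is an added example written for this thread, not DefectDojo project code or a proposal from the maintainers. It assumes the v2 REST API shape that the request and the reply refer to: a paginated `GET /api/v2/users/` listing with `results` and `next`, user objects carrying `id`, `username`, `last_login`, `date_joined`, `is_active` and `is_superuser`, `PATCH /api/v2/users/<id>/` accepting `{"is_active": false}`, and token authentication via an `Authorization: Token <key>` header. Because a server-side last-login filter may not exist yet, the selection is done client-side after fetching all users; it deactivates rather than deletes, so owned objects are not removed, and it changes nothing unless `--apply` is given.

```python
"""Deactivate DefectDojo users whose last login is older than a cutoff.

Added example for this discussion; not DefectDojo project code. The API paths,
field names and auth header below are assumptions about the v2 REST API.
Accounts are deactivated (is_active=false), never deleted, and the script
only reports what it would do unless --apply is passed.
"""
import argparse
import json
import urllib.request
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an ISO-8601 timestamp as returned by the API; None stays None."""
    if not value:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def select_stale_users(users, cutoff):
    """Return the users that should be deactivated.

    A user is stale when it is currently active, is not a superuser, and
    either last logged in before `cutoff` or has never logged in but was
    created before `cutoff`. The second clause keeps a freshly provisioned
    SSO account (last_login null, recent date_joined) out of the batch, and
    skipping superusers means the script cannot lock out the admins running it.
    """
    stale = []
    for user in users:
        if not user.get("is_active") or user.get("is_superuser"):
            continue
        last_seen = parse_ts(user.get("last_login")) or parse_ts(user.get("date_joined"))
        if last_seen is not None and last_seen < cutoff:
            stale.append(user)
    return stale


def api_request(base_url, token, path, method="GET", body=None):
    """Minimal JSON call against the API using token auth (assumed header format)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", f"Token {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def fetch_all_users(base_url, token, page_size=100):
    """Walk the paginated users listing until the "next" link is null."""
    users, path = [], f"/api/v2/users/?limit={page_size}&offset=0"
    while path:
        page = api_request(base_url, token, path)
        users.extend(page["results"])
        nxt = page.get("next")
        # "next" is an absolute URL; keep only the path and query part.
        path = nxt[nxt.index("/api/"):] if nxt else None
    return users


def deactivate(base_url, token, user):
    """Flip is_active to false; owned objects are left untouched."""
    api_request(base_url, token, f"/api/v2/users/{user['id']}/", "PATCH", {"is_active": False})


def main(argv=None):
    ap = argparse.ArgumentParser(description="Deactivate stale DefectDojo users (dry run by default).")
    ap.add_argument("--url", required=True, help="base URL, e.g. https://defectdojo.example.internal")
    ap.add_argument("--token", required=True, help="API v2 token of an administrator")
    ap.add_argument("--days", type=int, default=90, help="inactivity threshold in days")
    ap.add_argument("--apply", action="store_true", help="actually deactivate; otherwise only list")
    args = ap.parse_args(argv)

    cutoff = datetime.now(timezone.utc) - timedelta(days=args.days)
    stale = select_stale_users(fetch_all_users(args.url, args.token), cutoff)
    for user in stale:  # one line per account, suitable for an audit log
        print(f"{user['id']}\t{user['username']}\tlast_login={user.get('last_login')}")
    if not args.apply:
        print(f"dry run: {len(stale)} account(s) would be deactivated; re-run with --apply")
        return
    for user in stale:
        deactivate(args.url, args.token, user)
    print(f"deactivated {len(stale)} account(s)")


if __name__ == "__main__":
    main()
```

Run it first without `--apply` and review the printed list; the output doubles as the deactivation record for audit purposes.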
Hi valentijnscholten,
thanks a lot for the quick clarification!
Filtering on Last Login via the API sounds like a pragmatic first step, and bulk deactivation (rather than deletion) would already solve our day-to-day housekeeping pain without risking data loss. I’ll prototype a small script around the proposed filter once it lands.
Regarding the UI side: I’m happy to explore a community PR that adds
- a filter for Last Login / Is Active,
- multi-select checkboxes, and
- a single Deactivate selected action.
Quick disclaimer: I’m fairly new in my developer role, so I’ll need some ramp-up time to see whether I can put together something useful—but I’m keen to give it a try. If you have any style or architectural guidelines I should follow (e.g., preferred viewset or component to extend), please let me know and I’ll align with them before opening the PR.
Thanks again for the guidance – I’ll keep you posted on progress.
Best regards Hadumah
I misclicked and accidentally closed it as duplicate. Is it possible to undo that?