UAA: inactive user disable/lockout

Michal Tekel


We are looking into automatically disabling inactive users (in UAA user
properties, set active: false). This is because over time we accumulated a
lot of accounts in our platform. Many users use it for prototyping and
might not need access after they are done or moved to another project.
Their accounts in the platform remain unused and increase potential attack
surface. We intended to inactivate users after 60 days of no activity, but
found it a bit non-trivial to achieve.

We have created a feature request with UAA:

In the meantime, we wonder if anyone from the community did something
similar in their deployments. How do you deal with accounts that are not
used for a long time?

Thanks for any feedback,