Skip to main content

Cleaning up inactive user accounts

  • May 18, 2026
  • 0 replies
  • 3 views
josephinerohner
Community Manager

Here’s how to safely automate dormant-user clean-up with the Huwise Automation API.

💡 Strategic recommendations before you start

Before running any deletion script, we recommend setting clear rules to avoid revoking legitimate access:

  • Set a reasonable inactivity threshold: For a first clean-up, favor 12 to 24 months. A 90-day threshold can be too short for a data portal where some users only log in once or twice per year.
  • Segment your user populations: You can be stricter (e.g., 90 days) for invitations that were never activated, while staying more flexible with long-standing users.
  • Protect critical accounts: Always exclude from your filters administrators, editors (publishers), data managers (data stewards), and service/API accounts.
  • Notify your users: Send a reactivation email about 30 days before the deadline. This is a best practice and may also be required under GDPR.

🛠️ The automation workflow (best practices)

We recommend a 5-step approach to ensure data safety:

  1. Extract: Retrieve the full list of users via GET /users/.
  2. Filter locally: Identify dormant users using the last_login_at field (use joined_at if the user has never logged in).
  3. Validate (dry run): Export a CSV file for internal manual review before taking any action.
  4. Grace period: (Optional) Send the reactivation email.
  5. Execute: Revoke access via DELETE /users/{username}/.

📌 IMPORTANT

What “deletion” means: The API revokes access to your workspace and removes permissions/API keys, but it does not delete the user’s global Huwise account.

 

💻 Example script (Python)

To help you, here is the basic logic to implement for safe filtering:

# Excerpt of the recommended filtering logic
def is_protected(user):
    # Protection based on permissions and groups
    PROTECTED_PERMISSIONS = {"edit_domain", "manage_users", "manage_domain"}
    PROTECTED_GROUPS = {"admins", "publishers", "data-stewards"}

    perms = set(user.get("permissions", []))
    group_uids = {g.get("uid", "").lower() for g in user.get("groups", [])}

    if (perms & PROTECTED_PERMISSIONS) or (group_uids & PROTECTED_GROUPS):
        return True
    return False

(The full script generates a review CSV before switching the DRY_RUN variable to False.)

🔗 Useful resources

And you? What is your policy for cleaning up inactive accounts? Share your feedback in the comments!

Terms & ConditionsAccessibility statement
Huwise Terms & Conditions Cookie settings