Skip to main content

Cleaning up inactive user accounts

  • May 18, 2026
  • 1 reply
  • 13 views
josephinerohner
Community Manager
Forum|alt.badge.img+1

Here’s how to safely automate dormant-user clean-up with the Huwise Automation API.

💡 Strategic recommendations before you start

Before running any deletion script, we recommend setting clear rules to avoid revoking legitimate access:

  • Set a reasonable inactivity threshold: For a first clean-up, favor 12 to 24 months. A 90-day threshold can be too short for a data portal where some users only log in once or twice per year.
  • Segment your user populations: You can be stricter (e.g., 90 days) for invitations that were never activated, while staying more flexible with long-standing users.
  • Protect critical accounts: Always exclude from your filters administrators, editors (publishers), data managers (data stewards), and service/API accounts.
  • Notify your users: Send a reactivation email about 30 days before the deadline. This is a best practice and may also be required under GDPR.

🛠️ The automation workflow (best practices)

We recommend a 5-step approach to ensure data safety:

  1. Extract: Retrieve the full list of users via GET /users/.
  2. Filter locally: Identify dormant users using the last_login_at field (use joined_at if the user has never logged in).
  3. Validate (dry run): Export a CSV file for internal manual review before taking any action.
  4. Grace period: (Optional) Send the reactivation email.
  5. Execute: Revoke access via DELETE /users/{username}/.

📌 IMPORTANT

What “deletion” means: The API revokes access to your workspace and removes permissions/API keys, but it does not delete the user’s global Huwise account.

 

💻 Example script (Python)

To help you, here is the basic logic to implement for safe filtering:

# Excerpt of the recommended filtering logic
def is_protected(user):
    # Protection based on permissions and groups
    PROTECTED_PERMISSIONS = {"edit_domain", "manage_users", "manage_domain"}
    PROTECTED_GROUPS = {"admins", "publishers", "data-stewards"}

    perms = set(user.get("permissions", []))
    group_uids = {g.get("uid", "").lower() for g in user.get("groups", [])}

    if (perms & PROTECTED_PERMISSIONS) or (group_uids & PROTECTED_GROUPS):
        return True
    return False

(The full script generates a review CSV before switching the DRY_RUN variable to False.)

🔗 Useful resources

And you? What is your policy for cleaning up inactive accounts? Share your feedback in the comments!

1 reply

Guillaume Perrin-Fabre
Forum|alt.badge.img+2

On our end, we are reviewing twice a year our users. 

We wrote a google app script that fills a GSheet using the Automation API that extracts the list of users, then we

tick accounts without activity in the last 2 years and accounts not activated for the past year (cf. image)

and finally, we delete the selected accounts with the Automation API.

For the next review, we will also be looking at groups that have no users. 

    Terms & ConditionsAccessibility statement
    Huwise Terms & Conditions Cookie settings