Disable (and optionally delete) users after inactivity

[simonech]

Problem statement

When users leave an organisation (role change, contract end, termination, etc.), administrators are expected to disable or delete their accounts.

In practice, this step is sometimes forgotten. As a result:

• former users may still be able to log in
• dormant accounts remain a potential attack vector
• security risk increases over time without being visible

Proposed ideas

1. Disable users after inactivity

Introduce a configurable inactivity threshold:

• if a user has not logged in for X days, their account is automatically disabled
• administrators can re-enable the account if needed

2. Optional deletion after extended inactivity

Optionally, disabled users could be:

• automatically deleted after Y additional days of inactivity, or
• flagged for manual review before deletion

3. Smarter / adaptive inactivity detection (optional)

Beyond a fixed threshold, a more advanced approach could be considered:

• detect unusual inactivity patterns based on historical login behaviour
  (e.g. a user who logs in daily and suddenly stops for several weeks)

This could help identify accounts that are no longer actively used, while still allowing:

• temporary absences (holidays, sick leave)
• manual re-enablement when appropriate

4. Visibility in the UI

• Administrators should have clear visibility into:
  • why an account was disabled
  • when the last login occurred

Open discussion

This discussion can be used to:

• assess whether this belongs in core or as a package
• define reasonable defaults and safeguards
• discuss edge cases and UX implications

Note

This ticket was discussed within the Umbraco Security & Privacy Advisors group; I’m formalising it here to gather broader feedback.