Provide ability to remove synced accounts and groups from the Directory through the UI


      Current scenario

      In case you have an Atlassian Access subscription, you can create a SCIM integration to provision your users from your external Identity Provider. During the implementation phase, it's common to end up with duplicated accounts, as the mapping for SAML and SCIM can be different, and it's commonly needed to remove one account from the directory (on Atlassian side), to troubleshoot the duplication issue.

      Currently, the only way to perform this action is using the Deactivate a user REST API, which would delete the account from the directory, and deactivate it on Atlassian side. Then, Org admins are able to re-activate the account if needed. However, there isn't an easy way to perform this task on the UI, requiring admins to either rely on the API, or engage Atlassian Support to assist on the issue.

       

      Currently, if we want to Unlink Groups created in Atlassian via IDP (SCIM), we need to remove the SCIM/User Provisioning Configuration from the Organisation.

      The following API deletes the group from Atlassian instead of unlinking it:

      curl --request DELETE \
        --url 'https://api.atlassian.com/scim/directory/dir/Groups/gid' \
        --header 'Authorization: Bearer <access_token>'

      Proposed Solution

      Provide to Org admins the ability to remove accounts and groups (make mutable) from the directory on the Organisation UI, rather than requiring them to use the REST API or delete the SCIM configuration.
      – Provide the ability to remove a user from the SCIM directory without having to deactivate their account.
      – Provide the ability to unlink the site or organization group from the SCIM directory.
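
      An added example, not part of the original ticket or Atlassian's own code: a dry-run planner for the cleanup described above. It compares a SCIM ListResponse from the directory with an IdP export and lists which synced accounts would need the deactivate call, without sending anything. The sample data, `plan_removals`, and the `/Users/{id}` path (modeled on the Groups URL above) are assumptions.

```python
import json
from collections import defaultdict

BASE = "https://api.atlassian.com/scim/directory"  # prefix from the curl call on this page

# Constructed sample: a SCIM 2.0 ListResponse (RFC 7644) for the directory's users.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u-001", "userName": "ana@example.com", "externalId": "idp-17"},
        {"id": "u-002", "userName": "Ana@Example.com", "externalId": "idp-99"},
        {"id": "u-003", "userName": "bo@partner.example", "externalId": "idp-40"},
        {"id": "u-004", "userName": "cy@example.com", "externalId": "idp-22"},
    ],
})

# Constructed sample: externalId -> userName as exported from the identity provider.
IDP_USERS = {"idp-17": "ana@example.com", "idp-22": "cy@example.com"}


def plan_removals(list_response, idp_users, directory_id):
    """Return a dry-run plan of directory accounts to remove; sends no requests."""
    resources = json.loads(list_response)["Resources"]
    by_name = defaultdict(list)
    for user in resources:
        by_name[user["userName"].lower()].append(user)

    plan = []
    for user in resources:
        if user.get("externalId") in idp_users:
            continue  # still backed by an IdP identity: keep
        # A duplicate shares its userName (case-insensitively) with an IdP-backed record.
        twins = [u for u in by_name[user["userName"].lower()]
                 if u["id"] != user["id"] and u.get("externalId") in idp_users]
        plan.append({
            "id": user["id"],
            "userName": user["userName"],
            "reason": "duplicate" if twins else "not-in-idp",
            # Assumed path, mirroring the Groups URL shown on this page.
            "request": f"DELETE {BASE}/{directory_id}/Users/{user['id']}",
        })
    return plan


if __name__ == "__main__":
    for step in plan_removals(SAMPLE_LIST_RESPONSE, IDP_USERS, "DIRECTORY_ID"):
        print(step["reason"], step["userName"], step["request"], sep="\t")
```

      Reviewing the plan before issuing any call matters here because, as the ticket notes, the call deletes the account from the directory and deactivates it.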

            [ACCESS-1021] Provide ability to remove synced accounts and groups from the Directory through the UI

            Christopher Lawrence added a comment - Please prioritise this request as it seems rather rudimentary to add a UI delete button specified by user selection.  I'm a little fed up spending valuable time running API calls to delete vast amounts of out of sync or 3rd party users not contained within our Azure tenant.   

            Josephine Lange added a comment - This feature would be incredibly beneficial. Just last week, we faced the task of rectifying some faulty provisionings, and our reliance on an Atlassian Admin was indispensable. While we appreciate the current option to disconnect users from SCIM via API, this method isn't practical for all Org-Admins since not every Admin possesses coding expertise yet should still have the ability to manage user and SCIM access.

            Hanna added a comment -

            +1

            Our customer also would like to improve this specification.

            If the operation can execute via REST API, I think that it should also work in UI.

            Michael Scholz added a comment - + 101

            Tama De Micheli added a comment - +100 

            +1

            Jack Sinclair added a comment - +1

            ian.johnsen added a comment - +1

            konstantin.sigachev added a comment - Thank you, Patrick, It would be useful to have the ability to just unlink an existing group from IdP rather than remove it. Sometimes we want to keep the existing permissions that the group has in Confluence and Jira and just reassign it to a different IdP group.

            Ramon M added a comment -

            https://getsupport.atlassian.com/browse/PCS-105965

            • Provisioned on the wrong email address.

              Krishna Turlapati Venkata
              Vitor A (Inactive)
              Votes: 157
              Watchers: 119