Issue Summary
Missing log events:
- IDP synced user removed from the group at IDP deactivates the account. The user's group removal is logged in the audit log but the user's deactivation event is not logged.
- When a Managed account gets deactivated due to Atlassian's "Export Control - Compliance Policy", the user gets the following notification:
Dear Atlassian user, U.S. law prohibits Atlassian, an Australian corporation with offices in the United States, from providing you with access to our products and services. After analyzing the applicable lists of restricted parties maintained by the U.S. Government, we were unable to confirm that your name was not affiliated with a restricted party. If this is a case of misidentification, please reply with two different copies of official documentation to verify your identity. Official documentation includes, but is not limited to, a government-issued drivers license or identification card, passport, utility bill, mortgage or bank statement, etc. Please make sure your full name and address are clearly visible. We look forward to your reply. Sincerely, Atlassian
However, this data is not recorded in the Org Audit logs so it becomes difficult for the Org Admins to understand why the Account was disabled.
Steps to Reproduce
- Remove an IDP synced user from all IDP synced groups, this will deactivate the user
- deactivated account event is not logged in audit logs through the user's group membership removal is logged.
- is duplicated by
-
ACCESS-1195 Events not captured in Audit logs - user changes and IDP user removal
-
- Closed
-
-
ACCESS-863 Add details to audit log about changes of user's profile via Organisation UI
- Closed
-
- Closed
- is related to
-
- Closed
-
- Gathering Interest
- was cloned as
-
- Gathering Interest
[ACCESS-1129] Add audit log when IDP synced user is removed from group in idp
Hi everyone, as you are aware this ticket raises a request for two separate audit logs:
- When updates are made by an org admin to a managed user's account (e.g. name and email)
- IDP synced user removed from the group at IDP deactivates the account. The user's group removal is logged in the audit log but the user's deactivation event is not logged.
These areas are handled by two separate product teams internally so I have created a separate ticket here:
ID-8153 – Add org-level audit log when name or email change is made to a managed user
I am re-naming this ticket to reflect that it refers only to the IDP aspect of the original ticket.
Please let me know if you have any questions.
I've just ran into this at my company with one of our users. Stupidly frustrating as it triggered when we made changes to start using Atlassian Access. Thinking we had a problem with his account / the setup we wasted a lot of time debugging this.
Support came back with detail that they've been reached out to directly to provide personal documentation - which they in my opinion - correctly assumed was spam/phishing attempt. Ideally their account should "work" in a specific part of the product when deactivated, to remove email from their reactivation workflow.
There needs to be either an email fired to admins when a user is deactivated due to export control, as the quickest fix to at least let people know why, and as per this it needs to be flagged in the audit log. (e.g. user create failed - export control restriction see <link to documentation>), Better would be a banner at the top of the deactivated users account - stating it has been done by Atlassian, rather than the one currently which just states "Contact the user's organisation administrators to enable the account." - when we have no control to correct that.