
      At this moment, user provisioning syncs all the users and groups to all the sites below the hierarchy in the Atlassian organization where it is set up.

      This suggestion is to add flexibility and make it possible to configure which users and groups you want to be mapped to specific sites instead of having an all-to-all mapping.

      Example scenario:
      A company has an organization with multiple sites and wants each of them to have only a subset of the provisioned users and groups synced into it.

            [ACCESS-1164] Ability to sync users to sites based on the groups

            Nicolas Le Corno added a comment - Hello, Any news on this topic?

            Marty Toscano added a comment - We are a large organization with multiple affiliate companies. Because in our industry we have certain "business firewall" rules we must adhere to, this issue could prevent us from bringing those firewalled divisions on to Atlassian products and cause us to seek a solution with better control.

            Ben Middleton added a comment - We've just moved to an Access subscription and an identity provider SCIM sync, with 14 sites and thousands of centralised users. This new behaviour is quite an annoyance for the existing site admins who have small instances. Previously, their user admin UI would show just those users licensed for the site. It now shows them thousands of users from across the business, all being automatically granted site access (even though most of them will never be granted product access).

            Swetha Keshavula DISH added a comment - I'm strongly in favor of implementing the proposed capability to map users to specific sites. Enabling user access to be defined at the site level, rather than to all sites, allows admins to tightly align access to business needs. Users can be provisioned for only the specific resources required for their role. This will improve security and prevent over-provisioned access.

            Jason Hawks added a comment - Lacking this feature is a privacy issue. Consider a large publisher who has several different studios under their license. A site admin at Site A being able to see the email accounts for other Sites could break NDAs and cause a media leak. If someone discovers that Site B has a bunch of @epic.com email addresses with access to that site, then it's a pretty easy assumption that Site B is working on a game in the Unreal Engine. That is unacceptable to most Studios. Not to mention there's no data hygiene under this model. If a new Site misconfigures their AAD sync as part of the onboarding and syncs their entire Directory instead of the prefilled access groups, now each site could potentially have THOUSANDS of unnecessary records clogging up the system and causing UI overload for Site admins with no control over that addition.

            WPG added a comment -

            I would suggest under Site access or Product access at the site level you add a feature.

            Sync all users and groups from User provisioning Directory

            Sync existing Users in site with User provisioning Directory

            Rich Wolverton added a comment - For Jira Enterprise Plan and Atlassian Access customers that have multiple Jira Cloud sites there is a need to distribute the initial provisioning of a user at a customer organization level. Not all users need or should be given access to all sites. If users transition between the customer AD organization administration that should propagate to and sync with Atlassian Access.

              maho Matthew Ho (Inactive)
              6048cd401523 Felipe Oliveira
              Votes: 55
              Watchers: 47
