Atlassian Guard / ACCESS-1397

Sync group membership from local default group to synced group


      In a few scenarios, customers provide automated access to the user and the user gets added to the default product access group (e.g. confluence-users).

      The requirement here is to add those users to synced/provisioned groups as well. 

      As of now, the customer has to:

      1. Add the user manually to the AD group after the user is added to the default product access group.
      2. If it's Azure, they have to wait 40 minutes for the next provisioning cycle to run to sync this user.

      The suggestion here is to have some feature that removes this manual work. 

            Ivan Shtanichev added a comment - In our instance we have enabled Self-sign-up, which adds users to the default product system groups jira-users and confluence-users. This conveniently enables our users (on trusted domains) to quickly gain access to Jira and Confluence via Self-sign-up. The only downside is that the default/system product groups to which they are added cannot be synced with our IDP. Thus, to ensure these users are in sync with the IDP, we have to subsequently manually transfer them from the system groups to groups with equivalent access that are provisioned from the IDP and are in sync with the IDP, so that when those users leave and their accounts are disabled in the IDP, their Atlassian product access also gets removed automatically. The manual process of transferring users from system groups to provisioned groups is time-consuming: it involves firstly adding the user to the relevant IDP group, then waiting for the next incremental run of the provisioning service (which in the case of Azure AD is up to 40 minutes); only when the user shows as a member of the provisioned group can they be removed from the equivalent system group which enabled their access initially. Ideally this flow should be automated.

              Matthew Ho (Inactive)
              Jayant Suneja
              Votes: 15
              Watchers: 13