Suggestion
Resolution: Unresolved
19
In a few scenarios, customers provide automated access to the user and the user gets added to the default product access group (e.g. confluence-users).
The requirement here is to add those users to synced/provisioned groups as well.
As of now, the customer has to:
- Add the user manually to the AD group after the user is added to the default product access group.
- If it's Azure, they have to wait 40 minutes for the next provisioning cycle to run to sync this user.
The suggestion here is to have some feature that removes this manual work.
- duplicates: ACCESS-604 Grant users synced from identity providers via SCIM application access by default - Gathering Interest
In our instance we have enabled Self-sign-up, which adds users to the default product system groups jira-users and confluence-users. This conveniently enables our users (on trusted domains) to quickly gain access to Jira and Confluence via Self-sign-up; the only downside is that the default/system product groups to which they are added cannot be synced with our IDP. Thus, to ensure these users are in sync with the IDP, we have to subsequently manually transfer them from the system groups to groups with equivalent access that are provisioned from the IDP and are in sync with the IDP, so that when those users leave and their accounts are disabled in the IDP, their Atlassian product access also gets removed automatically. The manual process of transferring users from system groups to provisioned groups is time-consuming: it involves firstly adding the user to the relevant IDP group, waiting for the next incremental run of the provisioning service (which in the case of Azure AD is up to 40 minutes), then only when the user shows as a member of the provisioned group can they be removed from the equivalent system group which enabled their access initially. Ideally this flow should be automated.
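
The ordering described in the comment above (add to the IdP group, wait for the provisioning run, remove from the system group only once the synced membership shows) can be checked from membership exports. This is an added example, not part of the ticket or of any Atlassian tooling; the provisioned group names, the snapshot format and `plan_migration` are assumptions.

```python
from dataclasses import dataclass, field

# Assumed mapping from default (unsynced) product groups to equivalent
# IdP-provisioned groups. The provisioned group names are hypothetical.
GROUP_MAP = {
    "jira-users": "idp-jira-users",
    "confluence-users": "idp-confluence-users",
}

@dataclass
class Plan:
    add_to_idp_group: list = field(default_factory=list)    # still needs IdP group membership
    remove_from_system: list = field(default_factory=list)  # synced access confirmed, safe to drop
    not_in_idp: list = field(default_factory=list)          # no IdP account: sync can never revoke

def plan_migration(system_members, provisioned_members, idp_accounts):
    """Build the transfer plan from three membership snapshots.

    system_members / provisioned_members: {group name: set of emails}
    idp_accounts: set of emails that have an active IdP account
    """
    plan = Plan()
    for sys_group, prov_group in GROUP_MAP.items():
        synced = provisioned_members.get(prov_group, set())
        for user in sorted(system_members.get(sys_group, set())):
            if user not in idp_accounts:
                # Self-signed-up user the IdP does not know: disabling
                # accounts in the IdP will not remove this access.
                plan.not_in_idp.append((user, sys_group))
            elif user in synced:
                # The provisioning run has landed; the system group is redundant.
                plan.remove_from_system.append((user, sys_group))
            else:
                # Removing now would cut access; add to the IdP group first.
                plan.add_to_idp_group.append((user, prov_group))
    return plan

# Constructed sample snapshots (not real data).
SYSTEM = {
    "jira-users": {"ana@example.com", "bo@example.com"},
    "confluence-users": {"ana@example.com", "cy@example.com"},
}
PROVISIONED = {"idp-jira-users": {"ana@example.com"}, "idp-confluence-users": set()}
IDP = {"ana@example.com", "bo@example.com"}

if __name__ == "__main__":
    print(plan_migration(SYSTEM, PROVISIONED, IDP))
```

Re-running the plan after each provisioning cycle moves users from `add_to_idp_group` to `remove_from_system` as their synced membership appears; anything left in `not_in_idp` is access that IdP offboarding will not revoke.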