-
Bug
-
Resolution: Not a bug
-
High
-
3
-
Severity 3 - Minor
-
Issue Summary
Provisioning users with certain application access does not add them to the default access groups for that application
Steps to Reproduce
- Provision a user from an external IDP. The user is part of a provisioned group that grants access to a certain application
Expected Results
If the user is granted access to that application (via the group membership), then the user should also be added to the default application access group for that application (jira-users or confluence-users by default)
Actual Results
The user is only part of the provisioned group, hence having access to the application, but not to the bits that are protected by additional permissions granted to the default access groups
Workaround
Manually adding each user to the default application access group
- duplicates
-
ACCESS-604 Grant users synced from identity providers via SCIM application access by default
- Gathering Interest
- relates to
-
- Closed
- mentioned in
-
Page Loading...
-
-
-
-
-
-
-
-
-
-
-
[ACCESS-1767] Provisioning users with certain application access does not add them to the default access groups for that application
SCIM rep here
This is expected behavior in SCIM's perspective/scope since SCIM does not modify default access groups. There must be a different flow for this.
Scott Howard / Gavin Teichman - Unfortunately, there's still no solution within admin.atlassian.com. But there is an app being developed to solve this issue along with ACCESS-604. It'll be launched as a closed beta in mid December 2023, and publicly on the Atlassian Marketplace in January 2024. Check out smolsoftware.com if you're interested in the beta.
-Kieren
Co-Founder @ Smol Software | Ex-Atlassian
@scott Howard. if you are using scim. you just assign that scim group to the product in product access under the relevant site to get access automatically upon group assignment or user provisioning. the issue with this is if you were using the default access group on for permissions on anything in the apps themselves. we had to go into 2,000 projects and assign the new scim group permissions. i didnt have time to learn the rest api but it can do it too i believe.
if you are not using scim then assigning a user product access either directly or assigning a group they are a member of it should add them to that default access group.
rest api can do this as well
We recently migrated to Confluence Cloud and are having to manually add hundreds of users to Confluence. This is absurd that they are not automatically added to the default access group and automatically are able to consume a license without an admin having to do so.
any other work around other than changing perms? I'm always chasing users and adding the default groups to IDP users
It is definitely bug. We need this feature ASAP. Workaround is not suitable for us.
It's disappointing that this ticket has been closed. We've released an app to fix this issue, Admin Automation, and to solve other challenging and time consuming admin tasks. The app will sync users from any groups (e.g. a group from an IdP) into the default product access groups.
Hopefully it can help some of the people on this thread!
-Kieren
Co-Founder @ Smol Software | Ex-Atlassian