Suggestion
Resolution: Unresolved
16
Current behaviour
When a synced group is deleted or unassigned from the Atlassian Cloud app in the identity provider, SCIM provisioning will delete the group from the Atlassian organisation/site.
This can be problematic if a group was unintentionally removed or unassigned due to either user error or an issue in the identity provider, as there is no way to restore the deleted groups and any product roles or in-product permissions assigned to the group.
Proposed solution
Instead of deleting the group in Atlassian, it may be safer to unlink the groups from being synced with the identity provider when they are removed or unassigned. This would be similar to how we de-provision users - we deactivate their Atlassian account instead of deleting it.
Once unlinked, the groups are managed within the organisation and an admin can choose to delete them permanently as an additional step. Or they can reprovision the groups from the identity provider side.
It could either be made the standard behaviour or a provisioning configuration option.
My SCIM provisioner had a bug and removed all users from groups; this in turn caused Atlassian to delete all of my groups that I sync from AD. ALL of my access and automation is built on these groups. I had to manually re-update everything.
There should be an option to allow this behavior if you wish, or disable it.
However, in the past I believe this wasn't the case, as I used to have to delete groups manually on Atlassian when I wanted to no longer use them.