Suggestion
Resolution: Unresolved
7
User Problem
Making an Authentication Policy the 'Default Policy' automatically adds new users to its members but does not retroactively update the members of the policy to include Atlassian Accounts that were created before the policy was marked as default.
This then makes it challenging to identify which Atlassian Accounts should be members of which policy, especially for the Authentication Policy that is linked to the Identity Provider configuration.
For example:
- The organization has two Authentication Policies
  - Users in local directory
  - Users in <directory name>
- UserA was provisioned from IdP and an Atlassian Account was created for it
  - At the time the Atlassian Account was created none of the policies was the default for the IdP directory
  - Atlassian Account is a member of Users in local directory
- The administrators decide to link the Authentication Policy to their IdP configuration and also to make this the default policy to which new users are added by default
- UserB is provisioned after this
- Result:
  - UserA remains a member of the Users in local directory policy despite being synced from IdP and the policy being marked as default for synced accounts
  - UserB is automatically added to Users in <directory name>
Suggested Solutions
After the IdP-linked Authentication Policy is made default, provide an option under Authentication Policies / Edit / Members to "Fetch members of IdP directory" that can retrieve all synced Atlassian Accounts as members of the appropriate policy.
If multiple IdPs are present in the organization, the option should only apply to the Authentication Policy linked to the given IdP configuration.
Current Workarounds
Manually updating policy members
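To scope the manual workaround, the membership drift described above can be computed offline from an export of accounts. The following is an added example, not Atlassian code or an Atlassian API: the `Account` fields, the directory names `corp-idp` and `partner-idp`, and the sample records are all constructed assumptions standing in for `<directory name>` and real export data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    email: str
    synced_directory: Optional[str]  # IdP directory that provisioned it, or None
    policy: str                      # authentication policy it is currently in


# Constructed sample data mirroring the example in this issue.
# Policy name -> IdP directory the policy is linked to (None = not linked).
POLICY_LINKS = {
    "Users in local directory": None,
    "Users in corp-idp": "corp-idp",
    "Users in partner-idp": "partner-idp",
}
ACCOUNTS = [
    Account("usera@example.com", "corp-idp", "Users in local directory"),
    Account("userb@example.com", "corp-idp", "Users in corp-idp"),
    Account("userc@example.com", "partner-idp", "Users in corp-idp"),
    Account("local@example.com", None, "Users in local directory"),
]


def misplaced_members(accounts, policy_links):
    """Group synced accounts by the IdP-linked policy they should be in.

    Only accounts whose current policy differs from the policy linked to
    their own directory are reported; accounts with no synced directory, or
    from a directory with no linked policy, are left alone.
    """
    by_directory = {d: p for p, d in policy_links.items() if d is not None}
    moves = defaultdict(list)
    for acct in accounts:
        target = by_directory.get(acct.synced_directory)
        if target is not None and acct.policy != target:
            moves[target].append((acct.email, acct.policy))
    return {policy: sorted(members) for policy, members in moves.items()}


if __name__ == "__main__":
    for policy, members in misplaced_members(ACCOUNTS, POLICY_LINKS).items():
        print(f"{policy}:")
        for email, current in members:
            print(f"  move {email} (currently in {current!r})")
```

Each account is matched only against the policy linked to its own directory, which mirrors the multi-IdP condition in the suggested solution.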
- duplicates
  - ACCESS-1041 Automatic assignment of authentication policies (Under Consideration)
[ACCESS-1905] Provide the ability to retroactively add Managed accounts to Authentication Policy when marked as default
Support reference count | Original: 6 | New: 7 |
Support reference count | Original: 5 | New: 6 |
Support reference count | Original: 4 | New: 5 |
Link | New: This issue duplicates ACCESS-1041 [ ACCESS-1041 ] |
Labels | New: guard-s7 |
Support reference count | Original: 3 | New: 4 |
Support reference count | New: 3 |