Atlassian Guard / ACCESS-604

Grant users synced from identity providers via SCIM application access by default


      Problem Definition

      When User Provisioning is enabled in the identity provider, users created through group push from the IdP are only added to the synced group in the Cloud site and not to the default application access group(s).

      This creates a problem when the Cloud instance has a lot of existing projects/spaces with access already granted to default app groups.

      Workarounds

      There are currently a few possible workarounds for admins:

      1. The admin(s) would need to manually grant synced IdP groups access to existing Jira projects / Confluence spaces OR manually add the users to the default app group on the Atlassian side. This is a time-consuming process if there are a lot of projects/spaces in the instance.
      2. RECOMMENDED: The admin(s) would need to configure the synced group from the IdP to grant product licenses and permissions with the same configuration as the default group (can be time-consuming depending on how many places the default group has been given access to).
      3. The admin(s) can configure the Approved Domain settings (see the Approved Domain support doc) to allow users with their email domain to get access to the necessary products as needed. These users will be put into the default product access groups.
      4. The out of the box default groups (such as jira-software-users-sitename) can be taken over by the IdP.
        1. Create a new group, e.g. default-jira-software-users-sitename, and make it the default group for your product.
        2. For the standard default group (e.g. jira-software-users-sitename), remove it as the default group for your product.
        3. Create a group in your IdP with the standard default group name (e.g. jira-software-users-sitename) and sync your users who need product access into this group.
        4. The group will be 'taken over' by your IdP: the users will sync from your IdP, but the project/space settings will be kept as is.

       

      In case additional support is required, please raise a ticket with Atlassian Support.


              e902c0832f88 Sudesh Peram
              vvisanakarrala Veera (Inactive)
              Votes: 312
              Watchers: 297
