Atlassian Guard / ACCESS-604

Grant users synced from identity providers via SCIM application access by default


      Problem Definition

      When User Provisioning is enabled in the identity provider (IdP), users created through a group push from the IdP are added only to the synced group in the Cloud site, not to the default application access group(s).

      This creates a problem when the Cloud instance has a lot of existing projects/spaces with access already granted to default app groups.

      Workarounds

      There are currently a few possible workarounds for admins:

      1. The admin(s) would need to manually grant synced IdP groups access to existing Jira projects / Confluence spaces OR manually add the users to the default app group on the Atlassian side. This is a time-consuming process if there are a lot of projects/spaces in the instance.
      2. RECOMMENDED: The admin(s) would need to configure the synced group from the IdP to grant product licenses and permissions with the same configuration as the default group (can be time-consuming depending on how many places the default group has been given access to).
      3. The admin(s) can configure the Approved Domain settings (see the Approved Domain support doc) to allow users with their email domain to get access to the necessary products as needed. These users will be put into the default product access groups.
      4. The out of the box default groups (such as jira-software-users-sitename) can be taken over by the IdP.
        1. Create a new group, e.g. default-jira-software-users-sitename, and make it the default group for your product.
        2. For the standard default group (e.g. jira-software-users-sitename), remove it as the default group for your product.
        3. Create a group in your IdP with the standard default group name (e.g. jira-software-users-sitename) and sync your users who need product access into this group.
        4. The group will be 'taken over' by your IdP and the users will sync from your IdP, but the project/space settings will be kept as is.

       

      In case additional support is required, please raise a ticket with Atlassian Support.

              ayang@atlassian.com Aneita
              vvisanakarrala Veera (Inactive)
              Votes: 294
              Watchers: 285
