Atlassian Guard / ACCESS-604

Grant users synced from identity providers via SCIM application access by default


      Problem Definition

      When user provisioning is enabled in the identity provider, users created through a group pushed from the IdP are added only to the synced group on the Cloud site, not to the default application access group(s).

      This creates a problem when the Cloud instance has many existing projects/spaces whose access was granted to the default app groups.

      Workarounds

      There are currently a few possible workarounds for admins:

      1. The admin(s) manually grant the synced IdP groups access to the existing Jira projects / Confluence spaces, OR manually add the users to the default app group on the Atlassian side. This is a time-consuming process if there are a lot of projects/spaces in the instance.
      2. RECOMMENDED: The admin(s) configure the synced group from the IdP to grant product licenses and permissions with the same configuration as the default group (this can be time-consuming depending on how many places the default group has been given access to).
      3. The admin(s) configure the Approved Domain settings (see the Approved Domain support doc) to allow users with their email domain to get access to the necessary products as needed. These users are put into the default product access groups.
      4. The out-of-the-box default groups (such as jira-software-users-sitename) can be taken over by the IdP:
        1. Create a new group, e.g. default-jira-software-users-sitename, and make it the default group for your product.
        2. For the standard default group (e.g. jira-software-users-sitename), remove it as the default group for your product.
        3. Create a group in your IdP with the standard default group name (e.g. jira-software-users-sitename) and sync the users who need product access into this group.
        4. The group is 'taken over' by your IdP: its members sync from your IdP, but the project/space settings that reference it are kept as is. Once the group is synced, its membership can only be changed from the IdP side.


      In case additional support is required, please raise a ticket with Atlassian Support.
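The gap described above (users provisioned by the IdP but in none of the default product-access groups) can be audited from the SCIM directory itself. The script below is an added example, not Atlassian's code or part of this issue: it consumes SCIM 2.0 ListResponse documents of the shape returned by the Users and Groups resources of the Atlassian user provisioning API (the endpoint base https://api.atlassian.com/scim/directory/{directoryId} is an assumption, and the data is constructed inline so the script runs offline), lists active synced users who are in no default group, and builds the RFC 7644 PatchOp body that would add them to a group. The group names and user records are constructed; the PATCH only applies to a group the SCIM directory manages, i.e. the default group after workaround 4.

```python
"""Audit which SCIM-provisioned users have no default product access.

Added example, not Atlassian's code. Consumes SCIM 2.0 ListResponse documents
for Users and Groups (Atlassian endpoint base assumed to be
https://api.atlassian.com/scim/directory/{directoryId}; sample data below is
constructed) and reports active synced users who are members of none of the
site's default product-access groups.
"""
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data standing in for GET .../Users and GET .../Groups.
USERS_LISTRESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 5,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True},
        {"id": "u-2", "userName": "bob@example.com", "active": True},
        {"id": "u-3", "userName": "carol@example.com", "active": True},
        {"id": "u-4", "userName": "dave@example.com", "active": True},   # pushed with no group
        {"id": "u-5", "userName": "erin@example.com", "active": False},  # deprovisioned
    ],
})
GROUPS_LISTRESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 3,
    "Resources": [
        {"id": "g-1", "displayName": "idp-engineering",
         "members": [{"value": "u-1"}, {"value": "u-2"}]},
        {"id": "g-2", "displayName": "idp-finance",
         "members": [{"value": "u-3"}]},
        # The site's default group after it has been taken over by the IdP.
        {"id": "g-3", "displayName": "jira-software-users-sitename",
         "members": [{"value": "u-1"}]},
    ],
})

# Default product-access group names on the Atlassian side (assumed).
DEFAULT_ACCESS_GROUPS = {"jira-software-users-sitename"}


def _resources(doc: str) -> list:
    """Validate the ListResponse envelope and return its Resources array."""
    data = json.loads(doc)
    if LIST_RESPONSE not in data.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return data.get("Resources", [])


def parse_users(doc: str) -> dict:
    """Map user id -> userName for active users; inactive ones are skipped."""
    return {u["id"]: u["userName"] for u in _resources(doc) if u.get("active", True)}


def parse_groups(doc: str) -> dict:
    """Map group displayName -> set of member user ids."""
    return {g["displayName"]: {m["value"] for m in g.get("members", [])}
            for g in _resources(doc)}


def users_without_default_access(users, groups, default_groups):
    """Active synced users who are in none of the default access groups.

    Every user in the SCIM directory was provisioned by the IdP, so the
    baseline is all active users rather than members of some group: a user
    pushed with no group memberships at all (u-4 above) must be caught too.
    """
    covered = set()
    for name in default_groups:
        covered |= groups.get(name, set())
    return sorted(uid for uid in users if uid not in covered)


def build_add_members_patch(user_ids):
    """RFC 7644 section 3.5.2 PatchOp that adds members to a Group.

    Sent as PATCH .../Groups/{groupId}; valid only for a group the directory
    manages, e.g. the default group after it has been taken over by the IdP.
    """
    return {
        "schemas": [PATCH_OP],
        "Operations": [{"op": "add", "path": "members",
                        "value": [{"value": uid} for uid in user_ids]}],
    }


def audit(users_doc=USERS_LISTRESPONSE, groups_doc=GROUPS_LISTRESPONSE,
          default_groups=DEFAULT_ACCESS_GROUPS):
    """Return the users lacking default access and the patch that would fix it."""
    users = parse_users(users_doc)
    groups = parse_groups(groups_doc)
    missing = users_without_default_access(users, groups, default_groups)
    return {"missing": [(uid, users[uid]) for uid in missing],
            "patch": build_add_members_patch(missing)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

Against the constructed data the audit flags bob and carol (in IdP groups only) and dave (pushed with no group), and ignores the deprovisioned erin. Run against a real directory, the baseline of "all active users" is what distinguishes this from simply diffing two groups: it catches accounts that self-onboarded or were pushed without any group, which is the case the comments below describe.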


            sean.stephenson@tundraoilandgas.com added a comment -

            vv this is the exact same problem we're having. +1!

            Jessica Hart added a comment -

            +1 on this feature or grant the ability to have nested groups. Our synced groups could be children of the default built-in groups.

            The current behavior is problematic because folks can 'onboard' themselves without being provisioned into the proper groups. Our permission schemes are linked to the groups that sync. So, when a user joins a product without being added to the correct company groups, their account sits in Atlassian default groups with no permission and we have to manually re-arrange group members. THANKS!

            Sami Shaik added a comment -

            As usual another long awaited "Gather Interest" ticket.

            Isai Navarro added a comment - https://getsupport.atlassian.com/browse/CES-62798

            Kieren _SmolSoftware_ added a comment - edited

            We've released an app to fix this issue, Admin Automation, and to solve other challenging and time consuming admin tasks. The app will sync users from any groups (e.g. a group from an IdP) into the default product access groups.

            Hopefully it can help some of the people on this thread!

            -Kieren
            Co-Founder @ Smol Software | Ex-Atlassian

            Brandon Viertel added a comment -

            #3 (Adding to Approved Domains) will NOT work unless the user logs into the portal.

            We really need to have default Customer access for all synced accounts and shouldn't rely solely on a synced group to provide access. We manage over 250,000 accounts and are highly limited by the group and user limits in Access. Our Atlassian support person has been awesome working with us so far on this, but we really need default access for all users synced from a directory.

            Greyson Mitchem added a comment -

            I'm working with support on this issue right now. Workaround #3 listed above does NOT work (it actually broke BEFORE I implemented SCIM)... users in approved domains are NOT being added to the default groups, nor are they granted access to the products.

            Dan Goren added a comment -

            Can we get an ETA on this "feature"?

            Calvin Lee added a comment -

            +1 this needs to be a feature. I don't understand why we can't sync push groups to the built-in / existing groups to begin with. We are currently implementing Atlassian Access and because we had to create a new SCIM group for Confluence, we now have to figure out how we're going to add this new group to all our existing Spaces...

            Ahmed Karam added a comment -

            I'm trying to implement SCIM and want to make sure I'm understanding this point support told me. So I want to have IdP groups that I drop people in that would give access to each product separately, as some users don't need access to Jira or Confluence.

            So if I'm understanding correctly, I could create a new default group for each and leave them empty, and have the same name on the IdP side as Atlassian for the actual group I want them added to, even if it's not the default on the Atlassian side anymore.

            Would that work correctly? Users that have the Jira group would get Jira access and the Confluence group would have access to Confluence, just automating the access to remove human tasks a bit more.

              Sudesh Peram
              Veera (Inactive)
              Votes: 312
              Watchers: 297