Atlassian Guard / ACCESS-654

Add support for nested group handling in User Provisioning


    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Progress Update - Done!

      Hi Atlassian Community!

      I’m Matthew Ho, a Product Manager on the Enterprise Trust team. I’m excited to announce the general availability of Microsoft Azure Active Directory (AD) for nested groups. This custom integration supports flattening nested groups between Azure AD and Atlassian Cloud.

      Over the past few years, we’ve received requests to add support for nested groups in Atlassian Cloud. Even though we don't support nested groups, we do keep your group memberships when you sync nested groups. This helps you manage permissions and mirror your internal organizational structure. We recognize that some of our customers have faced challenges in moving from Server to Atlassian Cloud because of nested groups requirements. We created this integration to support our customers on their cloud migration journey. We recently completed our feature early access program (EAP) and now have many customers that are already using Azure AD for nested groups.

      Using this new integration, you can now retain your nested structure in your Azure AD directory and use a flattened structure in Atlassian Cloud!

      Looking to learn more about nested groups? We’ve published an article explaining nested groups. To learn more about Azure AD for nested groups, please read our documentation and how to set it up. If you already provision users from Azure AD using SCIM, and would like to switch to using Azure AD for nested groups, read the instructions here.

      Problem Definition

      Atlassian Access currently does not support nested groups, but there are identity service providers that support them and can provision them through user provisioning. It would be good to handle user-provisioned nested groups by flattening them.

      If Nested Groups are being pushed in, the following message will be seen in the User Provisioning Troubleshooting Logs:

      Resource [GROUP] <Child Group ID> groupId cannot be added under other groupId <Parent Group ID>

      Example of a Nested Group in Azure AD:

      ref. Add or remove a group from another group - Azure Active Directory - Microsoft Docs

      Suggested Solution / Workaround

      At the moment, when a nested group is provisioned, the child groups and members of the nested groups are not provisioned on the Atlassian side. Flattening needs to be done within the identity provider:

      Identity provider | How it works | Details and related links
      Okta
      • These identity providers flatten nested groups when you import them from your user directory
      • You then connect any of them to Atlassian Cloud over SCIM and sync the flat structure
       
      PingFederate
      • These identity providers flatten nested groups when you import them from your user directory
      • You then connect any of them to Atlassian Cloud over SCIM and sync the flat structure
       
      OneLogin
      • These identity providers flatten nested groups when you import them from your user directory
      • You then connect any of them to Atlassian Cloud over SCIM and sync the flat structure
       
      Microsoft Azure Active Directory (Azure AD)
      • Atlassian created a custom integration for syncing users from Azure AD to Atlassian Cloud
      • The nested structure is flattened while syncing
      • You can’t flatten nested groups when connecting to Azure AD over SCIM
      Details: Available as Early Access Program (EAP)
      G Suite
      • G Suite supports nested groups
      • When syncing to Atlassian Cloud, you must select every group (parent and nested) separately in the sync settings. These groups will be synced as a flat structure.
      • Any group that isn’t selected won’t be synced and users will lose memberships in it.
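
What flattening means for effective membership, as an added example that is not Atlassian's or any identity provider's code: it resolves nested groups into flat user lists, tolerates a membership cycle, and reports which users reach a group only through nesting, which is the list to review before syncing a privileged group. The directory layout, the `group:` prefix and every group and user name are constructed for illustration.

```python
# Added example: generic nested-group flattening over constructed data.
# The "group:" prefix and all names below are assumptions, not a real IdP schema.
PREFIX = "group:"

# Constructed sample directory: group name -> direct members.
DIRECTORY = {
    "jira-admins": ["alice", "group:platform-team"],
    "platform-team": ["bob", "group:sre"],
    "sre": ["carol", "group:platform-team"],  # cycle back to its parent
    "contractors": ["dave"],
}


def flatten_members(directory, group):
    """Return every user reachable from `group` through any depth of nesting."""
    users, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded: breaks membership cycles
            continue
        seen.add(current)
        for member in directory.get(current, []):
            if member.startswith(PREFIX):
                stack.append(member[len(PREFIX):])
            else:
                users.add(member)
    return users


def flatten_directory(directory):
    """Build the flat view: users per group, plus those gained only via nesting."""
    report = {}
    for group, members in directory.items():
        direct = {m for m in members if not m.startswith(PREFIX)}
        flat = flatten_members(directory, group)
        report[group] = {
            "members": sorted(flat),
            "inherited": sorted(flat - direct),  # review these for privileged groups
        }
    return report


if __name__ == "__main__":
    for name, entry in flatten_directory(DIRECTORY).items():
        print(name, entry)
```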
       

            maho Matthew Ho (Inactive)
            rmacalinao Ramon M
            Votes: 251
            Watchers: 209
