Atlassian Guard / ACCESS-829

Display list of users managed externally via Atlassian Access


      There is no ability to display a list of users managed externally via Atlassian Access against those managed otherwise (i.e. SCIM-managed vs Managed Accounts vs non-managed).

      Workaround
      'Export accounts' at org level to first get the list of all managed accounts, then navigate to the site level and select 'Export Users' > 'Users from selected groups only:' > Select group 'All members of directory - ...' > Download file. Then reconcile these 2 tables against each other, matching on Atlassian account ID - any users in the 'Managed accounts export' but not in 'All members of directory - ...' group are those which are not provisioned from IDP.

      Suggestion
      Please provide an option to display differently managed users, such as a filter in the directory.


            Aneita added a comment -

            Hi everyone,

            Thanks for taking the time to raise this suggestion and share your use cases. 

            This request is currently being tracked on ACCESS-953. Please watch / vote for that ticket if it's something that you're interested in.

            Thanks,

            Aneita


            Ivan Shtanichev added a comment -

            Thank you kanguyen.

            Kat N added a comment -

            Hi 14a97a75c29d, appreciate your detailed response and agree that the description was confusing and a bit conflicting (a product of merging this issue with ACCESS-1026) - I've updated the description on the ticket with your (much clearer) workaround steps and suggested change - thanks for the help! 


            Ivan Shtanichev added a comment -

            Hi kanguyen, your recent revision to description of this suggestion seems to be inaccurate, as a workaround you refer to "check email addresses for accounts that are not from verified domains" but you are doing this check on an export of managed accounts which will only ever contain verified domains. The workaround I have been using is to 'Export accounts' at org level to first get the list of all managed accounts, then navigate to the site level and select 'Export Users' > 'Users from selected groups only:' > Select group 'All members of directory - ...' > Download file. Then reconcile these 2 tables against each other, matching on Atlassian Account Id, any users which are in the 'Managed accounts export' and are not in 'All members of directory - ...' group are those which are not provisioned from IDP. There is also another option of getting list of all provisioned users from SCIM API, but that is more complex I find (dealing with pagination etc), rather than just comparing 2 exports.

            Also your other revision to description where you have added "it could be a menu on the Org for Unmanaged accounts" is also inaccurate in my view, these accounts and the page which shows them, shows only managed accounts, none of them are unmanaged, more appropriate filter label for these accounts would be Un-provisioned accounts - which are org managed accounts that are not provisioned/in sync with the IDP.

            Hope this helps, let me know if you have any questions.
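The two-export reconciliation from the ticket's workaround and the comment above, as an added example (not Atlassian's code and not part of the original ticket). The column names `account_id`, `account_status` and `User id` and the sample rows are assumptions constructed for illustration; pass the headers your own exports actually use.

```python
import csv
import io

def load_by_id(csv_file, id_column):
    """Index one export by account ID; fail loudly if the ID column is absent."""
    reader = csv.DictReader(csv_file)
    if id_column not in (reader.fieldnames or []):
        raise ValueError(f"column {id_column!r} not in export header {reader.fieldnames}")
    rows = {}
    for row in reader:
        account_id = (row[id_column] or "").strip()
        if account_id:
            rows.setdefault(account_id, row)  # keep the first row if an ID repeats
    return rows

def find_unprovisioned(managed_csv, directory_csv, managed_id_col, directory_id_col,
                       status_col=None, active_value="active"):
    """Managed accounts that are absent from the IdP-synced directory group."""
    managed = load_by_id(managed_csv, managed_id_col)
    provisioned = load_by_id(directory_csv, directory_id_col)
    missing = [row for aid, row in managed.items() if aid not in provisioned]
    if status_col is not None:  # optionally keep only accounts that are still active
        missing = [r for r in missing
                   if (r.get(status_col) or "").strip().lower() == active_value]
    return missing

# Constructed sample data; the column names are assumptions, not Atlassian's headers.
MANAGED_EXPORT = """account_id,email,account_status
aaa111,alice@example.com,active
bbb222,bob@example.com,active
ccc333,carol@example.com,inactive
ddd444,dan@example.com,active
"""
DIRECTORY_GROUP_EXPORT = """User id,email
aaa111,alice@example.com
 ddd444 ,dan@example.com
"""

def demo(status_col="account_status"):
    rows = find_unprovisioned(io.StringIO(MANAGED_EXPORT),
                              io.StringIO(DIRECTORY_GROUP_EXPORT),
                              "account_id", "User id", status_col=status_col)
    return [r["email"] for r in rows]

if __name__ == "__main__":
    print("active, not provisioned from IdP:", demo())
    print("all not provisioned from IdP:   ", demo(status_col=None))
```

When reading real export files, open them with `encoding="utf-8-sig"` and `newline=""` so a leading byte-order mark does not corrupt the first header name and trip the column check.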

            Ivan Shtanichev added a comment -

            I too would like the user management UI to offer the ability to identify active users who are NOT SCIM provisioned from the IDP, so that we can take appropriate actions for those accounts like deactivate or add to provisioning group, to ensure that all our users are linked with IDP and most importantly deactivated when they leave organization and their IDP account is deactivated. I'd like to see this achieved through addition of ‘Unprovisioned accounts’ filter option on Managed accounts page. To allow admins to quickly identify active and unprovisioned users that may require further action (provisioning or deactivation). This filter may also need to be used in conjunction with other Domain and Product Access filters for further refinement.

            Alicia Horner added a comment -

            I don't think the export even shows this level of detail if it's SCIM-managed or not, which makes it difficult to identify which accounts you could deactivate if you've got 1000s.

              Unassigned
              kpillai KP
              Votes: 18
              Watchers: 25