Details
-
Suggestion
-
Resolution: Timed out
-
None
Description
Problem Definition
- When user provisioning(SCIM) is configured, users who are part of the sync group(s) will have Atlassian accounts automatically provisioned
- It is possible to allow users on approved domains to create their own Cloud accounts Specify how users get site access
- In this scenario, admins provision users via their identity provider and end-users are able to create their own site and Atlassian accounts
- This can create confusion for both the user and the admin
- The admin will see users created who are not part of any sync groups and are not managed by the provisioning sync, e.g. if the user's account is deactivated on identity provider side, the Cloud site and Atlassian account are not deactivated
- For existing users, and when SCIM is configured, users should not be able to request access to additional products as some customers have the expectation that only the identity provider admin should control product access via SCIM
- End-users who invite themselves to the site are not managed by the identity provider and may increase the license count for a Cloud site
- If SAML is configured, end-users may sign up for site access, but then are unable to log in due to their identity provider account having the correct level of permissions to log in via SAML
Suggested Solution
- Warn admins that site access/approved domain settings are enabled and/or deactivate any site or domain access settings when SCIM/provisioning is enabled
- Additionally - as part of the solution, there should be a way to block/deactivate the feature which allows existing users to request access to products they do not have access to - CLOUD-11002
Why this is important
- Having both provisioning and site access settings enabled causes confusion for both end-users and admins
Workaround
- Manually remove any domains from the "Approved domains" section of the site access settings