
When SCIM/provisioning is configured, deactivate the Site access settings for approved domains which match the user provisioned domains


      Problem Definition

      • When user provisioning (SCIM) is configured, users who are part of the sync group(s) will have Atlassian accounts automatically provisioned
      • It is possible to allow users on approved domains to create their own Cloud accounts (see "Specify how users get site access")
      • In this scenario, admins provision users via their identity provider and end-users are able to create their own site and Atlassian accounts
      • This can create confusion for both the user and the admin
      • The admin will see users created who are not part of any sync groups and are not managed by the provisioning sync, e.g. if the user's account is deactivated on the identity provider side, the Cloud site and Atlassian account are not deactivated
      • For existing users, and when SCIM is configured, users should not be able to request access to additional products as some customers have the expectation that only the identity provider admin should control product access via SCIM
      • End-users who invite themselves to the site are not managed by the identity provider and may increase the license count for a Cloud site
      • If SAML is configured, end-users may sign up for site access, but then are unable to log in due to their identity provider account having the correct level of permissions to log in via SAML

      Suggested Solution

      • Warn admins that site access/approved domain settings are enabled and/or deactivate any site or domain access settings when SCIM/provisioning is enabled
      • Additionally - as part of the solution, there should be a way to block/deactivate the feature which allows existing users to request access to products they do not have access to - CLOUD-11002

      Why this is important

      • Having both provisioning and site access settings enabled causes confusion for both end-users and admins

      Workaround

      • Manually remove any domains from the "Approved domains" section of the site access settings
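
An audit for the overlap this ticket describes, as an added example that is not part of the original issue or any Atlassian code. The user export, its column names and the approved-domains list are constructed assumptions; the script reports approved domains that also carry SCIM-managed accounts, and the active accounts on them that the provisioning sync does not manage.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not an Atlassian format.
SITE_USERS_CSV = """email,status,scim_managed
alice@example.com,active,true
Bob@Example.COM,active,false
carol@example.com,deactivated,false
dave@partner.example,active,false
erin@example.com,active,true
"""
# Constructed copy of the "Approved domains" list from the site access settings.
APPROVED_DOMAINS = {"example.com", "partner.example"}


def load_users(text):
    """Parse the export into dicts with a normalised domain and boolean flags."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        email = row["email"].strip()
        users.append({
            "email": email,
            "domain": email.rpartition("@")[2].lower(),
            "active": row["status"].strip().lower() == "active",
            "scim_managed": row["scim_managed"].strip().lower() == "true",
        })
    return users


def overlapping_domains(users, approved):
    """Approved domains that also carry SCIM-managed accounts."""
    provisioned = {u["domain"] for u in users if u["scim_managed"]}
    return {d.lower() for d in approved} & provisioned


def unmanaged_accounts(users, domains):
    """Active accounts on those domains that the provisioning sync does not manage."""
    return sorted(u["email"] for u in users
                  if u["active"] and not u["scim_managed"] and u["domain"] in domains)


if __name__ == "__main__":
    users = load_users(SITE_USERS_CSV)
    overlap = overlapping_domains(users, APPROVED_DOMAINS)
    print("approved domains to remove:", sorted(overlap))
    print("accounts outside the sync:", unmanaged_accounts(users, overlap))
```

The domains it reports are the ones the workaround removes by hand; the accounts it reports will not be deactivated when the identity provider account is.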


            Kat N made changes -
            Resolution New: Timed out [ 10 ]
            Status Original: Gathering Interest [ 11772 ] New: Closed [ 6 ]

            Kat N added a comment -
            Atlassian Update – 31 Jan 2022

            Hi everyone,

            Thank you for raising and following this suggestion. Because there has been no user engagement (votes, watches, comments) over the last year, we have no plans to implement this in the foreseeable future. In order to set expectations, we're closing this request to focus on our upcoming roadmap. 

            If you still feel that this feature significantly impacts your team, please let us know on the ticket. Thanks again for continuing to provide valuable feedback to our team. 

            Regards,
            The Atlassian Access PM team

            Paul Benario added a comment - This seems like such a no brainer, but should definitely be added!
            Narmada Jayasankar made changes -
            Assignee Original: Gautam Venkatesh [ gvenkatesh@atlassian.com ] New: Narmada Jayasankar [ njayasankar@atlassian.com ]
            Derrick Nguyen made changes -
            Link New: This issue is related to ID-6682 [ ID-6682 ]
            Derrick Nguyen made changes -
            Link New: This issue is related to CLOUD-11002 [ CLOUD-11002 ]
            Derrick Nguyen created issue -

              njayasankar@atlassian.com Narmada Jayasankar
              dnguyen4 Derrick Nguyen
              Votes: 3
              Watchers: 8