  1. Atlassian Guard
  2. ACCESS-915

When SCIM/provisioning is configured, deactivate the Site access settings for approved domains which match the user provisioned domains



      Problem Definition

      • When user provisioning (SCIM) is configured, users who are part of the sync group(s) will have Atlassian accounts automatically provisioned
      • It is possible to allow users on approved domains to create their own Cloud accounts (see "Specify how users get site access")
      • In this scenario, admins provision users via their identity provider and end-users are able to create their own site and Atlassian accounts
      • This can create confusion for both the user and the admin
      • The admin will see users created who are not part of any sync groups and are not managed by the provisioning sync, e.g. if the user's account is deactivated on the identity provider side, the Cloud site and Atlassian account are not deactivated
      • For existing users, and when SCIM is configured, users should not be able to request access to additional products, as some customers have the expectation that only the identity provider admin should control product access via SCIM
      • End-users who invite themselves to the site are not managed by the identity provider and may increase the license count for a Cloud site
      • If SAML is configured, end-users may sign up for site access, but then are unable to log in due to their identity provider account not having the correct level of permissions to log in via SAML

      Suggested Solution

      • Warn admins that site access/approved domain settings are enabled and/or deactivate any site or domain access settings when SCIM/provisioning is enabled
      • Additionally, as part of the solution, there should be a way to block/deactivate the feature which allows existing users to request access to products they do not have access to (CLOUD-11002)

      Why this is important

      • Having both provisioning and site access settings enabled causes confusion for both end-users and admins

      Workaround

      • Manually remove any domains from the "Approved domains" section of the site access settings
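
An audit to run before applying the workaround, as an added example (not Atlassian code and not part of the original issue): it finds approved domains that match SCIM-provisioned domains and lists the active accounts on those domains that the sync does not manage. The input layout, the field names `email` and `active`, and all sample data are constructed assumptions; the inputs would come from whatever user export the admin has available.

```python
from collections import defaultdict

def domain_of(email):
    """Return the lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[-1].strip().lower()

def audit(approved_domains, scim_emails, site_users):
    """Report approved domains that overlap with SCIM-provisioned domains,
    and active site accounts on those domains that the sync does not manage.

    approved_domains: domains listed under "Approved domains" (self-signup)
    scim_emails:      e-mail addresses provisioned through the SCIM sync
    site_users:       dicts with hypothetical keys "email" and "active"
    """
    approved = {d.strip().lower() for d in approved_domains}
    managed = {e.strip().lower() for e in scim_emails}
    provisioned_domains = {domain_of(e) for e in managed}
    # Only domains that are both approved and provisioned are in scope.
    overlap = approved & provisioned_domains

    unmanaged = defaultdict(list)
    for user in site_users:
        email = user["email"].strip().lower()
        if not user.get("active", True):
            continue  # skip accounts that are already deactivated
        if email not in managed and domain_of(email) in overlap:
            unmanaged[domain_of(email)].append(email)
    return {
        "domains_to_remove": sorted(overlap),
        "unmanaged_accounts": {d: sorted(v) for d, v in sorted(unmanaged.items())},
    }

# Constructed sample data (not from a real site).
APPROVED = ["example.com", "Contractor.example"]
SCIM = ["alice@example.com", "bob@example.com"]
SITE_USERS = [
    {"email": "alice@example.com", "active": True},        # managed by SCIM
    {"email": "Carol@Example.com", "active": True},        # self-signup, unmanaged
    {"email": "dave@example.com", "active": False},        # already deactivated
    {"email": "erin@contractor.example", "active": True},  # domain not provisioned
]

if __name__ == "__main__":
    print(audit(APPROVED, SCIM, SITE_USERS))
```

Accounts listed under `unmanaged_accounts` will not be deactivated when the identity provider account is, so they need to be reviewed by hand.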

              njayasankar@atlassian.com Narmada Jayasankar
              dnguyen4 Derrick Nguyen