
Issues With License Provisioning through approved domains

    • Minor

      Automatic License Provisioning through Approved domains (configured in User Access Settings) does not work for Jira Products (Jira, Jira Work Management, Jira Service Management, or Jira Product Discovery) when the customer already has access to one of these products.

      Steps to Recreate Issue:

      Scenario 1:

      Configure an approved domain in "User Access Settings" with access to products, say Jira and JSM.

      1. With a user account that belongs to the approved domain, log in to a site and access a Jira feature (Board/Sprints). The user automatically gets access to all products configured for license through Approved Domains (in this case both JSM and Jira) and is able to successfully access the Jira product.
      2. Now, remove this user from the Jira default access group/role manually from the admin console. The user now does not have a Jira license. He/She only has a JSM license in place.
      3. Now, when trying to access Jira boards, the user is blocked and gets "Sorry, you can't view this page".

      Scenario 2:

      Existing user in directory with email id xxx.domain.com and JSM license in place.

      1. Now, configure domain.com as an approved domain with Jira and JSM license auto provisioning.
      2. User xxx tries to access Jira feature, but gets "Sorry, you can't view this page". Automatic License provisioning does not kick in.

      Scenario 3:

      Existing user in directory with email id xxx.domain.com and Jira Product Discovery license in place.

      1. Now, configure domain.com as an approved domain to grant Jira licenses automatically when accessing the product. 
      2. User xxx tries to access Jira feature, but gets "Sorry, you can't view this page". Automatic License provisioning does not kick in.

      Please Note: The above situation arises only when the user has a JSM license with the role User (Agent). If the JSM user role is "Customer", the approved domain configuration gets appropriately assigned!

      Expectation here is that with Approved Domains configured, user should automatically be granted Jira License when attempting to access Jira Issues/boards.
       
      Additional Note: This issue is not specific to Jira / JSM, but with any Jira product. As long as user already has access to one of the Jira products, automatic license provisioning through approved domains does not work for other configured Jira products.
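
      An audit sketch for the condition described above, added here as an example and not part of the original report or of any Atlassian tooling: it flags users in an approved domain who already hold one Jira-family license and therefore would not be auto-provisioned for the other configured products. The product keys, role names, function names and sample records are all constructed assumptions; no Atlassian API is called.

```python
# Added example: flags directory users who would hit the gap described in AX-1097.
# Product keys, role names and sample records are constructed for illustration.
JIRA_FAMILY = {"jira", "jira-work-management",
               "jira-service-management", "jira-product-discovery"}

def held_licenses(user):
    """Jira-family products the user holds a license for.

    A JSM "customer" role is not counted: the report notes that those
    users are provisioned correctly.
    """
    return {p for p, role in user["products"].items()
            if p in JIRA_FAMILY and role != "customer"}

def affected_users(users, approved_domains):
    """Return {email: [missing products]} for users matching the report.

    approved_domains maps a domain to the products auto-provisioned for it.
    """
    findings = {}
    for user in users:
        domain = user["email"].rsplit("@", 1)[-1].lower()
        configured = approved_domains.get(domain, set()) & JIRA_FAMILY
        held = held_licenses(user)
        missing = configured - held
        # Trigger condition from the report: the user already holds one Jira
        # product and still lacks another one configured for the domain.
        if held and missing:
            findings[user["email"]] = sorted(missing)
    return findings

# Constructed sample data mirroring the scenarios, plus three unaffected users.
APPROVED = {"domain.com": {"jira", "jira-service-management"}}
USERS = [
    {"email": "agent@domain.com", "products": {"jira-service-management": "agent"}},
    {"email": "jpd@domain.com", "products": {"jira-product-discovery": "user"}},
    {"email": "portal@domain.com", "products": {"jira-service-management": "customer"}},
    {"email": "new@domain.com", "products": {}},
    {"email": "supplier@other.example", "products": {"jira-service-management": "agent"}},
]

if __name__ == "__main__":
    for email, missing in affected_users(USERS, APPROVED).items():
        print(f"{email}: will not be auto-provisioned for {', '.join(missing)}")
```

      Users with no Jira-family license at all are left out because the report describes first-time provisioning as working in Scenario 1.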

            [AX-1097] Issues With License Provisioning through approved domains

            Bruno Abele added a comment (edited)

            I got answers from you some time ago:

            • We remove users from license groups as a) we have to pay for users who hold a license but they did not work with the product for a longer time and b) we have/had more users that potentially would use the product than the max license size Atlassian can provide (changed now). So we decided to NOT give all users ALL licenses, and to remove licenses when they are not really used - assuming they get the license back when they need it next time.
            • This is only to reduce the number of used licenses. Access to data is done via other access groups. For users where licenses cannot be given automatically (from unclaimed domains = our suppliers) we add the user to a special license-granting group when/while they are member of any access-granting group. For users from claimed domains, we rely on the approved domain functionality and we might remove the license even when the users are still in an access-granting group (which does not give licenses). We have about 15.000 access-granting groups and only 3 products, means 6 licence-granting groups (1 static and 1 dynamic license groups per product).
            • I expect the Approved domain feature to add user to the license group whenever they need a license and currently do not have one. After we remove users from the (dynamic) license group, some might come back and some might never use our Atlassian tool again e.g. when they leave the company shortly after.
            • Even when the licenses can be given to us now for higher user counts, we still have to pay for any user who holds a license. It would be very difficult to regain access when we remove the users from the access groups just because they do not actively access the data - some access groups are dynamic, e.g. holds all members of a department, and they might only use it once a year for a training session. The reason for access is they are department members - and that reason does not go away. We decided to handle this non-use by removing the licenses only.
            • If users have API tokens, we do NOT remove them from the license groups, as in the API licenses are NOT granted on demand. So user has to login once to get the license and only then can use the API. This topic is more complex in detail, but that is the basic idea.

            I understand you have complex rules about when a user can access data even without a license, e.g. when they are JSM customers. So if a user logs in to JSM, they can see something, but when they are in the same session and URL and they want to see details, they will not get the now-required license on-demand when they currently do not have it.

            I consider this a conceptional bug.

            • As a solution, when you forward the user to the "permission denied" page, you should first try to give the required license via approved domains and maybe bring the user back to the page they wanted to see if that was successful.
            • Or have a completely different checking that does NOT rely on browser forwards, instead do that inside the API calls used by your pages.

            That is the same topic as in https://jira.atlassian.com/browse/CONFCLOUD-78128 or https://jira.atlassian.com/browse/CONFCLOUD-74283 and many others. It affects Jira and Confluence for us, and the former workarounds have partly stopped working, e.g. we do not see the Confluence error page to "Get Full Access" any more.

            Someone at Atlassian also wants to introduce a feature to give ALL licenses defined in approved domain when the user logs in. This is a bad idea:

            • Some sites have small licenses and most users will never use that. If you add users to that license when they try to access some other site or product, that license count will be exceeded by users who never used the product.
            • Users never really "login" after their first use - they just confirm their login after some shorter absence but they are were formally logged out. Your solution must work on-demand, not only on "next login".

            We also have problems now with first-time users who do not get their initial license, instead the browser goes into a forwarding loop that ends with timeout after 30sec.

            I consider that license-granting (and session-handling) functionality severely broken, up to a point where we should not rely on Approved domains any more. What saves us: We only have few first-time users every month, and most users who get a license removed due to months of inactivity will really not come back - so it is not that huge number of tickets, but it is a constant struggle to fix that fast, while Atlassian changes the functionality and the error pictures reported change every few weeks.


            Bruno Abele added a comment (edited)

            The license is not granted even when user does a logout and login, so there is no workaround.

            Users do not get licenses and cannot use the tools. Hundreds or thousands of users affected.

            This ticket means the whole "Approved Domain" feature is broken as soon as Jira is involved - and Atlassian considers this to be a "Severity 3 - Minor" issue.

            In the past, a similar problem existed for Confluence, where a logout was a workaround, now there is a "request full access" button on the "you have no access" error page. https://jira.atlassian.com/browse/CONFCLOUD-74283


              Assignee: Unassigned
              Reporter: Nivedita Venkateswaran
              Affected customers: 2
              Watchers: 8
