External Users can be added to Read-Only Groups via Invite Users flow


    • Severity 3 - Minor

      Issue Summary

      This is reproducible on Data Center: I don't know.

      External Users (any user outside the verified domain(s) & NOT SCIM synced) can be added to Read-Only Groups via Invite Users flow

      Steps to Reproduce

      1. Go to https://admin.atlassian.com/o/ORGID/users?status=ACTIVE and click on "Invite users" button.

      2. The Group membership drop-down list contains read-only groups (synced via SCIM) to which we can successfully add the external user. We select such a group and click on the "Invite users" button. This successfully sends the invite and adds the external user to the SCIM synced group.

      Expected Results

      Read-only groups should not be visible in the drop-down, in the user invite flow.
      We shouldn't allow new users to be added to read-only groups unless they come from the IDP.

      Actual Results

      External user is getting added successfully to the read-only group.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
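
      One way to audit an organisation for the condition reported above, added here as an example and not Atlassian's code: it flags members of read-only (SCIM-synced) groups who are outside the verified domains and not SCIM synced. The record layout (`email`, `scim_synced`, `read_only`, `members`), the function names and all sample data are assumptions constructed for illustration, not an Atlassian API schema.

```python
# Assumed export layout: users carry 'email' and 'scim_synced'; groups carry
# 'name', 'read_only' and 'members' (a list of e-mail addresses).

def email_domain(email):
    """Return the lower-cased domain of an address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else ""

def is_external(user, verified_domains):
    """External per the ticket: outside verified domains AND not SCIM synced."""
    if user.get("scim_synced"):
        return False
    # Exact match only: 'evil-example.com' or 'sub.example.com' is not 'example.com'.
    return email_domain(user["email"]) not in verified_domains

def find_violations(groups, users, verified_domains):
    """List (group, email) pairs where an external user sits in a read-only group."""
    verified = {d.lower() for d in verified_domains}
    by_email = {u["email"].lower(): u for u in users}
    hits = []
    for g in groups:
        if not g.get("read_only"):
            continue
        for m in g["members"]:
            user = by_email.get(m.lower())
            # A member missing from the user export cannot be shown to come from the IdP.
            if user is None or is_external(user, verified):
                hits.append((g["name"], m.lower()))
    return sorted(hits)

# Constructed sample data.
USERS = [
    {"email": "alice@example.com", "scim_synced": True},
    {"email": "bob@example.com", "scim_synced": False},
    {"email": "mallory@evil-example.com", "scim_synced": False},
    {"email": "Carol@Partner.org", "scim_synced": False},
]
GROUPS = [
    {"name": "idp-engineering", "read_only": True,
     "members": ["alice@example.com", "bob@example.com", "mallory@evil-example.com"]},
    {"name": "local-contractors", "read_only": False, "members": ["carol@partner.org"]},
    {"name": "idp-finance", "read_only": True, "members": ["carol@partner.org"]},
]
VERIFIED = ["Example.com"]

if __name__ == "__main__":
    for group, email in find_violations(GROUPS, USERS, VERIFIED):
        print(f"{group}: {email}")
```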

            Assignee:
            Unassigned
            Reporter:
            Bogdan Ciuperca (Inactive)
            Votes:
            0
            Watchers:
            9
