When connecting Bitbucket Data Center to a large Corporate LDAP with many groups, it is tough or impossible for a Admin, Project or repository, to know who they are giving permission to the repository to. For instance, what is the difference between the group Atlassian, Atlassian-support, or Atlassian-staff. If a admin is not careful, they may have intended to give permission to Atlassian-staff while intending to choose Atlassian-support without knowing the real difference between the two. But the person they intended to give access to right then now has access, along with a bunch of people they didn’t intend to, possibly impacting licensing and causing a lot of additional work tracking down who gave these extra users access. Also the group Atlassian still showed at the top in the search results and has to be ignored for each change. This can also happen when two Active Directory hit a namespace collision because the systems are being combined.

In this complicated group environment Bitbucket System Admin need to be able to restrict the number of groups available to help Admin to avoid some mistakes. Here are some possible ways to restrict the groups:

• An allow or deny list defined by a regex.
• The Directory domain the group is in. For instance, only allow Bitbucket repository admin to add Internal or Crowd groups and not Active Directory groups.
• A list of groups allow or deny.
• A combination of the above.

Unintentional mistakes can be avoided if Bitbucket System Admin are able to limit the number of groups Bitbucket Admin are able to choose.