Bitbucket Data Center: BSERV-8594

Provide capability to immediately prevent a user from accessing Bitbucket if their permissions are removed


Details

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Currently Bitbucket does not immediately terminate active sessions (to the website or for active git operations) when a user's permissions are removed.

      Steps to Duplicate:

      • User X is logged into Bitbucket and is browsing repositories, adding comments, etc.
      • User X is removed from Crowd, LDAP, or AD, or even directly in Bitbucket
      • Problem 1: if User X comes from LDAP or AD, Bitbucket may not learn of the permission change until the next directory synchronization (every 60 minutes by default)
      • Problem 2: even after the LDAP/AD synchronization, User X is not automatically logged out of Bitbucket and is not prevented from accessing anything they previously had permission to access until they are required to log in again (due to a session timeout or closing the browser).

      Some industries that are highly regulated require the ability to immediately terminate access.

      Some possible suggestions include:

      • A page available to System Admins that shows all current sessions, with the ability to terminate sessions from the UI
      • A REST API that could be called either manually or from LDAP to terminate sessions opened by a user whose permissions were removed
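      The behaviour the two suggestions describe (an admin view that can end individual sessions, and bulk revocation triggered by a REST call or by the directory sync itself) can be sketched as a small session store. The code below is an added illustration written for this page, not Bitbucket's implementation or API; names such as SessionStore, revoke_user and sync_directory are hypothetical, and the directory membership it syncs against is a constructed set standing in for an LDAP/AD query.

```python
"""Hypothetical session store showing "remove the user => access ends now".

Design: every session records a logical issue time and every user has a
revocation watermark. A session is live only if it was issued after its
user's watermark, so revoking a user is one small write that invalidates
every session they hold (including ones on other cluster nodes) without
enumerating them, and re-provisioning the user simply issues fresher
sessions that pass the check again.
"""
import secrets
from collections.abc import Iterable
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    sid: str        # public id, safe to show on an admin page
    token: str      # secret cookie value, never shown to admins
    user: str
    issued_at: int  # logical clock tick at login


class SessionStore:
    """Illustrative only; Bitbucket's real session handling is not modelled."""

    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}
        self._by_sid: dict[str, str] = {}          # sid -> token
        self._revoked_after: dict[str, int] = {}   # user -> watermark tick
        self._clock = 0  # logical clock: no wall-clock skew between nodes

    def _tick(self) -> int:
        self._clock += 1
        return self._clock

    def login(self, user: str) -> str:
        s = Session(secrets.token_hex(8), secrets.token_urlsafe(32), user, self._tick())
        self._by_token[s.token] = s
        self._by_sid[s.sid] = s.token
        return s.token

    def is_valid(self, token: str) -> bool:
        """Checked on every request, web or git-over-HTTP, so revocation bites at once."""
        s = self._by_token.get(token)
        return s is not None and s.issued_at > self._revoked_after.get(s.user, 0)

    def _live(self) -> list[Session]:
        return [s for s in self._by_token.values() if self.is_valid(s.token)]

    def list_sessions(self) -> list[tuple[str, str]]:
        """Admin page: (user, sid) for each live session."""
        return sorted((s.user, s.sid) for s in self._live())

    def terminate_session(self, sid: str) -> bool:
        """Admin page: end one session by its public id."""
        token = self._by_sid.pop(sid, None)
        if token is None:
            return False
        del self._by_token[token]
        return True

    def revoke_user(self, user: str) -> int:
        """REST call: one write invalidates every session the user holds.
        Returns how many sessions were live before the call."""
        live = sum(1 for s in self._live() if s.user == user)
        self._revoked_after[user] = self._tick()
        return live

    def sync_directory(self, directory_users: Iterable[str]) -> set[str]:
        """Problem 1 above: let the directory sync revoke users who vanished from
        the directory instead of waiting for their next login attempt."""
        gone = {s.user for s in self._live()} - set(directory_users)
        for user in gone:
            self.revoke_user(user)
        return gone


if __name__ == "__main__":
    store = SessionStore()
    web = store.login("userx")   # browsing repositories, adding comments
    git = store.login("userx")   # a concurrent git-over-HTTP session
    print(store.sync_directory({"userx", "alice"}))  # constructed AD membership
    print(store.sync_directory({"alice"}))           # userx removed from AD
    print(store.is_valid(web), store.is_valid(git))  # both sessions now dead
```

      The watermark keeps revocation cheap in a clustered deployment: nodes only have to agree on one integer per user rather than on the full set of session ids, and the per-request check is a dictionary lookup.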

      People

        Assignee: Unassigned
        Reporter: Craig Drummond (cdrummond)
        Votes: 3
        Watchers: 7