Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-23017

Add "Directory" column and filter to Manage Groups > Group Members page, to resolve inconsistency between group membership and user membership of groups (incl proposed solution and workaround)

    XMLWordPrintable

Details

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Problem: Manage Groups > groupname > Group Members not consistent with Manage Users > username > View User page

      We use crowd to hold our Confluence user accounts, with the Internal Confluence directory as a failover.

      We have a user that was once a member of the confluence-administrators group. Since then, he has been removed via the Manage Groups > confluence-administrators > Group Members page. Even though this user no longer has admin privileges when they log in, their account still displays on the Manage Groups > confluence-administrators > Group Members page. This makes it impossible to determine via the Confluence interface the actual/true list of members of a group.

      With the help of your support staff, we have found that the inconsistency between group membership and a user's membership of a group is caused by the user still existing in the confluence-administrators group of the Internal directory. This is obviously a security concern; in the event that the server fails over to the Internal directory, unprivileged users will have administrative access to the server.

      Solution

      • To resolve this, a "Directory" column could be added to the Manage Groups > groupname > Group Members page, so that it is clear in which directory the user account exists in that group.
      • This may well cause users to be listed more than once, for each directory where they exist. To make this clearer for administrators, a filter could be added enabling them to choose between directories. For our server, the filter would allow "All Directories", "Crowd" and "Internal" to be selected.

      Temporary Workaround

      If you encounter the above issue, where a user exists in a group and seemingly cannot be removed via the Confluence interface, go to User Directories, make the other directory the primary authenticator (in our case, the Internal directory), and then return to the Manage Groups > groupname > Group Members page and attempt to remove the user again. This must be done for every directory where the user exists before it will be removed from the Manage Groups > groupname > Group Members page. Finally, make the original directory the primary authenticator (in our case, Crowd)

      Attachments

        Issue Links

          duplicates

          Suggestion - CONFSERVER-22464 Provide per-directory user management screens

          • Not Being Considered

          Activity

            People

              Unassigned Unassigned
              bb6178f916c2 Paul
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: