Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-1263

Provide flag to filter users/groups to client applications based on application's permission to authenticate.

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      This Feature request is one of the solution that can be implemented for the goal of implementing the feature mentioned at CWD-5145 - Only users who have access to applications connected to Crowd should be synchronized from Crowd to those applications

      When a directory is associated with an application in Crowd, all users and groups returned by the scope of the directory configuration are displayed in client applications. We should provide the ability to filter users/groups for client apps based on the ability to authenticate in the client app.

      • Setup an LDAP server with users, only some are added to a group.
      • Add the LDAP directory to crowd
      • Login to crowd and under Applications, click on "Add Application".
      • In the directories tab, remove the internal directory and add the LDAP directory (allow all to authenticate = false)
      • In the groups tab, add the LDAP group
      • Go to the users tab.

      Expected: Only users from the LDAP group to be present, the rest have no permission to authenticate and are not part of the valid groups.
      Actual: All users from the directory are present.

      This is a design decision in Crowd, as most customers want all users and groups to be present, regardless of the ability to authenticate. We may consider providing a toggle for this behaviour in the future, but it's not on a roadmap at present.

            [CWD-1263] Provide flag to filter users/groups to client applications based on application's permission to authenticate.

            The feature has been already released with Crowd 4.4:

            https://confluence.atlassian.com/crowd/crowd-4-4-release-notes-1087517293.html

            Pawel Gruszczynski (Inactive) added a comment - The feature has been already released with Crowd 4.4: https://confluence.atlassian.com/crowd/crowd-4-4-release-notes-1087517293.html

            +1 this request is important to our organization.

            Many of our Bitbucket users have service accounts (which share the same email address as the user's main account), so even if these service accounts aren't being pulled into the Global Permissions for Bitbucket, those service account names are more often than not shown as the author of committers instead of the actual author names attributed to the commits.

            This is going to be a pretty big source of confusion due to how common it is for users to have service accounts in our organization.

            Shane Wignall added a comment - +1 this request is important to our organization. Many of our Bitbucket users have service accounts (which share the same email address as the user's main account), so even if these service accounts aren't being pulled into the Global Permissions for Bitbucket, those service account names are more often than not shown as the author of committers instead of the actual author names attributed to the commits. This is going to be a pretty big source of confusion due to how common it is for users to have service accounts in our organization.

            This continues to be an issue for us

            Our organization currently connects to 3 separate Directories (with more to come) and we have no choice but to pull all the users from the directory.  LDAP filter can't be used to limit the appropriate members, so even though we have only ~2,000 users who are licensed per directory, we are exposing over 3*60,000 users to all the connecting applications.

            This causes both performance, management, and security/privacy [GDPR] issues.

            Kristopher Drew Perez added a comment - This continues to be an issue for us Our organization currently connects to 3 separate Directories (with more to come) and we have no choice but to pull all the users from the directory.  LDAP filter can't be used to limit the appropriate members, so even though we have only ~2,000 users who are licensed per directory, we are exposing over 3*60,000 users to all the connecting applications. This causes both performance, management, and security/privacy [GDPR] issues.

            bnobr added a comment -

            Any roadmap for this ?

            bnobr added a comment - Any roadmap for this ?

            ganeshkumar.pandithurai1168168772 added a comment -

            Had tried the same with Crowd-Bitbucket. We could able to see all users in Bitbucket but we expect only the limited users. Heard that this feature will address our requirement. Do you have any outlook for this feature?

            ganeshkumar.pandithurai1168168772 added a comment - Had tried the same with Crowd-Bitbucket. We could able to see all users in Bitbucket but we expect only the limited users. Heard that this feature will address our requirement. Do you have any outlook for this feature?

            I would like to also add that this is a security concern and should be considered a bug as opposed to an improvement. This provides administrators of the end applications (Jira, Confluence, etc) visibility into the LDAP domain that they should not be given. If the LDAP Domain Administrators and the Crowd Administrators have effectively limited that application to specific groups, there is no reason why the Jira or Confluence Administrators should see more than they have been assigned. Leaving this issue as an improvement is leaving a security hole in the Crowd application.

            Bill Schrier added a comment - I would like to also add that this is a security concern and should be considered a bug as opposed to an improvement. This provides administrators of the end applications (Jira, Confluence, etc) visibility into the LDAP domain that they should not be given. If the LDAP Domain Administrators and the Crowd Administrators have effectively limited that application to specific groups, there is no reason why the Jira or Confluence Administrators should see more than they have been assigned. Leaving this issue as an improvement is leaving a security hole in the Crowd application.

            Confirmed the same behaviour with FishEye 4.0.3 and Bitbucket Server 4.3.1. Once I configure both apps against Crowd (v. 2.9.1 used) with "allow all to authenticate == false", in both client apps I can see users who are not allowed to authenticate in Crowd.
            From client apps admin perspective I can't see any indication those users won't be able to log in, I can configure them as active users through Global Permissions, so they appear as active FishEye/Bitbucket Server users, they can be selected as review participants for instance, but can't log in Crowd won't authenticate them.

            This is a design decision in Crowd, as most customers want all users and groups to be present, regardless of the ability to authenticate. We may consider providing a toggle for this behaviour in the future, but it's not on a roadmap at present.

            I can see some rationale behind this, but I do believe Crowd should offer a way to distinguish such (not allowed to authenticate) users so client apps may handle them differently.

            Piotr Swiecicki added a comment - Confirmed the same behaviour with FishEye 4.0.3 and Bitbucket Server 4.3.1. Once I configure both apps against Crowd (v. 2.9.1 used) with "allow all to authenticate == false", in both client apps I can see users who are not allowed to authenticate in Crowd. From client apps admin perspective I can't see any indication those users won't be able to log in, I can configure them as active users through Global Permissions, so they appear as active FishEye/Bitbucket Server users, they can be selected as review participants for instance, but can't log in Crowd won't authenticate them. This is a design decision in Crowd, as most customers want all users and groups to be present, regardless of the ability to authenticate. We may consider providing a toggle for this behaviour in the future, but it's not on a roadmap at present. I can see some rationale behind this, but I do believe Crowd should offer a way to distinguish such (not allowed to authenticate) users so client apps may handle them differently.

              Unassigned Unassigned
              donna@atlassian.com DonnaA
              Votes:
              36 Vote for this issue
              Watchers:
              37 Start watching this issue

                Created:
                Updated:
                Resolved: