Provide flag to filter users/groups to client applications based on application's permission to authenticate.

      This feature request is one of the solutions that can be implemented for the goal of implementing the feature mentioned in CWD-5145 - Only users who have access to applications connected to Crowd should be synchronized from Crowd to those applications.

      When a directory is associated with an application in Crowd, all users and groups returned by the scope of the directory configuration are displayed in client applications. We should provide the ability to filter users/groups for client apps based on the ability to authenticate in the client app.

      • Set up an LDAP server with users, only some of whom are added to a group.
      • Add the LDAP directory to Crowd.
      • Log in to Crowd and under Applications, click on "Add Application".
      • In the directories tab, remove the internal directory and add the LDAP directory (allow all to authenticate = false).
      • In the groups tab, add the LDAP group.
      • Go to the users tab.

      Expected: Only users from the LDAP group to be present, the rest have no permission to authenticate and are not part of the valid groups.
      Actual: All users from the directory are present.

      This is a design decision in Crowd, as most customers want all users and groups to be present, regardless of the ability to authenticate. We may consider providing a toggle for this behaviour in the future, but it's not on a roadmap at present.

            [CWD-1263] Provide flag to filter users/groups to client applications based on application's permission to authenticate.

            Renata Dornelas made changes -
            Remote Link Original: This issue links to "Page (Atlassian Documentation)" [ 181480 ]
            Pawel Gruszczynski (Inactive) made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Gathering Interest [ 11772 ] New: Closed [ 6 ]
            Pawel Gruszczynski (Inactive) made changes -
            Link New: This issue duplicates CWD-5145 [ CWD-5145 ]

            Pawel Gruszczynski (Inactive) added a comment -

            The feature has been already released with Crowd 4.4:

            https://confluence.atlassian.com/crowd/crowd-4-4-release-notes-1087517293.html

            Shane Wignall added a comment -

            +1 this request is important to our organization.

            Many of our Bitbucket users have service accounts (which share the same email address as the user's main account), so even if these service accounts aren't being pulled into the Global Permissions for Bitbucket, those service account names are more often than not shown as the author of committers instead of the actual author names attributed to the commits.

            This is going to be a pretty big source of confusion due to how common it is for users to have service accounts in our organization.
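
The gap between the Expected and Actual results in the issue description, and the shared-email service accounts from the comment above, modelled as an added example (not part of the issue and not Crowd's own code). The `Account` and `Mapping` classes, the group names and the sample accounts are assumptions constructed for illustration; nothing here calls Crowd's API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class Mapping:
    allow_all_to_authenticate: bool
    authorised_groups: frozenset


def can_authenticate(acct, mapping):
    """True if the mapping lets everyone in or the account is in a mapped group."""
    return mapping.allow_all_to_authenticate or bool(acct.groups & mapping.authorised_groups)


def visible_unfiltered(directory):
    """'Actual' in the issue: every directory account reaches the client app."""
    return {a.username for a in directory}


def visible_filtered(directory, mapping):
    """'Expected' in the issue: only accounts that are allowed to authenticate."""
    return {a.username for a in directory if can_authenticate(a, mapping)}


def shadowing_accounts(directory, mapping):
    """Unauthorised accounts whose email matches an authorised account's email."""
    allowed_emails = {a.email.lower() for a in directory if can_authenticate(a, mapping)}
    return sorted(a.username for a in directory
                  if not can_authenticate(a, mapping) and a.email.lower() in allowed_emails)


# Constructed sample data; class and field names are a hypothetical model, not Crowd's API.
DIRECTORY = [
    Account("alice", "alice@example.com", frozenset({"bitbucket-users"})),
    Account("svc-alice", "Alice@example.com"),  # service account, same mailbox as alice
    Account("bob", "bob@example.com", frozenset({"bitbucket-users"})),
    Account("carol", "carol@example.com", frozenset({"finance"})),
]
MAPPING = Mapping(False, frozenset({"bitbucket-users"}))  # allow all to authenticate = false

if __name__ == "__main__":
    print(sorted(visible_filtered(DIRECTORY, MAPPING)), shadowing_accounts(DIRECTORY, MAPPING))
```

Accounts returned by `shadowing_accounts` are the ones worth reviewing first when the unfiltered behaviour is in effect, since a client application that matches on email can attribute activity to them instead of the authorised account.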
            Monique Khairuliana (Inactive) made changes -
            Description: added the opening paragraph referencing CWD-5145 (https://jira.atlassian.com/browse/CWD-5145); the rest of the description is unchanged.
            Monique Khairuliana (Inactive) made changes -
            Link New: This issue is blocked by CWD-5145 [ CWD-5145 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3388217 ] New: JAC Suggestion Workflow 3 [ 3630071 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1393388 ] New: JAC Suggestion Workflow [ 3388217 ]
            Issue Type Original: Improvement [ 4 ] New: Suggestion [ 10000 ]
            Status Original: Needs Verification [ 10004 ] New: Gathering Interest [ 11772 ]
            Monique Khairuliana (Inactive) made changes -
            Epic Link Original: CWD-4701 [ 598559 ]

              Unassigned
              donna@atlassian.com DonnaA
              Votes: 36
              Watchers: 37