Status: Closed
Restricting synchronisation to certain users currently has to be done by configuring an LDAP search filter, as per "How to write LDAP search filters". This can get particularly complicated when multiple groups from different DNs are involved. Please provide some functionality within the UI to only synchronise users based on different groups, for different applications.
This solution mentions JIRA; however, it is applicable to any application integrating with Crowd.
- Log in to Crowd as administrator.
- Go to Applications and click on your JIRA application.
- Click on "Groups".
Now you should see a list of all groups that can authenticate to JIRA (I'll use my instance for example).
Pearson AD - PEROOT users - jira-administrators
Pearson AD - PEROOT users - jira-developers
Pearson AD - PEROOT users - jira-users
Pearson Crowd - external users - jira-users-ext
Now, in JIRA, or in Crowd, there should be a checkbox option (it'll probably be easier to implement in JIRA, but if done in Crowd could be easily utilized by all Atlassian apps) to only sync authenticated groups.
What this would mean is that unless the user is a part of one of the above groupings, they are not synced into JIRA. This would cut down drastically on the number of users brought in, and alleviate the issues large instances such as our own have been experiencing. JIRA would no longer be forced to bring in user information for users that cannot access JIRA.
This would drop us from 80k users back to our 8k, while still allowing us to authenticate through Crowd, manage our groups through Crowd, and leaving (as far as I can tell) all functionality intact.
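The LDAP search filter workaround mentioned at the top of this request, as an added example (not part of the original issue and not Atlassian code): it builds a user filter that matches only members of the listed groups, escaping each group DN per RFC 4515. The group DNs, the base filter and the function names are assumptions; `memberOf` and the nested-group matching rule are Active Directory specifics.

```python
# Added example. Group DNs and the base filter are constructed placeholders,
# not values taken from the issue.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD matching rule: follow nested groups

# Constructed sample input: one duplicate, one DN containing parentheses.
SAMPLE_GROUPS = [
    "CN=jira-users,OU=Groups,DC=example,DC=com",
    "CN=jira-developers,OU=Apps (EU),DC=example,DC=com",
    "CN=jira-users,OU=Groups,DC=example,DC=com",
]


def escape_filter_value(value: str) -> str:
    """Escape an LDAP filter assertion value (RFC 4515, section 3)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def group_sync_filter(group_dns, base_filter="(objectCategory=person)", nested=False):
    """Return a user filter matching only members of at least one listed group."""
    # Drop blanks and duplicates while keeping the caller's order.
    dns = list(dict.fromkeys(dn.strip() for dn in group_dns if dn.strip()))
    if not dns:
        # Refuse rather than emit a filter that would fall back to every user.
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{AD_IN_CHAIN}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in dns]
    # A single group needs no OR wrapper; several groups are OR-ed together.
    membership = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&{base_filter}{membership})"


if __name__ == "__main__":
    print(group_sync_filter(SAMPLE_GROUPS))
    print(group_sync_filter(SAMPLE_GROUPS[:1], nested=True))
```

Plain `memberOf` matches direct members only; `nested=True` also matches users who reach the group through nested groups, at a higher query cost on the directory server.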