
      See USER-101

            [CWD-74] Support groups-within-groups

            David O'Flynn [Atlassian] added a comment -

            Is this clear?

            Abundantly. Thanks for taking the time to draw out the diagrams. It made your question very easy to understand.

            Can Crowd 1.4 do this?

            Yep! That's the primary use-case.

            Ximon Eighteen added a comment -

            Hi,

            It's not clear to me if Crowd 1.4 will support my requirements. Hopefully if I explain here someone can clarify...

            My ActiveDirectory is configured like this:

            + DC=sub,DC=domain
            |---+ OU=SomeTopLevelNode
                  |---+ OU=SomeOtherNode
                        |---+ OU=MyConfluenceGroups
                              |---- CN=MixedUsersAndReferencedGroups
            |---+ OU=AnotherTopLevelNode
                  |---+ OU=Users
                        |---- CN=Joe Bloggs
                        |---- CN=Barny Rubble
                        |---- CN=Fred Flintstone
            |---+ OU=YetAnotherTLNode
                  |---+ OU=GroupsOutsideMyControl
                        |---- CN=Some Outside Group
                        |---- CN=Some Other Outside Group

            Users (e.g. Joe or Fred) have an objectClass=person attribute and an sAMAccountName=fred (for example) attribute.

            Groups have an objectClass=group attribute and one or more member=DN attributes where the DN can be that of a user OR that of a group elsewhere in the AD tree (e.g. Some Other Outside Group). This use of a member=DN attribute to refer to something other than a user is what I mean by "nested groups" but may not be your meaning.

            Assume that the MixedUsersAndReferencedGroups group has these member= attributes:

            member=CN=Joe Bloggs,OU=Users,OU=AnotherTopLevelNode,DC=sub,DC=domain
            member=CN=Some Outside Group,OU=GroupsOutsideMyControl,OU=YetAnotherTLNode,DC=sub,DC=domain

            And that the Some Outside Group group has these member= attributes:

            member=CN=Fred Flintstone,OU=Users,OU=AnotherTopLevelNode,DC=sub,DC=domain

            When I look in Confluence -> Administration -> Manage Groups I want to see:

            MixedUsersAndReferencedGroups

            If I drill down into MixedUsersAndReferencedGroups the members I see should be:

            User, Full Name
            joe, Joe Bloggs
            fred, Fred Flintstone

            I should also be able to choose the MixedUsersAndReferencedGroups group in any of the permissions screens so that I can restrict access to various spaces to members of the groups under MyConfluenceGroups.

            Is this clear?
            Can Crowd 1.4 do this?

            David O'Flynn [Atlassian] added a comment -

            Hi Martin,

            Yes, a Crowd-integrated Confluence instance will see users in child groups as members of the parent group, allowing administrators to use nested groups to manage permissions. This will not affect Confluence instances that are not Crowd-enabled.

            Cheers,
            Dave.

            Martin Mitry added a comment -

            Will this soon affect Confluence also?

            David O'Flynn [Atlassian] added a comment -

            Yes, loading of all members will be included. So you shouldn't need '980.

            Bob Swift added a comment -

            Just a clarification, if I import an LDAP/AD directory into a delegated directory, will it load all members (including members from groups in groups)? If so, then the referenced item is not needed for LDAP based groups. If not, then 980 is absolutely needed.

            David O'Flynn [Atlassian] added a comment -

            Hi Bob,

            Yep, Active Directory is definitely supported!

            Since delegated directories store their group information in Internal Directories, Nested Groups will not be available for them in the 1.4 release. Please vote for CWD-980 if you want this implemented.

            Dave.

            Bob Swift added a comment -

            This is good news! I assume you mean LDAP directories including Active Directory.
            Does this support delegated LDAP/AD directories? The requirement, of course, is to support this!

            David O'Flynn [Atlassian] added a comment -

            Hi All,

            The 1.4 release of Crowd will support Nested Groups. There are some things you should be aware of:

            • This will be for LDAP directories only.
            • You can view, add & modify group->group relationships from the UI.
            • Client applications that ask for members of a group will see all members of the group and all sub-groups, consolidated into one list. This makes the new feature transparent to client applications.
            • If you have JIRA, Confluence, or another Atlassian application connected to Crowd, and you have nested groups in your directory, we suggest turning External User Management on. This will avoid confusion in the administration UI, as these applications do not understand the concept of nested groups.
            • There will be some additional developer documentation published, so developers using the SOAP API, or one of the wrappers, can understand how this change will affect them.

            Please let us know if this fails to satisfy your requirements, either by voting for one of the linked issues, creating one of your own, or commenting on this issue.

            Thanks!
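The flattening discussed in this thread (member=DN values that point at other groups, consolidated into one list for client applications), as an added example that is not Crowd's code or part of any comment: it walks a constructed in-memory snapshot of the tree from the question instead of querying LDAP. The names `DIRECTORY` and `effective_members` and Barny's account name are assumptions; the function also records which group grants each membership, because a referenced group that is administered elsewhere decides who ends up in the parent group's permissions.

```python
from collections import deque

BASE = "DC=sub,DC=domain"
USERS = "OU=Users,OU=AnotherTopLevelNode," + BASE
OUTSIDE = "OU=GroupsOutsideMyControl,OU=YetAnotherTLNode," + BASE
OUTSIDE_GROUP = "CN=Some Outside Group," + OUTSIDE
MIXED = ("CN=MixedUsersAndReferencedGroups,OU=MyConfluenceGroups,"
         "OU=SomeOtherNode,OU=SomeTopLevelNode," + BASE)

# Constructed snapshot (DN -> attributes) of the tree described in the issue.
# Barny's sAMAccountName is an assumption; the issue only gives joe and fred.
DIRECTORY = {
    "CN=Joe Bloggs," + USERS: {"objectClass": "person", "sAMAccountName": "joe"},
    "CN=Barny Rubble," + USERS: {"objectClass": "person", "sAMAccountName": "barny"},
    "CN=Fred Flintstone," + USERS: {"objectClass": "person", "sAMAccountName": "fred"},
    MIXED: {"objectClass": "group", "member": ["CN=Joe Bloggs," + USERS, OUTSIDE_GROUP]},
    OUTSIDE_GROUP: {"objectClass": "group", "member": ["CN=Fred Flintstone," + USERS]},
}


def effective_members(directory, group_dn):
    """Flatten member=DN references breadth-first.

    Returns (users, unresolved): users maps sAMAccountName to the DN of the
    group that directly contains the user; unresolved lists member DNs that
    are missing from the snapshot. DNs are compared case-insensitively.
    """
    index = {dn.lower(): (dn, attrs) for dn, attrs in directory.items()}
    users, unresolved = {}, []
    seen = {group_dn.lower()}  # visited groups, so a membership cycle terminates
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for member_dn in index[current.lower()][1].get("member", []):
            key = member_dn.lower()
            if key not in index:
                unresolved.append(member_dn)
            elif index[key][1]["objectClass"] == "group":
                if key not in seen:
                    seen.add(key)
                    queue.append(index[key][0])
            else:
                # Shallowest path wins; remember which group grants access.
                users.setdefault(index[key][1]["sAMAccountName"], current)
    return users, unresolved
```
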

            Liechti Thomas added a comment -

            +1 vote, this really is an essential feature.

              Unassigned
              jnolen Jonathan Nolen (Inactive)
              Votes: 51
              Watchers: 25

              Original Estimate: 24h
              Remaining Estimate: 0h
              Time Spent: 58h