Crowd users not allowed to authenticate are pulled in as normal users

Summary

When synchronizing with a Crowd user directory (or a JIRA user directory), all users regardless of group affiliation are pulled into FishEye. Even users not allowed to authenticate in remote Crowd will still be migrated, FishEye/Crucible won't be able to distinguish them from "standard" users - they would still occupy licence slots, others would be able to pick them as reviewers etc.

Steps to Reproduce

1. In Crowd: Add an "Application" called "fisheye". (Leave "Allow all users to authenticate" unchecked)
2. In Crowd: Add a Group called "fisheye-users".
   
3. In Crowd Administration >> Applications >> FishEye >> Groups: Add the group "fisheye-users".
   
4. In Crowd: Add a user called "not-fecru1" with no group affiliation.
5. In FishEye: Synchronize user directory with Crowd.
   
6. In FishEye: Go to Administration >> Users.

Notes

• This needs to be fixed on Crowd side – see CWD-1263
• The users not belonging to a group who can access FishEye/Crucible will have a lozenge saying "NO ACCESS" next to their user name.
• Both in Crowd and JIRA directory cases all users will be synchronized and they might occupy license slots if they end up with effectively granted global permission (either assigned individually or through group membership). That said, as there is no "Allow all users to authenticate" flag in JIRA, that is expected for JIRA-originating users, but might be surprising for Crowd, where one could expect only a subset of users to be synchronized
• Due to CWD-3025 there is currently no way to assign a Crowd-originating user to local FeCru group

Workarounds

• Create dedicated group(s) in Crowd, add only selected users to the group(s) and grant login access only to those groups via FeCru global permissions. This requires one to have admin access to Crowd.
• Assign users' login access rights individually via FeCru global permissions.