[ACCESS-925] Allow User Provisioning Groups Larger than 1000 in a Single Group Operation


      Resolution update

      Hi All,

      We've raised the limit to support a maximum of 10K users per group provisioned via SCIM.

      Thank you,

      Narmada Jayasankar

      Lead Product Manager, Atlassian Access

      Problem Definition

      Large/Enterprise Customers who are configuring Atlassian Access with User Provisioning are running into an issue where User Provisioning will not create a Group if it contains more than 1000 Users.

      Error received:

      Resource [Group] Exceeded group member limit of 1000 per group operation, please use additional group patch operations to add/replace/remove members

      Suggested Solution

      Expand the User Provisioning Group API so that more than 1k group operations can be received.

      Why this is important

      Large/Enterprise Customers may not be able to split their Group into smaller groups.

      Workaround

      For the initial sync, reduce the Group Membership to fewer than 1000 Users and push the Group. Once successful, add Users back to the Group in batches of fewer than 1000 (e.g. 1-1000, 1001-2000, 2001-3000, etc.).
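
      The batching that the workaround and the error message describe, written as SCIM 2.0 PATCH bodies (RFC 7644). This is an added example, not Atlassian's code and not part of the issue; the function names, the default batch size of 999 (the workaround's under-1000 figure) and the placeholder user ids are assumptions.

```python
import json
from typing import Iterator

# Message schema URN for SCIM PATCH requests (RFC 7644, section 3.5.2)
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def member_batches(member_ids: list[str], batch_size: int = 999) -> Iterator[list[str]]:
    """Yield de-duplicated member ids in first-seen order, at most batch_size per batch."""
    if batch_size < 1:
        raise ValueError("batch_size must be at least 1")
    unique = list(dict.fromkeys(member_ids))  # drops repeats, keeps order
    for start in range(0, len(unique), batch_size):
        yield unique[start:start + batch_size]


def build_add_member_patches(member_ids: list[str], batch_size: int = 999) -> list[dict]:
    """Return one PatchOp body per batch; each body adds its batch to the group's members."""
    return [
        {
            "schemas": [PATCH_OP_SCHEMA],
            "Operations": [
                {"op": "add", "path": "members",
                 "value": [{"value": member_id} for member_id in batch]}
            ],
        }
        for batch in member_batches(member_ids, batch_size)
    ]


def largest_operation(patches: list[dict]) -> int:
    """Largest member count carried by any single operation, to compare with the limit."""
    return max((len(op["value"]) for p in patches for op in p["Operations"]), default=0)


if __name__ == "__main__":
    # Constructed sample input: 7,500 placeholder user ids
    users = [f"user-{n:05d}" for n in range(7500)]
    patches = build_add_member_patches(users)
    print(len(patches), "PATCH bodies; largest carries", largest_operation(patches), "members")
    print(json.dumps(patches[-1])[:160], "...")
```

      Each body is sent as its own PATCH request against the group resource; the endpoint and credentials depend on the identity provider and are not shown.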


            Daniel Bolens added a comment - Same boat as Greg more or less.  We're lucky in this case that we've always tied Atlassian permissions to isolated groups just for this purpose.  But those groups just inherit membership from an overall All Staff group.  Basically doing this results in some downtime while users won't be able to see a large amount of Jira or Confluence data until everything is synced.  Hopefully something we can see upped limit-wise.

            Greg Warner added a comment - Enterprise customer here with 7,500 staff and about to start an enterprise cloud trial. This was the first problem we ran into. The workaround isn't feasible because 7,500 staff are groups of groups with significant cross-department and cross-business overlap. Those groups are also automatically provisioned via Active Directory through to Okta from our HRIS. We can't just break them into smaller groups without significantly disrupting our automation and downstream effects.

              scranford Shawn C (Inactive)