Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-67347

Clarification about the message "Nesting of groups with 'JIRA Administrators' or 'JIRA System Administrators' permission is not supported." in the JIRA UI

XMLWordPrintable

    • Icon: Suggestion Suggestion
    • Resolution: Unresolved
    • None
    • Documentation - All
    • None
    • 2
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      When JIRA is configured with an LDAP directory with "nested groups" enabled, the following message is displayed in the UI when trying to Edit Nested Group Members:

      Nesting of groups with 'JIRA Administrators' or 'JIRA System Administrators' permission is not supported.

      This message is a bit misleading considering that:

      1. it is not possible to add a group as a member of a group which has JIRA Admin or JIRA System Admin permission, via the JIRA UI (expected behavior)
      2. it is possible to do it via the LDAP directory and by syncing JIRA with it (not expected behavior)

      Steps to reproduce the 2 scenarios listed above

      Scenario 1 (expected behavior)

      • Connect JIRA to an LDAP directory configured with nested groups enabled (this configuration will make the button "Edit Nested Group Members" visible from ⚙ > User Management > Groups)
      • Create a group called jira-admin in JIRA via ⚙ > User Management > Groups
      • Go to ⚙ > System > Global Permission and grant this group the JIRA System Admin permission
      • Go to ⚙ > User Management > Groups > Edit Nested Group Members
      • Notice that this group is not part of the list of groups to which nested groups can be added, since this group has the JIRA System Admin permission

      Scenario 2 (unexpected behavior)

      • Connect JIRA to an LDAP directory configured with nested groups enabled (this configuration will make the button "Edit Nested Group Members" visible from ⚙ > User Management > Groups)
      • Create a group called jira-admin in the LDAP directory
      • Create a group called group-nested-under-admin in the LDAP directory, and configured it as a member of the group jira-admin via LDAP
      • Create a user in LDAP that is a member of group-nested-under-admin
      • Sync JIRA with the LDAP directory
      • Notice that the user ends up being both a member of group-nested-under-admin AND jira-admin (and therefore is granted the Jira System Administrators permission)

      Suggested Solution

      It would be a good idea to:

      • either mention clarify this behavior in our official documentation about nested groups, since there is no explanation in the documentation about the statement "Nesting of groups with 'JIRA Administrators' or 'JIRA System Administrators' permission is not supported." that is displayed in the JIRA UI
      • or make the behavior consistent in both scenarios, to avoid any confusion

        1. Admin_Group_Page.png
          253 kB
          Julien Rey
        2. Admin_Users_Page.png
          163 kB
          Julien Rey

              tbartyzel Tomasz Bartyzel
              jrey Julien Rey (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: