Type: Suggestion
Resolution: Unresolved
Component/s: User Management - Groups
Issue Summary
When configuring an external directory with "Read-only, with local groups" and adding a group to the "Default Group Membership":
- If the group already exists in the local Jira directory, a second row for the same group name is added to the cwd_group DB table, associated with the external directory:
jira=# select * from cwd_group where group_name='Test_group_local';
  id   |    group_name    | lower_group_name | active | local |        created_date        |        updated_date        | description | lower_description | group_type | directory_id | external_id
-------+------------------+------------------+--------+-------+----------------------------+----------------------------+-------------+-------------------+------------+--------------+-------------
 10110 | Test_group_local | test_group_local |      1 |     0 | 2022-10-14 12:08:19.608+00 | 2022-10-14 12:08:19.608+00 |             |                   | GROUP      |            1 |
 10156 | Test_group_local | test_group_local |      1 |     1 | 2022-10-14 12:23:01.594+00 | 2022-10-14 12:23:01.594+00 |             |                   | GROUP      |        10000 |
(2 rows)
- If the group doesn't exist, a new row is created for that group in the cwd_group table, associated with the external directory:
jira=# select * from cwd_group where group_name='test_group1';
  id   | group_name  | lower_group_name | active | local |        created_date        |        updated_date        | description | lower_description | group_type | directory_id | external_id
-------+-------------+------------------+--------+-------+----------------------------+----------------------------+-------------+-------------------+------------+--------------+-------------
 10111 | test_group1 | test_group1      |      1 |     1 | 2022-10-14 12:11:18.193+00 | 2022-10-14 12:11:18.193+00 |             |                   | GROUP      |        10000 |
(1 row)
In both cases a new row is created for the group, but the group is not "really" added to Active Directory, because the "Read-only, with local groups" setting means:
LDAP users, groups and memberships are retrieved from your directory server and can only be modified via your directory server. You cannot modify LDAP users, groups or memberships via the application administration screens. However, you can add groups to the internal directory and add LDAP users to those groups.
However, if you later remove the group from the "Default Group Membership" field, or change the directory permission to "Read-only" or "Read/Write", the row that was added to the DB is not removed.
This causes confusion, especially after changing the LDAP permission to "Read-only": the group can then no longer be removed, and the customer is left wondering where the group came from in the first place.
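The following PostgreSQL queries are an added example for checking a Jira database for the leftover rows described above; they are not part of this issue report or of Atlassian's own tooling. They assume the cwd_group columns shown above, a cwd_directory table with id, directory_name and directory_type columns (the standard embedded-Crowd schema), and that local = 1 marks a group row created through the application rather than synchronised from LDAP, as in the rows above.

```sql
-- Added example; not part of the issue report.
-- Assumes the cwd_group layout shown above and a cwd_directory table with
-- id, directory_name and directory_type columns (embedded-Crowd schema).

-- 1. Group names that exist in more than one directory (the first symptom in
--    the issue: Test_group_local in both the internal and the LDAP directory).
SELECT g.lower_group_name,
       COUNT(*) AS directory_count,
       STRING_AGG(d.id::text || '=' || d.directory_name, ', ' ORDER BY d.id) AS directories
FROM   cwd_group g
JOIN   cwd_directory d ON d.id = g.directory_id
GROUP  BY g.lower_group_name
HAVING COUNT(*) > 1
ORDER  BY g.lower_group_name;

-- 2. Locally created group rows that live in a non-internal (LDAP) directory.
--    Assumption: local = 1 marks a group created through the application rather
--    than synchronised from LDAP. Once the directory permission has been changed
--    to "Read-only", these are the rows the UI can no longer delete.
SELECT g.id,
       g.group_name,
       g.directory_id,
       d.directory_name,
       d.directory_type,
       g.created_date
FROM   cwd_group g
JOIN   cwd_directory d ON d.id = g.directory_id
WHERE  g.local = 1
  AND  d.directory_type <> 'INTERNAL'
ORDER  BY d.id, g.lower_group_name;
```

Both queries are read-only and are meant for diagnosis; rather than deleting the rows by hand, remove the group through the application after applying the workaround below, so that the related membership and attribute tables stay consistent.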
Steps to Reproduce
- Integrate Jira with an external directory using the "Read-only, with local groups" LDAP Permission.
- Add a new group to the "Default group membership" field by typing its name.
- Test and save.
- Check the database: you will notice that a new row has been created in the cwd_group table for that group, associated with the external directory.
- Edit the directory config and change the LDAP permission to "Read-only".
- Go to the user management > groups, and search for the group used in step 2. Try to delete that group.
Expected Results
- The group is deleted because it's not used in the configuration anymore.
Actual Results
- You receive an error mentioning "You do not have permission to remove this group from all directories in which it occurs".
Workaround
- Change the LDAP permission back to "Read-only, with local groups". This will allow you to delete the group initially used in the configuration.