-
Suggestion
-
Resolution: Won't Fix
-
None
-
143
-
Hi All,
The "JSM Customer" role is designed to explicit access to specific individuals and groups. This role exists to minimise the risk of permissions escalation and unauthorised access to JSM sites and portals.
We suggest two recommended implementations to seamlessly grant your help desk users access:
(1) Configuring "Approved Domains" to assign users the "Customer" role
Approved domains allows admins to grant users the "Customer" role when they interact with your JSM site (this could be via email/portal or any other channel)
When a user interacts with your JSM site and belongs to an "Approved domain" they will be granted the correct level of product access (Based on your "Approved domains" settings). When configured with the "Customer" role they will be able to seamlessly raise requests and access your help center without admins intervening.
(2) Atlassian Access (Guard) SCIM sync Groups via Identity Providers
Atlassian is able to sync "groups" from your connected Identity Providers. Using a user group synchronized from the Identity Provider and assigning this group "Customer" access under the Organizations (Admin Hub > Products > Select site > Product access), is the most common method to ensure they are granted this role with immediate access to Open service projects.
These "groups" are synced with your IdP - your users accounts are immediately created and licences are immediately granted.
Both of these options seamlessly grant your users the "Customer" role and access to raise tickets without admins intervening.
If these options aren't appropriate for your JSM setup - Please leave me a comment on this ticket so we can discuss your scenario further
Many thanks,
Ash Young
Product Manager, JSM
Summary
Since the implementation of the Jira Service Management Customer Role, accounts provisioned via Atlassian (SCIM) won't have Customer permissions right off the bat.
Workaround
Companies that need to provision their customers into JSM will need to:
1. Create a new group in their Identity Provider (Okta, Azure, etc)
2. Add everyone they want as a customer to this group.
3. Sync the group into Atlassian Cloud, setting it as an access group for the Jira Service Management - Customer application access.
- is related to
-
ACCESS-1767 Provisioning users with certain application access does not add them to the default access groups for that application
-
- Closed
-
-
- Gathering Interest
-
ENT-1999 Failed to load
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
-
-
-
-
- Wiki Page
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSDCLOUD-12954] Provisioned accounts should have Customer access by default
It's disappointing that this ticket is not being considered anymore. We've released an app to fix this issue, Admin Automation, and to solve other challenging and time consuming admin tasks. The app will sync users from any groups (e.g. a group from an IdP) into the default product access groups.
The two recommended options in this ticket are ok alternatives, but either:
- Don't grant the customer access until they try to get into the product the first time. Or,
- Don't use the default product access groups, requiring additional setup within your Jira instances to use the IdP groups and default product access groups.
Hopefully it can help some of the people on this thread!
-Kieren
Co-Founder @ Smol Software | Ex-Atlassian
Is there any update on this issue?
We are still needing to manually enable the Jira Service Management - Customer option for all new users.
Dear Ash Young,
thank you for updating this issue. Well, your first point - automatically add customers to the default customer group based on their domain, did not work in the last 14 months. Has this been fixed?
Chris