Assign App Access to SCIM synced groups

spencmax May 27, 2025

I'm using SCIM to provision users and groups to my Identity Provider (with verified domain) in Atlassian. I'd like to grant app access to the synced groups, but I'm not seeing any way to do that. Is this possible?

Navigating to Security -> Identity Providers -> <my_idp> -> View Groups, I can see the groups I synced over for testing, but see no way to assign app access to them. Delete is the only option.

Screenshot 2025-05-27 at 6.05.22 PM.png

 

If I go to Directory -> Groups, the synced groups are not shown there, so from this view I'm only able to add app access to non-synced groups.

Screenshot 2025-05-27 at 6.06.43 PM.png

I also thought the Apps page might allow what I'm attempting, but that doesn't work either. Only non-synced groups show in the dropdown when adding a group to an app. Using my Bitbucket app as an example and clicking `Add Groups`: 

Screenshot 2025-05-27 at 6.11.00 PM.png

 

How can I add group access to my IdP synced groups (e.g. 'another atlassian group') in the same way I'm able to add them to non-synced groups?

2 answers

1 accepted

2 votes
Answer accepted
spencmax June 6, 2025

After reaching out to support, this was confirmed to be an existing, known bug. Groups created via the SCIM API will not display on the Directory -> Groups page nor the 'Add groups' dropdown for apps if all apps in the organization are "siteless."

The workarounds are:

  • Add at least one sited product (e.g. Jira Software, Statuspage), or
  • Contact Atlassian Support to enable SCIM for a siteless organization

In my case, I initially only had Bitbucket (siteless). I added Statuspage and then SCIM-created groups began appearing in all the expected places. 

 

Kieren _SmolSoftware_
Rising Star
June 7, 2025

Nice work!

0 votes
Kieren _SmolSoftware_
Atlassian Partner
May 27, 2025

Hi @spencmax 

From what I can see, it looks like you're doing all the right things. The SCIM groups should show up in your Groups list, and they should be available to add to your apps.

Can you look at the Identity Provider status page and tell us what you see? Here's an example of mine. Do the logs indicate that a successful sync has already occurred?

Screenshot 2025-05-28 at 11.24.53 am.png

spencmax May 27, 2025

Hi, Kieren!

 

Thanks for the response! A screenshot of my identity provider page is below. A couple additional details I should have mentioned prior, just in case they're relevant:

More notably, it seems like provisioning works a bit differently in my setup than what's in your screenshot. Yours has text stating "Users sync every 4 hours," which implies a "pull" from Google to Atlassian, initiated by Atlassian. In my case, there is no scheduled sync, but rather my app pushes updates to Atlassian on-demand, and there is no scheduled sync time. I'm not sure if any of that makes a difference to expected behavior in the UI.

 

Note: the error count shown for provisioning in the IdP screenshot page can be ignored. That's expected due to me testing various scenarios with my application's API calls.

Screenshot 2025-05-27 at 8.45.11 PM.png

Screenshot 2025-05-27 at 8.43.24 PM.png

spencmax May 27, 2025

I should add, regarding my statement:

Yours has text stating "Users sync every 4 hours," which implies a "pull" from Google to Atlassian, initiated by Atlassian.

this is just a guess on my part. Looking at Google's documentation for the integration, it does seem they push updates to Atlassian on-demand as well.

https://support.google.com/a/answer/9288575?hl=en

Kieren _SmolSoftware_
Atlassian Partner
June 1, 2025

I've never tried it using the SCIM APIs, sorry.

Do you have the logs from the APIs? I assume they were successful?

spencmax June 2, 2025

Correct, the group provisioning was successful. From the audit logs:

Screenshot 2025-06-02 at 3.36.32 PM 1.png

Screenshot 2025-06-02 at 3.37.07 PM.png

spencmax June 2, 2025

Inspecting network traffic when viewing each page, I can see that the Directory -> Groups page calls this to fetch the groups to display:

/gateway/api/adminhub/um/org/<org_id>/groups?count=20&start-index=1

While the Security -> Identity Provider -> my_idp -> View Groups page instead calls:

/gateway/api/adminhub/external-directory/manage-directory/<idp_id>/synced-group-memberships?startIndex=1&count=20

 

I know that doesn't really mean much on its own, but given the groups seem to come from different API handlers for the Atlassian admin UI, it makes me wonder if groups created via SCIM API are not expected to be visible in the rest of the admin portal and cannot be used to assign app access. 

Kieren _SmolSoftware_
Atlassian Partner
June 3, 2025

The Group page and the IDP management pages were built by completely different teams, on different databases, so it's reasonable that they have different API calls.

Given the audit logs show the group was created, and you're unable to see the group in your Group List, I'd suggest contacting Atlassian support for more help. Sorry the community couldn't solve this one, but report back if you get an answer!

 

spencmax June 6, 2025

Confirmed to be a bug! Additional details in the answer I added. Thank you again for your help and for the suggestion to contact support.
