Provisioning users and groups
5 min
Advanced
By the end of this lesson, you'll be able to:
- Enable user and group provisioning
- Provision users and groups
Enable user provisioning in your organization
Before you can provision users and groups, you have to set up Atlassian Guard and your IDP to communicate with each other.
To enable user provisioning:
- Go to admin.atlassian.com and select your organization.
- Under the Security tab, select the Identity providers tab.
- Select the user directory for user provisioning.
- In the User provisioning section, select Set up provisioning.
- Copy the provided SCIM base URL and API key to your identity provider.
- Configure the provisioning from the identity provider to Atlassian Guard, making sure to enable creating users in Atlassian Cloud when they are created in the identity provider.
- Save your SCIM configuration.
If there is no identity provider, you can create one by selecting Add identity provider in the Identity providers tab under the Security tab.
Provisioning users
Once your IDP is connected to your service provider (Atlassian Guard), you can create new users in your IDP and they will automatically get access to your Atlassian Cloud applications and any other applications your IDP communicates with.
To provision users from an identity provider:
- Go to your identity provider.
- Create a new user account associated with the Atlassian cloud application on your identity provider.
- Sync users for the Atlassian cloud application.
- Go back to the admin hub and under the Directory tab, select the Users tab.
- Verify the new user has been added to your organization.
Provisioning groups
You can create groups in your IDP and use them with service providers like Atlassian Guard.
The best practice is to grant access to applications through groups so you can control application access straight from your identity provider. When you add users to groups or remove them from groups, you grant or revoke their access to applications.
👉 For example: The engineering group may have access to Jira in the Atlassian Cloud, but can also access other development tools.
To provision groups from an identity provider:
- Go to your identity provider.
- Go to the Atlassian cloud application that you created on your identity provider and linked to Atlassian Guard.
- Select a group and synchronize it or Push it to the Atlassian cloud application.
- Switch back to the admin hub and under the Security tab, go to the Identity providers tab.
- Under Synced groups, select View groups.
- Verify the newly pushed groups are listed.
One benefit of using identity providers is the ability to create groups with access to all the necessary applications. This means that creating users in your identity provider and assigning them to groups will automatically grant them application access.
Deactivate users from your IDP
As part of the offboarding process in your company, you might need to deactivate users. The IT team can do this from the identity provider to reduce the load of tasks on org admins.
To deactivate a user straight from your identity provider:
- Find and deactivate the user in your identity provider.
- Go to admin.atlassian.com and select your organization.
- Under the Directory tab, go to Users.
- Verify the user no longer has access to your organization. The user should not appear in the user list.
You can follow the same steps to reactivate the user.
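The verification steps in this lesson can be automated by reconciling the IdP's user list against a SCIM 2.0 user listing from the provisioned directory. The following is an added example, not part of the original lesson or Atlassian's tooling. It assumes the listing follows the standard RFC 7644 ListResponse shape; the sample data is constructed, and `reconcile` and its finding names are hypothetical.

```python
# Constructed sample data (not real accounts). IDP_USERS is the IdP's view of
# users assigned to the Atlassian cloud application.
IDP_USERS = {
    "alice@example.com": {"active": True},
    "Bob@example.com": {"active": False},   # deactivated during offboarding
    "carol@example.com": {"active": True},  # created, but not yet synced
}

# Constructed SCIM 2.0 user listing in the RFC 7644 ListResponse shape.
SCIM_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"userName": "alice@example.com", "active": True},
        {"userName": "bob@example.com", "active": True},
        {"userName": "dave@example.com"},  # no "active" attribute returned
    ],
}


def reconcile(idp_users, scim_response):
    """Compare IdP state with the provisioned directory and return drift."""
    resources = scim_response.get("Resources", [])
    # A partial page would silently hide accounts, so refuse to judge on it.
    if scim_response.get("totalResults", len(resources)) > len(resources):
        raise ValueError("listing is paginated; fetch all pages first")
    idp = {name.lower(): u["active"] for name, u in idp_users.items()}
    # Treat a missing "active" flag as active so it cannot mask an account.
    directory = {r["userName"].lower(): r.get("active", True) for r in resources}
    findings = {"still_active": [], "unmanaged": [], "not_provisioned": []}
    for name, active in directory.items():
        if not active:
            continue
        if name not in idp:
            findings["unmanaged"].append(name)      # never came from the IdP
        elif not idp[name]:
            findings["still_active"].append(name)   # offboarding did not sync
    for name, active in idp.items():
        if active and not directory.get(name, False):
            findings["not_provisioned"].append(name)
    return {kind: sorted(names) for kind, names in findings.items()}


if __name__ == "__main__":
    for kind, names in reconcile(IDP_USERS, SCIM_LIST_RESPONSE).items():
        print(f"{kind}: {names}")
```

A non-empty `still_active` list after offboarding means the deactivation has not reached the directory yet and the sync should be checked.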