Since migrating to SSO, new users are no longer added to our jira-users and confluence-users groups. Instead, users are added to groups synced from our IdP. We have replicated global permissions, Jira permission schemes and space permissions and added the groups to product access, but it is not possible to switch default access groups from the product permissions admin page. The option is not available and the tooltip says: "this is a read only group and cannot be set as default", so I have two questions:
1. Is it possible to change default access groups to a synced group and if so how?
2. Given that permissions and access are aligned with the default access groups, what difference does it make to change default access group? (bearing in mind that new users aren't automatically added to the group by our IdP)
FYI: We never did get an answer to this question.
Here's what we did:
First, we gave the appropriate managed groups product access.
Then we added the new managed groups to space defaults (Confluence) and permission schemes where jira-users had been used (for Jira) - leaving the jira-users and confluence-users in place in the short term.
After that, we stopped adding people to jira-users and confluence-users. We had a slow trickle of calls for people who couldn't get access. In every case - this meant a specific project or space hadn't been updated so we fixed the space in question.
We never got hit with too many calls and over time the calls stopped with the new groups being key and the jira-users and confluence-users being legacy.
A few gotchas:
* Personal spaces - we fixed up team space permissions reasonably quickly, but personal spaces were not accessible by default for the admin group.
* Jira group permissions - this needs to be done on a project by project basis. It's OK to update permission schemes, but project roles are often granted to groups such as jira-users.
* Service accounts - for our IdP we only had human accounts, so service accounts are not managed and are still in jira-users and confluence-users. If you want to clean out these groups, be careful. Also, the groups remain default.
I'm sure there is a better solution, but having migrated over and with no obvious alternative, this worked out OK for us in the end. It meant no big-bang transition and a very slow move to the new process, but all our users are now automatically synced and we have very little account management to worry about.
Additionally, the text on the right reads: "When a user is granted access to a product, they will be added to the products default access group."
This makes it sound like when a user is synced down from the IdP, Atlassian is supposed to add them automatically to jira-users and confluence-users. But this is also not happening for us.
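An added example, not part of the original thread and not Atlassian's own code: one way to find, ahead of the support calls, the permission-scheme grants and project roles that still depend on a legacy group with no IdP-synced group beside it. The group name `idp-jira-staff` is hypothetical, and the sample JSON is constructed, assumed to follow the shape of the Jira Cloud REST responses for permission schemes and project role actors.

```python
import json

LEGACY = {"jira-users"}
MANAGED = {"idp-jira-staff"}  # hypothetical IdP-synced group name

# Constructed sample, shaped like GET /rest/api/3/permissionscheme?expand=permissions
SCHEMES = json.loads("""
{"permissionSchemes": [
  {"name": "Default software scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-users"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "idp-jira-staff"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "group", "parameter": "jira-users"}}
  ]},
  {"name": "Finance scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}}
  ]}
]}
""")

# Constructed sample: role actors collected per project, shaped like
# GET /rest/api/3/project/{key}/role/{id}
ROLES = json.loads("""
{"FIN": [{"name": "Users", "actors": [
    {"type": "atlassian-group-role-actor", "name": "jira-users"}]}],
 "OPS": [{"name": "Users", "actors": [
    {"type": "atlassian-group-role-actor", "name": "jira-users"},
    {"type": "atlassian-group-role-actor", "name": "idp-jira-staff"}]}]}
""")

def unmigrated_scheme_grants(doc, legacy=LEGACY, managed=MANAGED):
    """(scheme, permission) pairs held by a legacy group but by no managed group."""
    holders = {}
    for scheme in doc.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            h = grant.get("holder", {})
            if h.get("type") == "group":
                key = (scheme["name"], grant["permission"])
                holders.setdefault(key, set()).add(h.get("parameter"))
    return sorted(k for k, g in holders.items() if g & legacy and not g & managed)

def unmigrated_role_grants(roles, legacy=LEGACY, managed=MANAGED):
    """(project, role) pairs whose group actors include a legacy group but no managed one."""
    out = []
    for project, role_list in roles.items():
        for role in role_list:
            groups = {a.get("name") for a in role.get("actors", [])
                      if a.get("type") == "atlassian-group-role-actor"}
            if groups & legacy and not groups & managed:
                out.append((project, role["name"]))
    return sorted(out)
```

Every pair returned is a place where a user who exists only in the synced group would be denied access, which is the case the reply describes fixing one project at a time.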