It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Limit application license count to specific Crowd groups

James Tuttle May 25, 2016

We've recently installed Crowd in our Test environment, which has Bitbucket (BB), JIRA, and Confluence.  We've created a Delegated AD directory in Crowd, and we can manually add AD/LDAP-based users to that Directory.  We'd like to use this Directory for ALL of the apps, so we only have to create users in one Directory, and so that groups are consistent across all apps.

We added 12 users to Crowd, and put all of them into a "bitbucket-users" group.

We created an Application for BB in Crowd, and configured it so that only members of the bitbucket-users group can log into the Application.  We then linked BB to this Crowd Directory/Application, and the users can login.  Removing a user from the bitbucket-users group (and re-sync'ing the Dir inside BB) prevents the user from logging in.  Up that point, everything seemed to work exactly as as wanted.

However, after removing some users from the bitbucket-users group as described above, the BB license count does NOT go down.  Since BB can see the whole Crowd Directory (12 users), it's assigning licenses to all 12 of them.  However, only 10 of them can login, after removing 2 of them from the bitbucket-users group.

We need BB to only consume 10 licenses (the # of users in the bitbucket-users group, i.e., the # of users who can actually login), and to NOT consume a license for every user in the Directory.  We have 250 BB licenses, and 2000 Confluence licenses, but if we add our 2000 Confluence users to the same Directory (using different groups), BB will still see those 2000 users and we'll be over our license limit.

I'm hoping that I'm missing something, but if not, I see some options, none of which I love:

  1. Create separate Directories, one per Application, but this means duplicating users in different Directories
  2. Stop using the Delegated AD type of Directory, and switch to something like an AD "connector", and specify a custom LDAP query, but this means that we need to move our group management to AD/Outlook (would rather do it in Crowd), and it still means a separate Directory for each Application.

is there anything I'm missing, or better ways to do this?  How do others setup their Crowd Directories and Applications?




1 answer

1 accepted

0 votes
Answer accepted
Lukasz Pater Atlassian Team May 30, 2016

Hi James,

Currently the list of groups defined for the application in Crowd limits which users can authenticate, but doesn't impact synchronisation (i.e. all users and groups from the directories assigned to the application will be synchronised). There's a feature request to change this behaviour here. Please have a look, vote for it and comment with your use case.

In the interim you should be able to keep using a shared directory by making sure that only the 'bitbucket-users' group has the 'Bitbucket User' global permission in Bitbucket Server. This will cause only users that are members of that group to consume a license in Bitbucket, while other users will not. See here for more details on configuring global permissions in Bitbucket Server.

James Tuttle May 31, 2016

Thanks, you're right.  I wasn't watching the "Bitbucket User" global permission closely enough.  Several of the folks I was removing from the bitbucket-users group were also directly in the "Bitbucket User" global permissions as admins, so removing them from the group was not affecting the license count since they still had global permissions.

Suggest an answer

Log in or Sign up to answer
This widget could not be displayed.
This widget could not be displayed.
Community showcase
Published in Bitbucket Pipelines

Building a Bitbucket Pipe as a casual coder :  #!/bin/bash source "$(dirname "$0")/" enable_debug extra_args="" if [[ "${DEBUG}" == "true" ]]; then extra_args="--verbose" fi # mandatory variables R...

1,865 views 1 19
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you