Limit application license count to specific Crowd groups

We've recently installed Crowd in our Test environment, which has Bitbucket (BB), JIRA, and Confluence.  We've created a Delegated AD directory in Crowd, and we can manually add AD/LDAP-based users to that Directory.  We'd like to use this Directory for ALL of the apps, so we only have to create users in one Directory, and so that groups are consistent across all apps.

We added 12 users to Crowd, and put all of them into a "bitbucket-users" group.

We created an Application for BB in Crowd, and configured it so that only members of the bitbucket-users group can log into the Application.  We then linked BB to this Crowd Directory/Application, and the users can login.  Removing a user from the bitbucket-users group (and re-sync'ing the Dir inside BB) prevents the user from logging in.  Up that point, everything seemed to work exactly as as wanted.

However, after removing some users from the bitbucket-users group as described above, the BB license count does NOT go down.  Since BB can see the whole Crowd Directory (12 users), it's assigning licenses to all 12 of them.  However, only 10 of them can login, after removing 2 of them from the bitbucket-users group.

We need BB to only consume 10 licenses (the # of users in the bitbucket-users group, i.e., the # of users who can actually login), and to NOT consume a license for every user in the Directory.  We have 250 BB licenses, and 2000 Confluence licenses, but if we add our 2000 Confluence users to the same Directory (using different groups), BB will still see those 2000 users and we'll be over our license limit.

I'm hoping that I'm missing something, but if not, I see some options, none of which I love:

  1. Create separate Directories, one per Application, but this means duplicating users in different Directories
  2. Stop using the Delegated AD type of Directory, and switch to something like an AD "connector", and specify a custom LDAP query, but this means that we need to move our group management to AD/Outlook (would rather do it in Crowd), and it still means a separate Directory for each Application.

is there anything I'm missing, or better ways to do this?  How do others setup their Crowd Directories and Applications?




1 answer

1 accepted

0 votes
Accepted answer
Lukasz Pater Atlassian Team May 30, 2016

Hi James,

Currently the list of groups defined for the application in Crowd limits which users can authenticate, but doesn't impact synchronisation (i.e. all users and groups from the directories assigned to the application will be synchronised). There's a feature request to change this behaviour here. Please have a look, vote for it and comment with your use case.

In the interim you should be able to keep using a shared directory by making sure that only the 'bitbucket-users' group has the 'Bitbucket User' global permission in Bitbucket Server. This will cause only users that are members of that group to consume a license in Bitbucket, while other users will not. See here for more details on configuring global permissions in Bitbucket Server.

Thanks, you're right.  I wasn't watching the "Bitbucket User" global permission closely enough.  Several of the folks I was removing from the bitbucket-users group were also directly in the "Bitbucket User" global permissions as admins, so removing them from the group was not affecting the license count since they still had global permissions.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 06, 2018 in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

1,907 views 7 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you