I have Confluence configured to use JIRA as its user repository.
Observation: All users in the JIRA repository appear to be allowed to log in to Confluence, though they don't have rights to see anything by default.
Desire: I would like to prevent anyone not explicitly granted login permission from logging in. Is this possible?
Yes. Go to global permissions in both JIRA and Confluence and look at the "can use" permission - that determines what groups can log into each of them.
I suspect you will find it names "jira-users" in both - you'll want to remove that from confluence and replace it with a group such as "confluence users".
I'm not seeing what you describe. In Jira I have these relevant groups configured: jira-users (3 users), jira-administrators (1 user), confluence-users (0 users), and confluence-administrators (0 users). In Confluence I have one user ("admin") assigned to the confluence-administrators and confluence-users group. Looking at the global permissions page in Confluence, only the confluence-administrators and confluence-users groups have "can use" checked. Individual users and anonymous users are not given access. However, any user in the Jira directory is being allowed to log in to Confluence. They see a page that says "You are not permitted to perform this operation.", though they ARE logged in. I'm concerned that this will waste one of my user licenses in Confluence.
The login date is not that important, and it happens even when you don't have access. If you try to log in (and that can be from an addon or linked page), if it finds you in the directory, it's a login, even if it then goes on to say "ah, but you can't actually use me". Bit of a pain to be honest.

The thing to check is the number of active users in each system - if you look at the system info page it should tell you how many *active* users you have. When you're counting these, bear in mind the rules:

- It *is* "this user can log in"
- It de-duplicates accounts - if you are in three groups that allow login for some reason, then you will only count once
- Inactive users can be flagged in the user maintenance, but still appear in the login groups
- "can use" is the most important permission, but *admin* users can always log in too, and hence they always count. Even if they don't exist in the users group, they can log in.

I would expect your JIRA to show 3 users (I am assuming that your admin is in both jira-administrators and jira-users) and Confluence to show just 1.
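The counting rules from the answer above, modelled as an added example that is not part of the original thread and is not Atlassian code. The user names `alice` and `bob` are constructed, and treating flagged-inactive accounts as not counted is an assumption based on the answer's reference to *active* users.

```python
def licensed_users(group_members, can_use_groups, admin_groups, inactive=()):
    """Accounts that count toward the licence: members of any group holding
    "can use" or admin permission, de-duplicated, minus inactive accounts."""
    counted = set()
    for group in set(can_use_groups) | set(admin_groups):
        counted |= set(group_members.get(group, ()))
    return counted - set(inactive)


def login_only_users(directory_users, counted, inactive=()):
    """Accounts found in the directory (so a login succeeds) that hold no
    "can use" or admin permission and therefore do not count."""
    return set(directory_users) - set(counted) - set(inactive)


# Constructed data mirroring the thread: a JIRA directory with three users,
# one of whom is the administrator.
DIRECTORY = {"admin", "alice", "bob"}
GROUPS = {
    "jira-users": {"admin", "alice", "bob"},
    "jira-administrators": {"admin"},
    "confluence-users": {"admin"},
    "confluence-administrators": {"admin"},
}

JIRA_COUNTED = licensed_users(
    GROUPS, can_use_groups=["jira-users"], admin_groups=["jira-administrators"])
CONFLUENCE_COUNTED = licensed_users(
    GROUPS,
    can_use_groups=["confluence-users", "confluence-administrators"],
    admin_groups=["confluence-administrators"])
CONFLUENCE_LOGIN_ONLY = login_only_users(DIRECTORY, CONFLUENCE_COUNTED)

if __name__ == "__main__":
    print("JIRA licence count:      ", len(JIRA_COUNTED))
    print("Confluence licence count:", len(CONFLUENCE_COUNTED))
    print("Can log in to Confluence but not use it:",
          sorted(CONFLUENCE_LOGIN_ONLY))
```

Comparing the counted set against the full directory is a quick access review: anyone in the login-only set can authenticate but holds no permission, and anyone unexpectedly in the counted set got there through a group with "can use" or admin rights.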