I have Confluence configured to use JIRA as it's user repository.
Observation: All users in the JIRA repository appear to be allowed to log in to Confluence, though they don't have rights to see anything by default.
Desire: I would like to prevent anyone not explicitly granted login permission from logging in. Is this possible?
Yes. Go to global permissions in both JIRA and Confluence and look at the "can use" permission - that determines what groups can log into each of them.
I suspect you will find it names "jira-users" in both - you'll want to remove that from confluence and replace it with a group such as "confluence users"
I'm not seeing what you describe. In Jira I have these relevant groups configured: jira-users (3 users), jira-administrators (1 user), confluence-users (0 users), and confluence-administrators (0 users). In Confluence I have one user ("admin") assigned to the confluence-administrators and confluence-users group. Looking at the global permissions page in Confluence, only the confluence-administrators and confluence-users groups have "can use" checked. Individual users and anonymous users are not given access. However, any user in the Jira directory is being allowed to log in to Confluence. They see a page that says "You are not permitted to perform this operation.", though they ARE logged in. I'm concerned that this will waste one of my user licenses in Confluence.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
If I look at the user who logged in I can see their Last Login date is just a few moments ago, even though they shouldn't have access to Confluence.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
The login date is not that important, and it happens even when you don't have access. If you try to log in (and that can be from an addon or linked page), if it finds you in the directory, it's a login, even if it then goes on to say "ah, but you can't actually use me". Bit of a pain to be honest. The thing to check is the number of active users in each system - if you look at the system info page it should tell you how many *active* users you have. When you're counting these, bear in mind the rules: - It *is* "this user can log in" - It de-duplicates accounts - if you are in three groups that allow login for some reason, then you will only count once - Inactive users can be flagged in the user maintenance, but still appear in the login groups - "can use" is the most important permission, but *admin* users can always log in too, and hence they always count. Even if they don't exist in the users group, they can log in. I would expect your JIRA to show 3 users (I am assuming that your admin is in both jira-administrators and jira-users) and Confluence to show just 1.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Yea, I confirmed the license usage is being reported as I'd want it to be, so that's good. I just don't really like being able to log in when you can't really use the system. No access should literally mean no access.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.