How to Filter Users When Using Active Diredctory
4 answers
1 accepted
This is how we set up our Confluence and Jira instances to work with AD. We have an OU in AD for all our Confluence groups and another one for our Jira groups. The group names all start with "confluence-" or "jira-" respectively. For the AD group and user filters we set them up this way.
User Object Filter
(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=Path,OU=To,OU=Group,DC=domain,DC=dom))
The above filter will only pull in users that have an enabled account and are part of the confluence-users group. For Jira you would change the group name to jira-core-users or jira-software-users depending on which you have. The userAccountControl portion is how it limits to only enabled accounts. The memberOf portion is where we specify to only bring in people that are members of the confluence-users group. You would need to the change the filter to represent the distinguishedName of your confluence-users group. So, basically this group is what gets you access to Confluence. This group is only used for that purpose. It is not used for space permissions or page restrictions. It is simply the group that is used to say that you can log into Confluence and consume a license. Then in Confluence Administration -> Users & Security -> Global Permissions we set up the global permissions like this.
(&(objectCategory=Group)(sAMAccountName=confluence-*))
This filter says to simply look through AD and pull in any group that starts with confluence -. For Jira the filter says jira-* instead. This will pull all your Confluence/Jira AD groups into Confluence and Jira and you can then use then for permissions to spaces and page restrictions or projects for Jira.
I would recommend whenever you do permissions in Confluence and Jira (unless you are a super small shop ... even then maybe) to never give permissions to people. Instead give permissions to groups and then assign people to the groups ... even if there is only one person in the group. This helps to future proof you permissions. Eventually those employees will quit and it is a pain to have to hunt down all the spaces, pages, and projects they were assigned to and remove those permissions. It is way easier to just simply remove someone's group permissions. Besides what if you miss something and re-hire that person to a different position and didn't get rid of all the old permissions? They may have access to stuff that they should not. So, I ALWAYS recommend assigning permissions to groups, not people.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.