We are going to be switching to Active Directory to manage our Confluence users. Is there a way to filter users? We don't want everyone in Active Directory to have access to the wiki.
In the LDAP setup under "User Schema Settings" you would specify an LDAP query in the "User Object Filter" field. It could be something like this ...
The above query would return users that are classified in LDAP as a "Person", aren't disabled, and are part of the confluence-users group in LDAP.
The filter will not make everyone a member of the confluence users group. The filter below will instruct confluence to only sync users who are members of the confluence-users group into Confluence. That is just an example of how to do it and happens to be how we do it in my organization.
This is how we set up our Confluence and Jira instances to work with AD. We have an OU in AD for all our Confluence groups and another one for our Jira groups. The group names all start with "confluence-" or "jira-" respectively. For the AD group and user filters we set them up this way.
User Object Filter
The above filter will only pull in users that have an enabled account and are part of the confluence-users group. For Jira you would change the group name to jira-core-users or jira-software-users depending on which you have. The userAccountControl portion is how it limits to only enabled accounts. The memberOf portion is where we specify to only bring in people that are members of the confluence-users group. You would need to change the filter to represent the distinguishedName of your confluence-users group. So, basically this group is what gets you access to Confluence. This group is only used for that purpose. It is not used for space permissions or page restrictions. It is simply the group that is used to say that you can log into Confluence and consume a license. Then in Confluence Administration -> Users & Security -> Global Permissions we set up the global permissions like this.
Group Object Filter
This filter says to simply look through AD and pull in any group that starts with confluence-. For Jira the filter says jira-* instead. This will pull all your Confluence/Jira AD groups into Confluence and Jira and you can then use them for permissions to spaces and page restrictions or projects for Jira.
I would recommend whenever you do permissions in Confluence and Jira (unless you are a super small shop ... even then maybe) to never give permissions to people. Instead give permissions to groups and then assign people to the groups ... even if there is only one person in the group. This helps to future-proof your permissions. Eventually those employees will quit and it is a pain to have to hunt down all the spaces, pages, and projects they were assigned to and remove those permissions. It is way easier to just simply remove someone's group permissions. Besides what if you miss something and re-hire that person to a different position and didn't get rid of all the old permissions? They may have access to stuff that they should not. So, I ALWAYS recommend assigning permissions to groups, not people.
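An added example, not part of either post above and not Atlassian's code: it builds a user and a group filter of the kind the answers describe (enabled accounts only, direct members of one access group, groups by name prefix) and previews which accounts the user filter would sync. The group DNs, the `objectCategory=Group` clause, and the sample entries are assumptions constructed for illustration.

```python
# Added example: DNs and directory entries below are constructed placeholders.
BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule OID
ACCOUNTDISABLE = 0x2                # userAccountControl bit set on disabled accounts

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter(group_dn):
    """Enabled person objects that are direct members of group_dn."""
    return "(&(objectCategory=Person)(!(userAccountControl:%s:=%d))(memberOf=%s))" % (
        BIT_AND, ACCOUNTDISABLE, escape_filter_value(group_dn))

def group_filter(prefix):
    """Groups whose cn starts with prefix, e.g. 'confluence-'."""
    return "(&(objectCategory=Group)(cn=%s*))" % escape_filter_value(prefix)

def would_sync(entry, group_dn):
    """Apply the same three conditions as user_filter() to one entry (a dict)."""
    enabled = not (int(entry["userAccountControl"]) & ACCOUNTDISABLE)
    # memberOf lists direct memberships only; nested groups do not match.
    member = group_dn.lower() in [dn.lower() for dn in entry.get("memberOf", [])]
    return entry.get("objectCategory") == "Person" and enabled and member

def preview(entries, group_dn):
    """Names of the accounts the user filter would bring into Confluence."""
    return [e["sAMAccountName"] for e in entries if would_sync(e, group_dn)]

GROUP_DN = "CN=confluence-users,OU=Confluence,DC=example,DC=com"  # placeholder DN
OTHER_DN = "CN=jira-core-users,OU=Jira,DC=example,DC=com"         # placeholder DN
SAMPLE = [  # constructed entries; objectCategory shown in its short form
    {"sAMAccountName": "alice", "objectCategory": "Person",
     "userAccountControl": "512", "memberOf": [GROUP_DN]},            # enabled, member
    {"sAMAccountName": "bob", "objectCategory": "Person",
     "userAccountControl": "514", "memberOf": [GROUP_DN]},            # disabled (512 + 2)
    {"sAMAccountName": "carol", "objectCategory": "Person",
     "userAccountControl": "512", "memberOf": [OTHER_DN]},            # not in the group
    {"sAMAccountName": "dave", "objectCategory": "Person",
     "userAccountControl": "66048", "memberOf": [OTHER_DN, GROUP_DN]},  # enabled, member
]

if __name__ == "__main__":
    print(user_filter(GROUP_DN))
    print(group_filter("confluence-"))
    print(preview(SAMPLE, GROUP_DN))
```

Running a preview like this against an export of the directory before saving the filter shows how many licenses the access group will consume and catches disabled accounts that are still group members.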