
How to Filter Users When Using Active Directory

We are going to be switching to Active Directory to manage our Confluence users.  Is there a way to filter users?  We don't want everyone in Active Directory to have access to the wiki.

Regards,

Kay

4 answers

1 accepted

0 votes
Answer accepted
Davin_Studer Community Leader May 16, 2016

In the LDAP setup under "User Schema Settings" you would specify an LDAP query in the "User Object Filter" field. It could be something like this ...

(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=yourSubfolder,OU=yourFolder,DC=yourdomain,DC=com))

The above query would return users that are classified in LDAP as a "Person", aren't disabled, and are part of the confluence-users group in LDAP.

Hi Davin,

I am sorry, I am probably not being very clear.  I don't want everyone that is listed in Active Directory to become a member of the confluence-users group.

Regards,

Kay

Davin_Studer Community Leader May 17, 2016

The filter will not make everyone a member of the confluence-users group. The filter below will instruct Confluence to only sync users who are members of the confluence-users group into Confluence. That is just an example of how to do it and happens to be how we do it in my organization.

0 votes
Davin_Studer Community Leader Dec 02, 2019

This is how we set up our Confluence and Jira instances to work with AD. We have an OU in AD for all our Confluence groups and another one for our Jira groups. The group names all start with "confluence-" or "jira-" respectively. For the AD group and user filters we set them up this way.

User Object Filter

(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU=Path,OU=To,OU=Group,DC=domain,DC=dom))

The above filter will only pull in users that have an enabled account and are part of the confluence-users group. For Jira you would change the group name to jira-core-users or jira-software-users depending on which you have. The userAccountControl portion is how it limits to only enabled accounts. The memberOf portion is where we specify to only bring in people that are members of the confluence-users group. You would need to change the filter to represent the distinguishedName of your confluence-users group. So, basically this group is what gets you access to Confluence. This group is only used for that purpose. It is not used for space permissions or page restrictions. It is simply the group that is used to say that you can log into Confluence and consume a license. Then in Confluence Administration -> Users & Security -> Global Permissions we set up the global permissions like this.

[image.png]

Group Object Filter

(&(objectCategory=Group)(sAMAccountName=confluence-*))

This filter says to simply look through AD and pull in any group that starts with confluence-. For Jira the filter says jira-* instead. This will pull all your Confluence/Jira AD groups into Confluence and Jira and you can then use them for permissions to spaces and page restrictions or projects for Jira.

I would recommend whenever you do permissions in Confluence and Jira (unless you are a super small shop ... even then maybe) to never give permissions to people. Instead give permissions to groups and then assign people to the groups ... even if there is only one person in the group. This helps to future-proof your permissions. Eventually those employees will quit and it is a pain to have to hunt down all the spaces, pages, and projects they were assigned to and remove those permissions. It is way easier to just simply remove someone's group permissions. Besides, what if you miss something and re-hire that person to a different position and didn't get rid of all the old permissions? They may have access to stuff that they should not. So, I ALWAYS recommend assigning permissions to groups, not people.
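Added example (not part of the original thread and not Atlassian's code): a small Python evaluator for the User Object Filter and Group Object Filter quoted above, run against a constructed directory to show which accounts and groups each filter would sync. The DNs, account names and the `parse`, `matches`, `user` and `select` helpers are assumptions made for illustration; only the bitwise-AND matching rule and `*` wildcards are implemented.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the thread's filter
USERS_DN = "CN=confluence-users,OU=Groups,DC=example,DC=com"  # constructed DN
USER_FILTER = f"(&(objectCategory=Person)(!(userAccountControl:{BIT_AND}:=2))(memberOf={USERS_DN}))"
GROUP_FILTER = "(&(objectCategory=Group)(sAMAccountName=confluence-*))"

def parse(f, i=0):  # parse the filter starting at f[i] == "("; return (node, next index)
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    return ("item", *f[i:end].split("=", 1)), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: lowercase attribute -> values)."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    name, _, rule = node[1].partition(":")
    values, want = entry.get(name.lower(), []), node[2]
    if rule:  # extensible match; only the bitwise-AND rule is handled here
        return any((int(v) & int(want)) == int(want) for v in values)
    pattern = ".*".join(re.escape(part) for part in want.split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)

def user(name, uac, groups):
    return {"samaccountname": [name], "objectcategory": ["Person"],
            "useraccountcontrol": [str(uac)], "memberof": groups}

ENTRIES = [  # constructed sample directory; objectCategory shortened to its common name
    user("alice", 512, [USERS_DN]),  # enabled, direct member
    user("bob", 514, [USERS_DN]),    # 514 = 512 | 2 (ACCOUNTDISABLE): disabled
    user("carol", 512, []),          # enabled, not in the group
    user("dave", 512, ["CN=confluence-editors,OU=Groups,DC=example,DC=com"]),  # nested only
] + [{"samaccountname": [g], "objectcategory": ["Group"]}
     for g in ("confluence-users", "confluence-editors", "jira-software-users")]

def select(filter_text, entries=ENTRIES):
    """Return the sAMAccountName of every entry the filter would sync."""
    node, _ = parse(filter_text)
    return [e["samaccountname"][0] for e in entries if matches(node, e)]

print("users:", select(USER_FILTER), "groups:", select(GROUP_FILTER))
```

`dave` is left out because `memberOf` lists only direct group memberships, so a user who reaches confluence-users through a nested group is not synced by this filter. Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (`memberOf:1.2.840.113556.1.4.1941:=<group DN>`) is the matching rule that follows nesting, if that is the intent.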
