Restrict Service Desk Portal signup to a specific Domain

Hi all, we want to start using Service Desk.

We have ~1600 people in the company. Only the IT Department and a few others have Jira access (300 User License).

The other ~1300 should be able to request help via the customer portal. As we don't want to manage all "Portal only" users manually, we want to use the sign up functionality.

Problem:

Everyone can sign up there, which is something we don't want at all. So we want to restrict the signup to a specific email domain.

The general functionality is in the Jira admin section (Site Settings -> Self Signup)

But this doesn't affect the Customer Portal signup.

Does someone have an idea how to manage that?

Thanks in advance!

Best, Andre

3 answers

I recently fought a very similar problem, and was able to solve it with the Script Runner and the Script Listeners. I've posted the script I used to block a domain that was spamming us. I've also modified and tested the script to show how you can accomplish your goal of only allowing a certain domain.

  1. After installing, go to Admin Cog > Add-Ons > SCRIPTRUNNER category in left panel > Script Listeners
    1. https://yourServiceDesk/plugins/servlet/scriptrunner/admin/listeners
  2. Click Add New Item > Custom Listener
  3. Set Events to monitor UserCreatedEvent
  4. To block a certain domain
      import com.atlassian.jira.user.ApplicationUser
      import com.atlassian.crowd.model.user.User
      import com.atlassian.crowd.event.user.UserCreatedEvent
      import com.atlassian.jira.component.ComponentAccessor
      import com.atlassian.jira.bc.user.UserService

      // Catch the UserCreatedEvent and get the User
      def newUserEvent = event as UserCreatedEvent
      User newUser = newUserEvent.getUser()
      String email = newUser.getEmailAddress()

      // Define the domain you want to block
      String spamDomain = "@spam.xyz"

      if (email.toUpperCase().endsWith(spamDomain.toUpperCase())) {

          log.error "SPAMBOT DETECTED! " + email

          def userService = ComponentAccessor.getComponent(UserService)
          def userManager = ComponentAccessor.getUserManager()

          // Set the user account we want to run delete permissions with
          ApplicationUser runAsUser = userManager.getUserByKey("yourJiraAdminAccount")

          // Validate permissions. validateDeleteUser expects a username;
          // passing the email assumes the username is the email address.
          final UserService.DeleteUserValidationResult result = userService.validateDeleteUser(runAsUser, email)
          if (result.isValid()) {
              log.error "SPAMBOT REMOVAL VALID - $email"
              userService.removeUser(runAsUser, result)
              log.error "SPAMBOT REMOVAL SUCCESSFUL - $email"
          } else {
              log.error "REMOVAL INVALID - $email"
          }

      }
  5. To only allow a certain domain
      import com.atlassian.jira.user.ApplicationUser
      import com.atlassian.crowd.model.user.User
      import com.atlassian.crowd.event.user.UserCreatedEvent
      import com.atlassian.jira.component.ComponentAccessor
      import com.atlassian.jira.bc.user.UserService

      // Catch the UserCreatedEvent and get the User
      def newUserEvent = event as UserCreatedEvent
      User newUser = newUserEvent.getUser()
      String email = newUser.getEmailAddress()

      // Define the domain you want to allow
      String allowedDomain = "@safeDomain.com"

      if (!email.toUpperCase().endsWith(allowedDomain.toUpperCase())) {

          log.error "EXTERNAL ATTEMPT DETECTED! " + email

          def userService = ComponentAccessor.getComponent(UserService)
          def userManager = ComponentAccessor.getUserManager()

          // Set the user account we want to run delete permissions with
          ApplicationUser runAsUser = userManager.getUserByKey("yourJiraAdminAccount")

          // Validate permissions. validateDeleteUser expects a username;
          // passing the email assumes the username is the email address.
          final UserService.DeleteUserValidationResult result = userService.validateDeleteUser(runAsUser, email)
          if (result.isValid()) {
              log.error "EXTERNAL ATTEMPT REMOVAL VALID - $email"
              userService.removeUser(runAsUser, result)
              log.error "EXTERNAL ATTEMPT REMOVAL SUCCESSFUL - $email"
          } else {
              log.error "EXTERNAL ATTEMPT REMOVAL INVALID - $email"
          }

      }
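
The domain decision from the listener above, pulled out as a standalone function so it can be exercised outside Jira; this is an added example, not part of the original answer or of ScriptRunner. It goes beyond the single-domain `endsWith` check: it takes a set of allowed domains, compares the part after the `@` exactly, and treats a missing or malformed address as not allowed. The function name `allowedDomainOf` and every sample address are constructed for illustration.

```groovy
// Added example: the listener's domain decision as a standalone function.
// allowedDomainOf and all sample addresses below are constructed for illustration.

/**
 * Returns the lower-cased domain of the address if it is on the allow-list,
 * otherwise null (missing, malformed or foreign address).
 * Entries in allowedDomains must be lower-case and written without the '@'.
 */
String allowedDomainOf(String email, Set<String> allowedDomains) {
    if (email == null) {
        return null
    }
    // Locale.ROOT keeps case folding independent of the server's locale.
    String normalised = email.trim().toLowerCase(Locale.ROOT)
    int at = normalised.lastIndexOf('@')
    // Require exactly one '@' with text on both sides of it.
    if (at <= 0 || at != normalised.indexOf('@') || at == normalised.length() - 1) {
        return null
    }
    // Compare the whole domain part, so neither a look-alike suffix nor an
    // unlisted subdomain passes.
    String domain = normalised.substring(at + 1)
    return allowedDomains.contains(domain) ? domain : null
}

// Constructed allow-list: one entry per customer domain.
Set<String> allowed = ['safedomain.com', 'companyname1.com'] as Set

// Accepted: case and surrounding whitespace do not matter.
assert allowedDomainOf('User@SafeDomain.com', allowed) == 'safedomain.com'
assert allowedDomainOf('  user@companyname1.com ', allowed) == 'companyname1.com'

// Rejected: allowed name used as a prefix of a foreign domain.
assert allowedDomainOf('user@safedomain.com.evil.example', allowed) == null
// Rejected: subdomain that is not itself on the list.
assert allowedDomainOf('user@mail.safedomain.com', allowed) == null
// Rejected: more than one '@', no '@', empty local part, no address.
assert allowedDomainOf('a@b@safedomain.com', allowed) == null
assert allowedDomainOf('safedomain.com', allowed) == null
assert allowedDomainOf('@safedomain.com', allowed) == null
assert allowedDomainOf(null, allowed) == null

println 'all domain checks passed'
```

In the listener, the `if` condition would become `allowedDomainOf(email, allowed) == null`, with the delete logic unchanged.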

Hi Patrick,

This script works fine. But it is not showing any warning/error message on screen if any user tries to sign up from a domain other than the allowed domains. Could you please help us to add that message in the script?

Santosh,

I wish I could be of more assistance, but I have not looked into how to pass feedback to the browser. Since my use case was blocking spam, I actually didn't want any feedback given.

Good luck,

Patrick

Patrick,

This helps. But what if a user signs up with the expected domain and a fake email ID, like falsemailid@SafeDomain.com?

Is there any way we can have a verification for this?

Thanks.

Santhosh,

To accomplish that there would need to be a way to validate the email address with an API (there are several available, I've never used any), and then integrate that with the GroovyScript (there's probably a way) to give feedback.

Because the domain is trusted / configured in the script, you would have to rely on something external to JIRA to validate the address is truly a real email. The exception to that is if you have a full list of valid email addresses available to JIRA (via something like LDAP integration, SQL Server view, etc).

+1 vote.  We need this flexibility, as we are providing support via JSD to 3 large companies that are competitors of each other, and the TIME it takes to allow 1 user at a time per JSD project is crippling.

If we could allow access to JSD portal by group / domain name, i.e. @companyname1.com vs @Company_name_2.com, this would make much more sense.

0 votes
Jack Community Leader Apr 25, 2018

Unless something has changed, for which I would be pleasantly surprised, this is not possible. The best thing to do is to add the customers manually. If you can generate a CSV of the users' emails you can copy and paste into the "add customers" input area.

Hi Jack,

Thanks for the quick answer!

Do you know if connecting our Jira via SAML (see picture) would have an effect on the service portal signup?

Thanks in advance!

Best, Andre

Mohammed Amine Community Leader Jul 19, 2018

Any feedback on using SAML? Does it solve your problem?

Kind regards

SAML works for the domain users, which is great. But still allows non-domain users to log in.

This seems like a pretty simple request for Atlassian: just a whitelist for new accounts and trigger an error if they don't match a domain. I 
