Add all users in X groups to jira-users

Stian Bentsen Sveen March 20, 2019

Hi,

We've set up a pretty rigid project access setup using security groups in AD.

All projects have a dedicated security group, "JIRA-Project-xxxx", that gives access to a specific project, and we also have some groups that have access to multiple projects (e.g. "JIRA-Group-IT"). But we also want all these users to automatically become members of jira-users, so I can handle application access by giving jira-users "JIRA Software" access and not have to give that to every single group I make. I also want to use jira-users for our PMO, since they want "any logged in user" to have access to their PMO project, which contains project statuses etc. for our business projects. The problem is, I can't delegate access to a project to "any logged in user" like I can with a filter or dashboard.

Also, I can't auto-add them to this group via user directories, as those sync a whole bunch of users who shouldn't have JIRA access (they are only synced to become customers in the Service Desk).

What I would have liked is to use e.g. ScriptRunner to create a scheduled job that runs every so often, gets the members of groups beginning with "JIRA-xxx", and incrementally adds them to jira-users automatically.

Is this possible or is there another way I can do this?

I can't be adding every new JIRA Software user manually to this group in addition to the security group for the project.

Any ideas are welcome.

Thanks!

Br,

Stian
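As an added example (not part of the original question, nor the solution the thread ends up with), here is what a ScriptRunner for Jira Server/Data Center scheduled job in Groovy along the lines of the question might look like. It walks every group whose name starts with a prefix, collects the active members, and adds those not already in a target group. The prefix "JIRA-", the target group "jira-users" and the DRY_RUN flag are assumptions taken from the question; it uses only the public GroupManager API. Two practitioner caveats: the target group must be one Jira can write to (an internal group, or a local group on a "Read only with local groups" directory), otherwise addUserToGroup throws OperationNotPermittedException; and the job is purely additive, so someone removed from a JIRA-Project-* group keeps jira-users membership, and hence application access, until that is revoked by some other process.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.security.groups.GroupManager
import com.atlassian.jira.user.ApplicationUser
import com.atlassian.crowd.embedded.api.Group

// Assumed values from the question; adjust to the real group naming scheme.
final String SOURCE_PREFIX = 'JIRA-'
final String TARGET_GROUP  = 'jira-users'
// Start with a dry run and read the log before letting the job write memberships.
final boolean DRY_RUN = true

GroupManager groupManager = ComponentAccessor.groupManager
Group target = groupManager.getGroup(TARGET_GROUP)
if (target == null) {
    throw new IllegalStateException("Target group '${TARGET_GROUP}' does not exist")
}

// Source groups: every group whose name starts with the prefix (group names in Jira
// are case-insensitive, so compare in lower case), excluding the target group itself.
List<Group> sourceGroups = groupManager.allGroups.findAll { Group g ->
    g.name.toLowerCase().startsWith(SOURCE_PREFIX.toLowerCase()) &&
    !g.name.equalsIgnoreCase(TARGET_GROUP)
}
log.info("Source groups: ${sourceGroups*.name}")

// Union of members across all source groups (a Set so nobody is processed twice).
Set<ApplicationUser> wanted = [] as Set
sourceGroups.each { Group g ->
    wanted.addAll(groupManager.getUsersInGroup(g))
}

int added = 0
wanted.each { ApplicationUser user ->
    if (!user.active) {
        return                                   // never (re)grant access to disabled accounts
    }
    if (groupManager.isUserInGroup(user, target)) {
        return                                   // already a member, nothing to do
    }
    log.info("${DRY_RUN ? 'Would add' : 'Adding'} ${user.username} to ${TARGET_GROUP}")
    if (!DRY_RUN) {
        // Throws OperationNotPermittedException if the target group lives in a
        // read-only directory, which is why the group should be internal/local.
        groupManager.addUserToGroup(user, target)
    }
    added++
}
log.info("Done: ${added} user(s) ${DRY_RUN ? 'would be' : 'were'} added to ${TARGET_GROUP}")
```

Paste this as a ScriptRunner scheduled job (Custom script) with a sensible interval, run it once with DRY_RUN set to true, check the "Would add" lines against the expected population, and only then flip the flag. Because the job only adds, pair it with a review of who should lose access, or keep revocation in AD via the separate-directory approach discussed in the answer.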


Answer accepted
Andy Heinzer
Atlassian Team
March 25, 2019

Hi,

The best way to approach this could require adjustments to both Jira and the structure of your AD/LDAP instance. The examples in How to write LDAP filters can be useful here. The ideal solution would be to use the matching components of distinguished names. However, our own KB notes that Active Directory specifically does not support this:

As Microsoft Active Directory does not implement extensible matching, the following examples won't work with it.

In your case, the ideal situation would be to have a parent group to all of the 'JIRA-Project-xxx' groups that exist.  In this way, you could then look at the nested group membership of this parent group and in turn assign application access on that one group.   

However, from what you have stated so far, I can't tell if your Active Directory structure is set up this way or not. This parent group should also be separated from any service desk-only users to avoid granting them application access when those unlicensed users are not expected to have this.

One way you might look into here would be to separate your user directories in Jira to create a completely separate user directory just for syncing in the Service Desk customers that you don't want to have other application access.  This would at least allow you to create more specific LDAP filters in the user directory settings in Jira.

This would then potentially allow you to more closely refine the LDAP filters in the other user directory, the one you want to use to assign jira-users membership.

In addition to trying this approach, it's possible you might be able to use the Read only with local groups option here to help solve this. This option lets you grant an internal group membership to all the users of a specific user directory. If you can refine this directory down to be all the users you want in jira-users, and exclude all the service desk users in the other user directory, this could be one way you could achieve this kind of group membership based on your security groups without having to completely re-arrange the LDAP/AD structure.

Stian Bentsen Sveen April 5, 2019

Hi Andrew, thanks for the tips.

I ended up creating a parent group in AD for all the "project groups" and turning on nested groups in JIRA. I had already set up a dedicated hierarchy for all JIRA groups in a separate OU, so JIRA doesn't sync non-JIRA groups into JIRA.

My LDAP filters are very basic.

I have one user directory per country (to avoid pulling in service accounts etc).

Base DN is just pointing at the domain.

Then I have an additional user DN for each country that pulls in every user in that country (it points at Country - Users in AD), and I just point the group DN at the OU where all the JIRA groups are located.

With nested groups, does it just sync the members of the groups in the group, or will it also sync the groups themselves?

Also, if the group DN points to e.g. OU JIRA in AD, and I add a group that is not in that OU to a group that is in that OU, will it sync the members of that "outside group"?

I don't know if this is the best way of doing it, or if I should try to stick to one user directory for our entire domain and use filters instead?

Thanks,

Stian
