Can AD groups be added to a Project Role

Ian Corbett August 5, 2017

I've configured Active Directory integration for Jira, configured for Read Only with Local Groups, which works; AD user accounts and AD groups are presented under User Management. The AD groups are an AD equivalent of the 3 internal groups that are automatically created (jira-software, jira-servicedesk, jira-administrators).

I've applied the AD groups to the Application Access for Jira Software and Jira Servicedesk alongside the existing internal groups (jira-software, jira-servicedesk, jira-administrators).

I've also applied the AD groups to the 6x Global Permissions, again to match the internal groups, i.e. AD\JIRA_Admin to Jira System Administrators etc.

I've read that using Global permissions is not the optimal approach and therefore, specifically for the Service Desk project, I want to apply the AD groups to the Project roles. However it only seems to present users and internal Jira groups and not the AD groups. Is this not supported / recommended?

Should I put the AD groups into the internal jira groups instead and use them?

e.g.

AD user -> AD group -> Internal Jira Group -> Project Role

AD user -> AD group -> Internal Jira Group -> <global permission>

I assume putting AD groups into internal Jira groups is supported?

Thanks in advance,

1 answer

0 votes
Steven F Behnke
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 5, 2017

I'm confused by this question to be honest. I'm not sure exactly what the problem is.

Can you describe which method you used to connect the active directory server to jira?

When you integrate active directory with jira, the groups that are present in AD will be synced to groups in JIRA. Thus, you can use the AD groups within Global Permissions and Project Roles.

If this isn't working please show us how you configured it.

Ian Corbett August 7, 2017

Hi Steven, thanks for the reply.

I've learnt / established a couple of things since the original post.

Firstly (and I've read posts about this - albeit they are old), the nesting of external (AD) groups in to local directory groups is not supported / doesn't work, even though the interface appears to let you configure it as so. I understand you can nest internal into internal and external into external but beyond that no.

Secondly the interface for adding groups to a Project Role does not autocomplete when specifying an AD group and only the local users and groups are shown as you type. Once I'd typed / pasted the entire AD group into the field it worked.

I've now got nesting switched off for both the local and remote directory, applied my AD control groups to 'Application Access' for Jira Software and Jira Servicedesk, applied a Jira Admin AD group to the 6x Global Permissions, and the Service Desk AD group to the role of Service Desk Team in the Servicedesk Project and all seems to be good.

Steven F Behnke
August 7, 2017

Well, nesting should work - The structure appears flat to JIRA though. If you're a direct or indirect member of a group, you appear as being a direct member of the group in JIRA. This is obviously a simplification of how it works but it should suit most purposes.

I would like to point out this KB article: https://confluence.atlassian.com/jirakb/user-picker-autocomplete-field-does-not-work-280068827.html

Can you validate the two items:

  • JIRA Browse Users Permission?
  • What is the size of the directory you added? You SHOULD be filtering down a directory if it's quite large, this is an extremely common mistake. (I'm talking thousands and thousands of users and groups) If your directory is huge the search may not work quickly.

Have you run a background index since adding the users? I'm not sure but that may be a possibility.

AustinW October 10, 2019

I'm having the exact same issue, AD groups are not showing up on the Project "Add users to a role" search unless I type the entire name of the security group.

I am filtering down to the OU that security groups are included in, and we do not have thousands of users or security groups.

Steven F Behnke
October 11, 2019

I have this problem if I use the wrong case. If I use the proper casing, it autocompletes. Probably goes to show that groups should be normalized to lowercase or something.

AustinW October 11, 2019

@Steven F Behnke 

Interesting, you're absolutely correct. The filters are not case sensitive, but the automatic searches in input boxes are.
