Nested groups with multiple directories

Andrew Thorne April 26, 2018

Hello,

In our JIRA system we have 3 directories for user authentication: the JIRA internal directory (for non-real users), and 2 active directories for real users depending on if the user is a private or public sector worker.

One of the administrators has come up with the idea that we can nest groups, and with the correct hierarchical structure, would only need to put users in one group according to their role.

However, our tests have returned confusing results:

  • I started off by creating Group 1, Group 2, and Group 3. Then I made Group 2 a subgroup of Group 1, and Group 3 a subgroup of Group 2.
  • It would appear the groups are created in the directory at the top of the directory list. (Can anybody confirm this?)
  • If I added a user who was defined in the top directory to Group 2, their groups were Group 1 and Group 2.
  • If I added a user who was defined in the top directory to Group 3, their groups were Group 1, Group 2, and Group 3.
  • However, if I added a user who was defined in the other directories to Group 2 or Group 3, they only got that group.

Is this normal behaviour? Have I missed off a setting so that it does not matter in which directory the users are defined?

Thanks for any explanation you are able to give.

1 answer

0 votes
Andy Heinzer
Atlassian Team
May 1, 2018

Users in Jira are only able to have group memberships for groups that originate from the same user directory as the user is logged in to. Additionally, if the same user exists in multiple user directories in Jira, that username can only log in to the top ordered directory. So if your users are logged into Jira via the 2nd LDAP connector, they can't belong to groups that come from the 1st LDAP. This is true across all kinds of user directories in Jira; the only exception to this is the use of read-only with local groups, which in turn allows LDAP users to belong to local groups in the Jira internal directory.

What tends to complicate this kind of scenario is that most times I see 2 LDAP connections in Jira, they are often connectors to the same LDAP server address with only slightly modified settings. Are you using this kind of setup? Or are these 2 LDAP servers really separate LDAP machines? I ask because Jira is treating each user directory as if it was an independent collection of user and group data. So while you might have the same group name in both LDAP #1 and LDAP #2, say 'Group 1', these groups are not always logically identical in Jira for the sake of permissions, because the user directories are being treated as separate entities logically.

I would be interested to learn more about the settings you have in Jira for each user directory. Specifically, if you expand the "Advanced Settings", I'd check to see if the option for 'Enabled Nested Groups' is set for both of these. I suspect it is enabled for LDAP #1, but not for #2 right now.

If that does not explain this behavior, then the next steps would be to take a closer look at your Group Schema Settings and Membership Schema Settings to better understand what logic Jira is using to determine which groups users belong to.
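
The rules in the answer above (one directory per username, group membership resolved inside that directory, nested expansion governed by each directory's own 'Enable Nested Groups' flag, and read-only-with-local-groups as the exception) can be checked against the symptoms in the question with a small model. The following is an added illustration, not Jira's code: the directory names, usernames and group data are constructed, and the treatment of nesting for local groups (`expand_local_nesting`) is a parameter of the model rather than a statement about what Jira does.

```python
"""Simplified model of how Jira resolves a user's effective groups across
several ordered user directories.  Added illustration, not Jira's own code;
all directory data below is constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass, field

INTERNAL = "JIRA Internal Directory"  # assumed name of the internal directory


@dataclass
class Directory:
    name: str
    users: set[str]
    # group -> usernames that are direct members of it
    members: dict[str, set[str]] = field(default_factory=dict)
    # child group -> parent groups (nesting edges, valid only inside this directory)
    parents: dict[str, set[str]] = field(default_factory=dict)
    nested_groups: bool = False   # the per-directory 'Enable Nested Groups' option
    local_groups: bool = False    # "read-only with local groups" connector


def resolve_directory(directories: list[Directory], username: str):
    """A username present in several directories is bound to the top-ordered
    one only, so scan in list order and stop at the first directory that has it."""
    for d in directories:
        if username in d.users:
            return d
    return None


def direct_groups(directory: Directory, username: str) -> set[str]:
    return {g for g, m in directory.members.items() if username in m}


def expand(directory: Directory, groups: set[str]) -> set[str]:
    """Follow child->parent edges transitively when nesting is enabled for the
    directory; with nesting disabled the direct memberships are returned as-is."""
    if not directory.nested_groups:
        return set(groups)
    seen, stack = set(groups), list(groups)
    while stack:
        for parent in directory.parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def effective_groups(directories, username, expand_local_nesting=False) -> set[str]:
    """Groups the user ends up in: those of its home directory, plus local groups
    from the internal directory when the home directory allows local groups.
    ASSUMPTION of this model: nesting of local groups is only applied when
    expand_local_nesting=True; the default mirrors the follow-up report that
    an AD user in Group 2 did not inherit Group 1."""
    home = resolve_directory(directories, username)
    if home is None:
        return set()
    groups = expand(home, direct_groups(home, username))
    if home.local_groups:
        internal = next((d for d in directories if d.name == INTERNAL), None)
        if internal is not None:
            local = direct_groups(internal, username)
            groups |= expand(internal, local) if expand_local_nesting else local
    return groups


def sample_directories() -> list[Directory]:
    """Constructed data: the Group 1 > Group 2 > Group 3 hierarchy exists in every
    directory, but only some directories have nested groups switched on."""
    tree = {"Group 2": {"Group 1"}, "Group 3": {"Group 2"}}
    internal = Directory(INTERNAL, users={"jira-bot"},
                         members={"Group 1": set(), "Group 2": {"cristian"}, "Group 3": set()},
                         parents=dict(tree), nested_groups=True)
    ldap1 = Directory("LDAP #1", users={"alice", "shared"},
                      members={"Group 1": set(), "Group 2": set(), "Group 3": {"alice", "shared"}},
                      parents=dict(tree), nested_groups=True)
    ldap2 = Directory("LDAP #2", users={"bob", "shared"},
                      members={"Group 1": set(), "Group 2": set(), "Group 3": {"bob", "shared"}},
                      parents=dict(tree), nested_groups=False)
    ad = Directory("AD (read-only, local groups)", users={"cristian"},
                   nested_groups=True, local_groups=True)
    return [internal, ldap1, ldap2, ad]


if __name__ == "__main__":
    dirs = sample_directories()
    for user in ("alice", "shared", "bob", "cristian"):
        home = resolve_directory(dirs, user)
        print(f"{user:9} -> {home.name:28} {sorted(effective_groups(dirs, user))}")
```

Running it reproduces the pattern reported in the question: `alice` and `shared` (bound to LDAP #1, nesting on) end up in Groups 1, 2 and 3, `bob` (LDAP #2, nesting off) only in Group 3, and the AD user `cristian` only in the local Group 2 unless the model is told to expand local nesting. The first thing to compare against a real instance is therefore the per-directory nesting flag and which directory each username actually resolves to.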

CBordino October 26, 2018

Hi,

did you find a solution for this topic?

Because I am facing the same issue with only 2 user directories set up, both with the Nested Groups option enabled:

  • 1st: JIRA Internal Directory, where Group 1, Group 2, Group 3 belong to
  • 2nd: AD (Read Only, with Local Groups)

If I add userLocal1 (from local dir) to Group 2: it successfully belongs to Group 1

If I add userSamAccount (from AD) to Group 2: it belongs ONLY to Group 2, but not the nested one


Thanks

Cristian
