Pros and Cons of creating groups in Jira, vs. AD, then pulling them into Jira

Angie Elliott January 31, 2020

Hello, we are at the beginning of Jira implementation, and I wanted to know:

1. What are the pros and cons of creating groups in AD, then pulling them into Jira?

2. What are the pros and cons of creating them in Jira directly? And can you link them to AD at a later point?

Thank you!

1 answer

1 accepted

0 votes
Answer accepted
Andrew Laden
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 31, 2020

Starting with your 2nd question. No you cant link/merge them later. So choose wisely.

Benefits of local user/group management

  1. Your Jira is self contained. No dependency on AD
  2. Your Jira administrators (assuming they are not also AD Admins) can manage it themselves.

Benefits of AD based

  1. Single source of truth. I like being able to go to 1 place to validate membership/permissions. My audit dept likes it also.
  2. Nested groups. Very big help. Cant do that in internal directory
  3. Leverage your existing AD organization. For example, you want to give the Marketing Dept access to a project. And you already have a "marketing" AD group. You can leverage that existing group instead of making a new one. And when marketing onboards a new user, and adds them to that group, boom, they get jira access. 

I do the following.

Create an AD group for each project/role combination. For example if I have a project Foo, with roles Administrator and participant, I create 2 AD groups. "jira-foo-participants" and "jira-foo-administrators" then I can add the "marketing" AD group (as a group) to jira-foo-participants and the head of marketing to jira-foo-administrators.

then I just assign the groups to the role in the project.

I also create a "jira-software-licensed" AD group, and add all the other Jira AD groups to that one. I then in jira use that group for licensing. That way I know anyone who can access a project automatically gets a licenses.

(well actually I used to do that. Now we run both Service Desk and Software, and I want to make sure not to give both licenses to a user unless they really need it, So i do something different now. But if you only have 1 license time, the above works great.

As you can See, I am a big fan of AD based

Angie Elliott February 4, 2020

Thank you very much for that answer! Big help!

Like Sofia Quintero likes this
Manikanth Reddy August 3, 2021

Hi @Andrew Laden 

What you are suggesting here is that, if a group created in AD it will automatically get created in Jira too?

Currently we are trying to see sync happen between a AD group and Jira group. 
And also trying the same method you are following, to add a group called jira-user group in AD and see that any user added into this group will automatically gets jira license(as on Jira, jira-user group is placed under Application access).

And we are also looking at creating similar group for our service-desk license group.

So, can you please elaborate on the part "I also create a "jira-software-licensed" AD group, and add all the other Jira AD groups to that one. I then in jira use that group for licensing." does it means is it a automatic process where adding group in AD gets added to Jira(if this is not automatically happening do we need to make any changes in our AD?)

Thanks in advance

Manikanth Reddy

Suggest an answer

Log in or Sign up to answer