User management best practice

Graham Rivers-Brown June 11, 2013

In our current environment we have the following systems using internal user management:

  • JIRA + Greenhopper + Bonfire
  • JIRA second instance
  • Confluence + Team Calendars

We have just purchased a license for Stash and as part of this I'm looking at a better way to manage and maintain users in the system. The key requirement is to leverage our LDAP system for authentication. Groups etc. would not be maintained in LDAP.

What is the best practice for this? I was looking at the Atlassian Crowd product to sit between JIRA, Confluence and Stash and LDAP but am unsure if there is any benefit from doing this or if I'm best off migrating everything to talk to LDAP directly.

One item of note, not everyone has an account on all systems. Some have JIRA only, some have Confluence only and only a small number of people will need a Stash account.

I'm also interested in the migration process and how best to achieve this. From my research it seems JIRA can do this out of the box, while Confluence requires some manual DB updates.

2 answers

1 accepted

4 votes
Answer accepted
Colin Goudie
Rising Star
June 11, 2013

I would recommend Crowd if you want to try and simplify the process. You also get SSO then between all these instances.

With Crowd 2.6 you can have an AD/LDAP connected directory whilst still maintaining groups in Crowd. You can control which groups have access to which applications on an application by application basis.

Although it may seem like overkill adding yet another tool, for the users that do have multiple accounts in the systems (and onboarding/offboarding accounts etc.) it is nice to try to do this in one place rather than potentially in each application.

I would say this is generally the recommended approach, however, individual circumstances may not warrant it.

Crowd can source its initial set of users/groups from an application, so you could set up Crowd by pulling groups from JIRA, for example.

Colin Goudie
Rising Star
June 11, 2013

Yes, you can import from multiple directories.

I just checked though, looks like Crowd does USER import, not GROUP import. So just take that into account. You'd have to recreate (or script db->db) group memberships.

Graham Rivers-Brown June 11, 2013

Thanks Colin. I had a feeling Crowd would be the best solution. Can Crowd import users and groups from multiple applications? Once all the users are managed by Crowd can I then migrate across to LDAP auth for those users?

1 vote
Ellen Feaheny [AppFusions]
Rising Star
June 11, 2013

Agree with all that Colin said.

Also - once you go past JIRA and Confluence, this in my opinion is one of the exact reasons FOR Crowd. We couldn't live without it -

I think this page describes a relatively complex capability set, simply.

https://confluence.atlassian.com/display/CROWD/Concepts

I mean the overall concepts of what Crowd does are not that hard to understand. But as a SW product, user and group management between many applications AND SSO are both complex problems to solve (in all applications).

So Crowd solves a hard problem area in addition to being the centralized hub logically. It just makes a lot of sense from a network architecture perspective.

This page also is an answers winner for key questions that will come up if you move to Crowd.

https://confluence.atlassian.com/display/CROWD/Deployment+FAQ
