Is it possible for me to switch the default access groups to synchronized groups?

john579taylor_gmail_com
May 8, 2024

Ever since we transitioned to Single Sign-On (SSO), new users are no longer automatically enrolled in our "jira-users" and "confluence-users" groups. Instead, they are included in groups synchronized from our Identity Provider (IDP). While we've replicated global permissions, Jira permission schemes, and space permissions, and integrated these groups for product access, we've encountered a hurdle: the inability to switch default access groups from the product permissions admin page. The option is absent, and the tooltip indicates: "this is a read only group and cannot be set as default." This raises two questions:

  1. Can we modify default access groups to a synchronized group, and if so, how?

  2. Considering that permissions and access are synchronized with default access groups, what impact does changing the default access group have, especially considering new users aren't automatically assigned to the group by our IDP?

1 answer

0 votes
Kieren
May 8, 2024

Hi @john579taylor_gmail_com 

I've worked in this area for a long time, so I can give you some unique insights into this problem.

1. No, you cannot make a synchronised group be the default access group. As you've probably discovered already, you can grant product access to a synchronised group, you just can't make that synchronised group a default one. This is because synchronised groups are read-only, since they're sync'd from your IdP. And all the 'product access' features within admin.atlassian.com rely on adding users to a default group that grants product access, which it can't do if the group is read only.

2. The impact of changing the default access group is that none of the Jira or Confluence permissions will change automatically. Out of the box, a new Jira or Confluence product will rely on the default groups for all their security and permissions setup. When you want to 'swap out' the default group, you need to do it in a number of locations, or you risk your product access and project/space permissions being out of sync... It's not very helpful to be able to grant a user product access, if that doesn't also grant them some access to projects or spaces...

My startup, smolsoftware.com, has been working on an automation app to solve this problem, as there's no movement from Atlassian to do it. It will sync groups within admin.atlassian.com, allowing you to keep your IdP controlled groups in sync with the Atlassian default groups.
We're a week or so away from launching on the Atlassian Marketplace, but you're welcome to try out our beta in the meantime if you like. Just email me on hello at smolsoftware.com.

Hope that helps,

-Kieren
Co-founder @ Smol Software | Ex-Atlassian
