Hello,
In our JIRA system we have 3 directories for user authentication: the JIRA internal directory (for non-real users), and 2 active directories for real users depending on if the user is a private or public sector worker.
One of the administrators has come up with the idea that we can nest groups, and with the correct hierarchical structure, would only need to put users in one group according to their role.
However, our tests have returned confusing results:
Is this normal behaviour? Have I missed off a setting so that it does not matter in which directory the users are defined?
Thanks for any explanation you are able to give.
Users in Jira are only able to have group memberships for groups that originate from the same user directory as the user is logged in to. Additionally, if the same user exists in multiple user directories in Jira, that username can only log in to the top ordered directory. So if your users are logged into Jira via the 2nd LDAP connector, they can't belong to groups that come from the 1st LDAP. This is true across all kinds of user directories in Jira; the only exception to this is the use of read-only with local groups, which in turn allows LDAP users to belong to local groups in the Jira internal directory.
What tends to complicate this kind of scenario is that most times I see 2 LDAP connections in Jira, they are often connectors to the same LDAP server address with only slightly modified settings. Are you using this kind of setup? Or are these 2 LDAP servers really separate LDAP machines? I ask because Jira is treating each user directory as if it was an independent collection of user and group data. So while you might have the same group name in both LDAP #1 and LDAP #2, say 'Group 1', these groups are not always logically identical in Jira for the sake of permissions because the user directories are being treated as separate entities logically.
I would be interested to learn more about the settings you have in Jira for each user directory. Specifically if you expand the "Advanced Settings", I'd check to see if the option for 'Enabled Nested Groups' is set for both of these. I suspect it is enabled for LDAP #1, but not for #2 right now.
If that does not explain this behavior, then the next steps would be to take a closer look at your Group Schema Settings and Membership Schema Settings to better understand what logic Jira is using to determine which groups users belong to.
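The rules in the answer above (membership is scoped to the directory the user logs in to, the top-ordered directory wins for a duplicate username, nesting is a per-directory setting, and read-only with local groups is the one cross-directory exception) can be modelled in a few lines. The following is an added toy model, not Jira's code and not part of the original thread; the directory names, flags and the `Group 1`/`Group 2` layout are constructed to mirror the follow-up report, and the `local_groups` flag is a hypothetical stand-in for the "read-only with local groups" mode.

```python
"""Toy model of how Jira resolves group membership across user directories.

Assumption (hypothetical model, not Jira's code): each directory holds its own
users and groups; a user logs in to the top-ordered directory that contains the
username; group membership is expanded only inside that directory, and only if
nested groups are enabled there; the one cross-directory case is "read-only with
local groups", which also grants the user its internal-directory groups.
"""
from dataclasses import dataclass, field


@dataclass
class Directory:
    name: str
    nested_groups: bool                 # "Enable Nested Groups" under Advanced Settings
    local_groups: bool = False          # hypothetical flag: LDAP read-only with local groups
    users: set = field(default_factory=set)
    # member name (user or group) -> set of group names it is directly a member of
    memberships: dict = field(default_factory=dict)


def home_directory(directories, username):
    """Return the top-ordered directory that defines `username`, or None."""
    for directory in directories:
        if username in directory.users:
            return directory
    return None


def expand_groups(directory, member):
    """Groups of `member` inside one directory, following group-in-group edges
    only when that directory has nested groups enabled."""
    found = set(directory.memberships.get(member, set()))
    if not directory.nested_groups:
        return found
    stack = list(found)
    while stack:
        group = stack.pop()
        for parent in directory.memberships.get(group, set()):
            if parent not in found:
                found.add(parent)
                stack.append(parent)
    return found


def effective_groups(directories, username):
    """(directory name, group name) pairs the user ends up with after login.
    Groups are tagged with their directory: 'Group 2' in AD and 'Group 2' in the
    internal directory are two different groups."""
    home = home_directory(directories, username)
    if home is None:
        return set()
    result = {(home.name, g) for g in expand_groups(home, username)}
    if home.local_groups:
        internal = directories[0]  # assumes the internal directory is ordered first
        result |= {(internal.name, g) for g in expand_groups(internal, username)}
    return result


def build_scenario(local_groups=False):
    """Constructed sample: two directories, each with a group named 'Group 2'.
    Only the internal directory nests Group 2 inside Group 1."""
    internal = Directory(
        name="internal", nested_groups=True,
        users={"userLocal1"},
        memberships={"userLocal1": {"Group 2"}, "Group 2": {"Group 1"}},
    )
    if local_groups:
        # LDAP user added to a *local* group; it never appears in internal.users
        internal.memberships["userSamAccount"] = {"Group 2"}
    ad = Directory(
        name="ad", nested_groups=True, local_groups=local_groups,
        users={"userSamAccount"},
        memberships={"userSamAccount": {"Group 2"}},  # AD's own Group 2, no parent in AD
    )
    return [internal, ad]


if __name__ == "__main__":
    dirs = build_scenario()
    for user in ("userLocal1", "userSamAccount"):
        print(user, sorted(effective_groups(dirs, user)))
```

Running it with the default scenario gives `userLocal1` both `Group 2` and `Group 1` from the internal directory, while `userSamAccount` gets only the AD copy of `Group 2`, because the edge from `Group 2` to `Group 1` exists in the internal directory and is never consulted when resolving an AD user. Switching `build_scenario(local_groups=True)` on is the one configuration in which the AD user also picks up the internal groups, and flipping `nested_groups` off on a directory stops the expansion for that directory alone, which is the per-directory check the answer suggests.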
Hi,
did you find a solution for this topic?
Because I am facing the same issue with only 2 user directories set up, both with the Nested Group option enabled:
If I add userLocal1 (from local dir) to Group 2: it successfully belongs to Group 1
If I add userSamAccount (from AD) to Group 2: it belongs ONLY to Group 2 but not nested one
Thanks
Cristian