Objective:
All users in the domain are managed. The difference between the policies is that 1 requires SSO while 2 does not.
Hello Chris!
The functionality dedicated to handling that is Authentication policies (in Security). There you can assign people to policies and achieve your goal, but I expect that your problem is a little bit more complex and you want to do it automatically :). At the moment, unfortunately, you are not in a position to do this through groups, so there is no quick and easy method - you can have a problem with every new user.
If you really need to do it, then you can use the REST API and trigger this from some place (for example from Entra ID for every new user).
https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-auth-policy-policyid-add-users-post
Here is the useful link: https://jira.atlassian.com/browse/ACCESS-1905 (and a lot of linked work items).
I hope it is useful.
Regards
Thanks @Wojciech Miecznikowski, I am able to assign users to the policies OK. And at Products \ User access settings \ Approved domains I can allow users to request access, i.e. a licence with admin approval, and provide access as a JSM customer. That's all OK.
The members of mydomain.com will be assigned one of two policies:
I want to make sure that "users" have policy 1 assigned, while only customer access is provided to members of policy 2.
Hello Chris,
Yes, and just to paraphrase your problem: you can only have one default policy for each directory. In this situation, you have one directory and no way to define rules (connection with products) at the specific policy level.
In this case, only one approach known to me exists, and it is to do it automatically through the REST API (https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-auth-policy-policyid-add-users-post). You need to define your rules in your "solution" and manage it with an external script. It could be ScriptRunner, Automation Rules, a Python script or anything else. The flow would be:
- Download users with policy by: https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-users-auth-policies-bulk-fetch-post
- Download users' products (roles): https://developer.atlassian.com/cloud/admin/organization/rest/api-group-users/#api-v1-orgs-orgid-users-get
- Compare results (people with access to JSW, but without the right policy)
- Then change user policy with: https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-auth-policy-policyid-add-users-post

If you are not experienced with any coding language or the REST API, it could unfortunately be problematic, but I think that it is the only way.
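The "compare" step of the flow described in the answer above, as an added example that is not part of the original posts: it runs on constructed data and makes no API calls. The field names (`account_id`, `product_access`, `key`), the policy ids, the product key and the batch size are assumptions to be mapped onto the real responses of the linked endpoints.

```python
"""Compare step of the flow above, on constructed data (no network calls)."""

# Placeholders and assumptions, not values from the thread or the Atlassian docs:
SSO_POLICY_ID = "POLICY-1-ID"       # policy 1, requires SSO
NO_SSO_POLICY_ID = "POLICY-2-ID"    # policy 2, no SSO (customers)
LICENSED_KEYS = {"jira-software"}   # assumed product keys that mean "licensed user"
BATCH_SIZE = 2                      # assumed; small so the sample shows splitting


def plan_changes(users, policy_by_account):
    """Return (enforce_sso, review).

    enforce_sso: licensed accounts that are not on the SSO policy (safe to move).
    review: accounts on the SSO policy with no licence; moving them would drop
            the SSO requirement, so they are reported instead of moved.
    """
    enforce_sso, review = [], []
    for user in users:
        account_id = user["account_id"]
        keys = {p["key"] for p in user.get("product_access") or []}
        current = policy_by_account.get(account_id)  # None: no policy recorded
        if keys & LICENSED_KEYS:
            if current != SSO_POLICY_ID:
                enforce_sso.append(account_id)
        elif current == SSO_POLICY_ID:
            review.append(account_id)
    return sorted(enforce_sso), sorted(review)


def batches(account_ids, size=BATCH_SIZE):
    """Split ids into lists, one list per policy-change request."""
    return [account_ids[i:i + size] for i in range(0, len(account_ids), size)]


# Constructed sample shaped like the merged results of the two download steps.
SAMPLE_USERS = [
    {"account_id": "a1", "product_access": [{"key": "jira-software"}]},
    {"account_id": "a2", "product_access": [{"key": "jira-software"}]},
    {"account_id": "a3", "product_access": []},      # customer only
    {"account_id": "a4", "product_access": None},    # no licence, still on SSO
    {"account_id": "a5", "product_access": [{"key": "jira-software"}]},  # new user
    {"account_id": "a6", "product_access": [{"key": "jira-software"}]},
]
SAMPLE_POLICIES = {"a1": SSO_POLICY_ID, "a2": NO_SSO_POLICY_ID,
                   "a3": NO_SSO_POLICY_ID, "a4": SSO_POLICY_ID,
                   "a6": NO_SSO_POLICY_ID}

if __name__ == "__main__":
    to_move, to_review = plan_changes(SAMPLE_USERS, SAMPLE_POLICIES)
    print("add to SSO policy, per request:", batches(to_move))
    print("review by hand:", to_review)
```

Only moves toward the SSO policy are planned automatically; accounts that would lose the SSO requirement are listed for a person to check.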