Community
Products
Atlassian Guard
Questions
Is it possible to apply specific policies to Jira product access by users from the same domain?

Is it possible to apply specific policies to Jira product access by users from the same domain?

Objective:

Users in policy 1 may be either a Jira user or a JSM customer
Users in policy 2 may only be a JSM customer

All users in the domain are managed. The difference between the policies is that 1 requires SSO while 2 does not.

1 answer

0 votes

Hello Chris!

Functionality dedicated to handle that is Authentication policies (in security). There you can assign people to policies and achieve your goal, but I expect that your problem is a little bit more complex and you want to do it automatically :). At the moment, unfortunately, you are not in a position to do this through groups, so there is no quick and easy method - you can have a problem with every new user.

If you really need to do it, then you can use RestAPI and trigger this from some place (for example from Entra ID for every new user).
https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-auth-policy-policyid-add-users-post

Here is the useful link: https://jira.atlassian.com/browse/ACCESS-1905 (and a lot of linked work items).

I hope it is useful.

Regards

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

thanks @Wojciech Miecznikowski I am able to assign users to the policies ok. And at Products \ User access settings \ Approved domains I can allow users to request access i.e. a licence with admin approval, and provide access as a JSM customer. That's all ok.

The members of mydomain.com will be assigned one of two policies:

Policy 1: Requires SSO
Policy 2: Does not require SSO

I want to make sure that "users" have policy 1 assigned, while only customer access is provided to members of policy 2.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello Chris,

Yes, and just to paraphrase your problem: you can only have one default policy for each directory. In this situation, you have one directory and no way to define rules (connection with products) at the specific policy level.

In this case only one known for me approach exist and it is to do it automatically through RestAPI (https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-auth-policy-policyid-add-users-post). You need to define your rules in your "solution" and manage it by external script. It could be ScriptRunner, Automation Rules, python script or anything else, flow would be:
- Download users with policy by: https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-users-auth-policies-bulk-fetch-post
- Download users products (roles)
https://developer.atlassian.com/cloud/admin/organization/rest/api-group-users/#api-v1-orgs-orgid-users-get
- Compare results (people with access to JSW, but without right policy)
- Then change user policy with:
https://developer.atlassian.com/cloud/admin/control/rest/api-group-authentication-policies/#api-admin-control-v1-orgs-orgid-auth-policy-policyid-add-users-post

If you are not experienced with any code language or RestAPI it could be unfortunately problematic, but I think that it is only way.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Forums

Product Q&A

Community resources

Support

Top groups

Community resources

Support

Learn

Community resources

Support

Events

Community resources

Support

Is it possible to apply specific policies to Jira product access by users from the same domain?

1 answer

Suggest an answer

Was this helpful?

Thanks!

TAGS

Atlassian Community Events