Jira Audit log shows that users removed themselves from groups, even if they don't have permission to do so
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When reviewing the Audit log under Jira Administration > System, we see records indicating users removed themselves from groups. This action seems unusual as they do not have the necessary permissions to perform such tasks.
Here is an example of such a log entry:

Environment
Any Jira version.
Diagnosis
When navigating to Jira Administration > System > Authentication methods, we can see that Jira is configured with SSO authentication using the bundled SSO for Atlassian Data Center app. Upon further examination of this setup, we find that the JIT provisioning option is enabled:

Also, the users named in these audit log records logged in via SSO at the time indicated by the "User removed from group" record.
Cause
The issue is caused by users logging in via SSO while the JIT option is enabled. In this setup, user data such as group memberships is refreshed on every login based on the information currently held by the Identity Provider (IdP). This is how JIT user provisioning is intended to function in Jira.
In essence, the information received from the identity provider serves as the "source of truth." Consequently, any local data stored in Jira, including group memberships, is overwritten by what the identity provider returns. Therefore, if a user belongs to an internal Jira group but is not listed as a member of that same group in the identity provider's records, they will be removed from that group upon logging in, and a corresponding entry appears in the Audit log.
If you require SSO users to be part of a specific group while JIT is enabled, these groups must be assigned to the user on the Identity Provider (IdP) side. For more information, see the following excerpt from our documentation on JIT provisioning:
Be aware that JIT provisioning overrides all user details sourced by JIT. If you use JIT provisioning with user’s groups maintained manually, all local group memberships will be modified to match what is configured in your IdP. To maintain user access to the application, make sure that users are assigned to appropriate groups in IdP.
With JIT enabled, the following changes happen during the authentication of an existing user:
Rename the user if the username was changed.
Change the user email if it was changed.
Change the user display name if it was changed.
Remove the user from all groups that the user belongs to if those groups weren’t returned by the IdP in the authentication response.
Add the user to all groups the user currently doesn’t belong to if those groups were returned by the IdP in the authentication response.
The user data is always modified until the user is in the state that was returned from the identity provider, regardless of how the changes were made: manually or if the user was updated on the IdP’s side.
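The following Python model of the reconciliation steps listed above is an added illustration for this article, not Jira's or the SSO app's own code; the class and function names, the audit event wording and the sample users, groups and timestamps are constructed for the example. It shows why a user who was added to a group by hand appears in the Audit log as having removed themselves, and it includes the check from the Diagnosis section: matching "User removed from group" records against SSO logins by the same user within a short window.

```python
"""Model of JIT provisioning reconciliation as described in the KB excerpt.

Added example, not Jira code: all names and sample data below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LocalUser:
    """Jira's local user record before the SSO login."""
    username: str
    email: str
    display_name: str
    groups: set = field(default_factory=set)


@dataclass
class IdpAssertion:
    """Attributes the IdP returns in the authentication response."""
    username: str
    email: str
    display_name: str
    groups: set = field(default_factory=set)


def jit_reconcile(user: LocalUser, assertion: IdpAssertion) -> list:
    """Apply the five JIT rules and return the audit events they would produce.

    The IdP response is the source of truth: username, email, display name and
    group membership are all rewritten to match it, regardless of how the local
    values were set.
    """
    events = []
    if user.username != assertion.username:
        events.append(f"User renamed: {user.username} -> {assertion.username}")
        user.username = assertion.username
    if user.email != assertion.email:
        events.append(f"User email changed: {user.email} -> {assertion.email}")
        user.email = assertion.email
    if user.display_name != assertion.display_name:
        events.append(f"User display name changed: {user.display_name} -> {assertion.display_name}")
        user.display_name = assertion.display_name
    # Local groups not returned by the IdP are removed (the case in this KB)...
    for group in sorted(user.groups - assertion.groups):
        events.append(f"User removed from group: {assertion.username} <- {group}")
    # ...and groups returned by the IdP but missing locally are added.
    for group in sorted(assertion.groups - user.groups):
        events.append(f"User added to group: {assertion.username} -> {group}")
    user.groups = set(assertion.groups)
    return events


def demo_manual_group_lost() -> list:
    """A user manually added to 'jira-administrators' logs in via SSO.

    The IdP only returns 'jira-software-users', so the local admin membership
    is dropped and the removal is logged under the user's own name.
    """
    user = LocalUser("jdoe", "jdoe@example.com", "Jane Doe",
                     {"jira-software-users", "jira-administrators"})
    assertion = IdpAssertion("jdoe", "jdoe@example.com", "Jane Doe",
                             {"jira-software-users"})
    return jit_reconcile(user, assertion)


# Constructed sample records standing in for the Audit log and SSO login history.
SAMPLE_AUDIT_ROWS = [
    {"time": datetime(2024, 5, 1, 9, 0, 12), "author": "jdoe",
     "summary": "User removed from group", "group": "jira-administrators"},
    {"time": datetime(2024, 5, 1, 14, 30, 0), "author": "admin",
     "summary": "User removed from group", "group": "jira-software-users"},
]
SAMPLE_SSO_LOGINS = [
    {"user": "jdoe", "time": datetime(2024, 5, 1, 9, 0, 10)},
]


def removals_coinciding_with_sso_login(audit_rows, sso_logins,
                                       window=timedelta(minutes=1)) -> list:
    """Return (author, group, time) for group removals that occur within
    `window` of an SSO login by the same user: the JIT-driven removals this
    KB describes. Removals with no nearby login (e.g. done by an admin by hand)
    are left out so they can be reviewed separately."""
    hits = []
    for row in audit_rows:
        if row["summary"] != "User removed from group":
            continue
        for login in sso_logins:
            if login["user"] == row["author"] and abs(login["time"] - row["time"]) <= window:
                hits.append((row["author"], row["group"], row["time"]))
                break
    return hits


if __name__ == "__main__":
    for event in demo_manual_group_lost():
        print(event)
    for author, group, when in removals_coinciding_with_sso_login(SAMPLE_AUDIT_ROWS, SAMPLE_SSO_LOGINS):
        print(f"{when:%Y-%m-%d %H:%M:%S} JIT removal: {author} from {group}")
```

In the demo, the only event is the removal from jira-administrators, which is exactly the "User removed from group" entry attributed to the user in the Audit log. The correlation helper keeps the admin's manual removal at 14:30 out of the result because no SSO login by that author occurred nearby, which is the distinction an administrator needs when deciding whether a removal was JIT-driven or a genuine manual change.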