Provision and sync users from an identity provider
Make changes in your identity provider to users and groups and sync them to your Atlassian organization.
Viewing the right content? From your organization at admin.atlassian.com, if the Users list and Groups list are under the Directory tab, view the improved user management content. |
You must be an organization admin to complete the tasks on this page.
When you set up user provisioning, you may run into the situation where your groups in your Atlassian sites have the same names as groups in your identity provider (IdP).
When you sync, we’ll warn you about duplicate group names between your IdP and your Atlassian sites. You’ll then be able to accept or reject changes to group members before you sync those groups.
Group conflicts occur when groups have the same name in your IdP as groups that already exist in your organization.
Before you sync and replace your groups, we’ll share a list with you of group names and a breakdown of the membership changes that will happen. Here’s a screenshot with a sample breakdown.
Name of the group
Product access for the group
Name of each site for the group
Number of users added or removed if you decide to overwrite the group
Can I sync default access groups?
We can’t sync groups from your identity provider when the group is a default access group on your Atlassian product site. If you want to sync the group, you can change its default access status and then sync it.
To change the default access status of the group:
Go to your organization at admin.atlassian.com.
Navigate to Sites and Products > Product access.
Under the Options column, select Don’t make this group default.
If you can’t select it, assign default access to another group, and then try again.
Learn more about default access groups
To update groups before you sync, you compare user membership between the groups in a table, review each potential user change, and then make one of the following updates to your IDP.
Remove users from your IDP group if you don’t want them to gain access to your Atlassian products.
Add users to your IDP group if you don't want them to lose access to your Atlassian products.
Rename your IDP group if you want to keep your Atlassian site group when syncing from your IDP to your organization.
When we sync groups, we overwrite your organization and site groups with your IdP groups. This means that some users could lose or gain product access and permissions granted by the group.
You have the flexibility to sync one group at a time or to sync all groups at once.
To review and sync groups:
Go to your organization at admin.atlassian.com.
Navigate to your Identity provider directory.
For Google Workspace, select Groups.
For other identity providers, go to the User provisioning section.
A warning message appears with the number of groups we could not sync.
Select Review groups
Review member changes (members to be added or removed from the group).
Select Sync group.
If you want to quickly sync all groups then select Sync all groups and follow the prompts.
You know you’re done syncing when the number of synced groups listed in User provisioning matches the number of synced groups in your IdP.
Learn more about syncing in User provisioning or Google Workspace
You must be an organization admin to complete the tasks on this page.
When you set up user provisioning, you may run into the situation where your groups in your Atlassian organization have the same names as groups in your identity provider (IdP).
When you sync, we’ll warn you about duplicate group names between your IdP and your Atlassian organization. You’ll then be able to accept or reject changes to group members before you sync those groups.
Group conflicts occur when groups have the same name in your IdP as groups that already exist in your organization.
Before you sync and replace your groups, we’ll share a list with you of group names and a breakdown of the membership changes that will happen. Here’s a screenshot with a sample breakdown.
Name of the group
Product access for the group
Name of each site for the group
Number of users added or removed if you decide to overwrite the group
Can I sync default access groups?
We can’t sync groups from your identity provider when the group is a default access group in your Atlassian organization. If you want to sync the group, you can change its default access status and then sync it.
To change the default access status of the group:
Go to admin.atlassian.com. Select your organization if you have more than one.
Select Products, then for the product you want to change, select Manage Access.
Next to the group you want to change, select > Update default group setting.
If you can’t select it, assign default access to another group first.
Select which role you’d like to make the default role for this group. Or select None to remove it as a default group.
Learn more about default access groups
To update groups before you sync, you compare user membership between the groups in a table, review each potential user change, and then make one of the following updates to your IDP.
Remove users from your IDP group if you don’t want them to gain access to your Atlassian products.
Add users to your IDP group if you don't want them to lose access to your Atlassian products.
Rename your IDP group if you want to keep your Atlassian organization group when syncing from your IDP to your organization.
When we sync groups, we overwrite your organization groups with your IDP groups. This means that some users could lose or gain product access and permissions granted by the group.
You have the flexibility to sync one group at a time or to sync all groups at once.
To review and sync groups:
Go to your organization at admin.atlassian.com.
Navigate to your Identity provider directory.
For Google Workspace, select Groups.
For other identity providers, go to the User provisioning section.
A warning message appears with the number of groups we could not sync.
Select Review groups
Review member changes (members to be added or removed from the group).
Select Sync group.
If you want to quickly sync all groups then select Sync all groups and follow the prompts.
Sync all groups syncs the first 20 groups on the list of conflicting groups. You may need to select Sync all groups multiple times to sync your complete list of conflicts in batches of 20.
You know you’re done syncing when the number of synced groups listed in User provisioning matches the number of synced groups in your IDP.
Learn more about syncing in User provisioning or Google Workspace
Was this helpful?