Resolve group conflicts when syncing users

Which user management experience do you have?

To check, go to your organization at admin.atlassian.com and select Directory. If the Users and Groups lists are found here, then you are using centralized user management. Learn more about centralized user management.

Original: As a site administrator or organization admin, Users is found under Product site.

Centralized: As an organization admin, Users is found under the Directory tab.

 



Original user management content

You must be an organization admin to complete the tasks on this page.

When you set up user provisioning, you may run into the situation where your groups in your Atlassian sites have the same names as groups in your identity provider (IdP).

When you sync, we’ll warn you about duplicate group names between your IdP and your Atlassian sites. You’ll then be able to accept or reject changes to group members before you sync those groups.

Group conflicts occur when groups have the same name in your IdP as groups that already exist in your organization.

Review groups before you sync

Before you sync and replace your groups, we’ll share a list with you of group names and a breakdown of the membership changes that will happen. Here’s a screenshot with a sample breakdown.

Screenshot: a list of group names, their product access, and the changes that will happen with sync. It shows:
  1. Name of the group

  2. Product access for the group

  3. Name of each site for the group

  4. Number of users added or removed if you decide to overwrite the group

Can I sync default access groups?

We can’t sync groups from your identity provider when the group is a default access group on your Atlassian product site. If you want to sync the group, you can change its default access status and then sync it.

To change the default access status of the group:

  1. Go to your organization at admin.atlassian.com.

  2. Navigate to Sites and Products > Product access.

  3. Under the Options column, select Don’t make this group default.

  4. If you can’t select it, assign default access to another group, and then try again.

Learn more about default access groups

Update groups before you sync

To update groups before you sync, you compare user membership between the groups in a table, review each potential user change, and then make one of the following updates to your IdP.

  • Remove users from your IdP group if you don’t want them to gain access to your Atlassian products.

  • Add users to your IdP group if you don’t want them to lose access to your Atlassian products.

  • Rename your IdP group if you want to keep your Atlassian site group when syncing from your IdP to your organization.

Sync groups after you review

When we sync groups, we overwrite your organization and site groups with your IdP groups. This means that some users could lose or gain product access and permissions granted by the group.

You have the flexibility to sync one group at a time or to sync all groups at once.

To review and sync groups:

  1. Go to your organization at admin.atlassian.com.

  2. Navigate to your Identity provider directory.

    1. For Google Workspace, select Groups.

    2. For other identity providers, go to the User provisioning section.

  3. A warning message appears with the number of groups we could not sync.

  4. Select Review groups.

  5. Review member changes (members to be added or removed from the group).

  6. Select Sync group.

To sync all groups quickly, select Sync all groups and follow the prompts.

Group sync is complete

You know you’re done syncing when the number of synced groups listed in User provisioning matches the number of synced groups in your IdP.

Learn more about syncing in User provisioning or Google Workspace


Centralized user management content

You must be an organization admin to complete the tasks on this page.

When you set up user provisioning, you may run into the situation where your groups in your Atlassian organization have the same names as groups in your identity provider (IdP).

When you sync, we’ll warn you about duplicate group names between your IdP and your Atlassian organization. You’ll then be able to accept or reject changes to group members before you sync those groups.

Group conflicts occur when groups have the same name in your IdP as groups that already exist in your organization.

Review groups before you sync

Before you sync and replace your groups, we’ll share a list with you of group names and a breakdown of the membership changes that will happen. Here’s a screenshot with a sample breakdown.

Screenshot: a list of group names, their product access, and the changes that will happen with sync. It shows:
  1. Name of the group

  2. Product access for the group

  3. Name of each site for the group

  4. Number of users added or removed if you decide to overwrite the group

Can I sync default access groups?

We can’t sync groups from your identity provider when the group is a default access group in your Atlassian organization. If you want to sync the group, you can change its default access status and then sync it.

To change the default access status of the group:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products, then for the product you want to change, select Manage Access.

  3. Next to the group you want to change, select > Update default group setting.
    If you can’t select it, assign default access to another group first.

  4. Select which role you’d like to make the default role for this group. Or select None to remove it as a default group.

Learn more about default access groups

Update groups before you sync

To update groups before you sync, you compare user membership between the groups in a table, review each potential user change, and then make one of the following updates to your IdP.

  • Remove users from your IdP group if you don’t want them to gain access to your Atlassian products.

  • Add users to your IdP group if you don’t want them to lose access to your Atlassian products.

  • Rename your IdP group if you want to keep your Atlassian organization group when syncing from your IdP to your organization.
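
The membership comparison described under "Update groups before you sync" (in both the original and centralized sections of this page) can be rehearsed offline before you open the review screen. The following is an added example, not Atlassian's code: the group names, users, the `default_access` flag and exact-name matching are assumptions, and all data is constructed.

```python
from dataclasses import dataclass

# Constructed sample data; names, users and default_access are illustrative.
IDP_GROUPS = {
    "jira-users": {"ana@example.com", "ben@example.com", "contractor@example.com"},
    "confluence-admins": {"ana@example.com"},
    "engineering": {"ben@example.com", "dee@example.com"},
}
ATLASSIAN_GROUPS = {
    "jira-users": {"members": {"ana@example.com", "ben@example.com", "cy@example.com"},
                   "default_access": True},
    "confluence-admins": {"members": {"ana@example.com", "eve@example.com"},
                          "default_access": False},
    "site-admins": {"members": {"ana@example.com"}, "default_access": False},
}

@dataclass
class Conflict:
    name: str
    gain_access: list  # only in the IdP group: added if the group is overwritten
    lose_access: list  # only in the existing group: removed if overwritten
    blocked: bool      # default access group: cannot sync until that is changed

def find_conflicts(idp_groups, atlassian_groups):
    """One Conflict per group name present on both sides (exact match assumed)."""
    conflicts = []
    for name in sorted(idp_groups.keys() & atlassian_groups.keys()):
        idp, existing = idp_groups[name], atlassian_groups[name]
        conflicts.append(Conflict(name, sorted(idp - existing["members"]),
                                  sorted(existing["members"] - idp),
                                  existing["default_access"]))
    return conflicts

def review_options(conflict):
    """List the IdP-side updates available for each potential change."""
    options = []
    if conflict.blocked:
        options.append("change the group's default access status before syncing")
    options += [f"remove {u} from the IdP group if they should not gain access"
                for u in conflict.gain_access]
    options += [f"add {u} to the IdP group if they should not lose access"
                for u in conflict.lose_access]
    return options

if __name__ == "__main__":
    for c in find_conflicts(IDP_GROUPS, ATLASSIAN_GROUPS):
        print(c.name, f"+{len(c.gain_access)}/-{len(c.lose_access)}", review_options(c))
```

Groups that exist on only one side (`engineering`, `site-admins` in the sample) are not conflicts and do not appear in the result.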

Sync groups after you review

When we sync groups, we overwrite your organization groups with your IdP groups. This means that some users could lose or gain product access and permissions granted by the group.

You have the flexibility to sync one group at a time or to sync all groups at once.

To review and sync groups:

  1. Go to your organization at admin.atlassian.com.

  2. Navigate to your Identity provider directory.

    1. For Google Workspace, select Groups.

    2. For other identity providers, go to the User provisioning section.

  3. A warning message appears with the number of groups we could not sync.

  4. Select Review groups.

  5. Review member changes (members to be added or removed from the group).

  6. Select Sync group.

To sync all groups quickly, select Sync all groups and follow the prompts.

Sync all groups syncs the first 20 groups on the list of conflicting groups. You may need to select Sync all groups multiple times to sync your complete list of conflicts in batches of 20.

Group sync is complete

You know you’re done syncing when the number of synced groups listed in User provisioning matches the number of synced groups in your IdP.

Learn more about syncing in User provisioning or Google Workspace

 
