Provision and sync users from an identity provider
Make changes in your identity provider to users and groups and sync them to your Atlassian organization.
Nested groups are subgroups of other groups. Companies use nested groups for permission inheritance or to recreate the company’s structure in an external user directory.
You’re unable to see nested groups in your Atlassian cloud organization, but you can keep the nested structure in your external directory and use the flattened one in your Atlassian organization. We’ve created a custom integration for Azure AD to let you achieve that.
Here’s an example of a nested structure in your external user directory:
Parent group: Atlassian
Nested groups: Design, Engineering, Grads
What’s essential in the nested structure is permission inheritance. Members of nested groups receive permissions not only from their direct groups but also from parent groups. For example, members of the Design group nested under the Atlassian group inherit permissions from both groups.
You can add a user to a single nested group instead of adding them to each group individually. Users inherit memberships and permissions from all parent groups.
When you sync your users over SCIM (without flattening the groups):
Group memberships: Users no longer have memberships and permission inheritance from parent groups
Groups: You can see in the illustration that all groups sync to the same level. We sync all groups without preserving the nested structure.
The custom integration automatically converts nested groups into a flat structure. It retains all group memberships.
When you sync users to Atlassian cloud with the Microsoft Graph API integration:
Group memberships: We add users to each group individually. After we flatten the group structure, members of a nested group also become members of its parent groups. They inherit permissions from both groups.
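The flattening described above can be checked against a directory export before you sync. The following is an added example, not Atlassian's integration code: it computes the flat memberships for the Atlassian/Design/Engineering/Grads structure and lists the memberships that a sync of direct members only would drop. The user names, the dictionary data model and the function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample directory: group names from the page, users hypothetical.
# child group -> parent groups it is nested under
PARENTS = {"Design": ["Atlassian"], "Engineering": ["Atlassian"],
           "Grads": ["Atlassian"], "Atlassian": []}
# group -> users added to it directly
DIRECT_MEMBERS = {"Atlassian": ["alice"], "Design": ["bob"],
                  "Engineering": ["carol"], "Grads": ["dave"]}


def ancestors(group, parents):
    """Return every group that `group` is nested under, at any depth."""
    seen, stack = set(), list(parents.get(group, []))
    while stack:
        g = stack.pop()
        if g in seen:        # already visited: guards against circular nesting
            continue
        seen.add(g)
        stack.extend(parents.get(g, []))
    seen.discard(group)      # a group caught in a cycle is not its own parent
    return seen


def flatten(parents, direct_members):
    """Flat group -> members map that keeps inherited memberships."""
    flat = defaultdict(set)
    for group, users in direct_members.items():
        for target in {group} | ancestors(group, parents):
            flat[target].update(users)
    return {g: sorted(u) for g, u in flat.items()}


def lost_without_flattening(parents, direct_members):
    """Memberships that disappear when only direct members are synced."""
    lost = {}
    for group, users in flatten(parents, direct_members).items():
        missing = sorted(set(users) - set(direct_members.get(group, [])))
        if missing:
            lost[group] = missing
    return lost


if __name__ == "__main__":
    print(flatten(PARENTS, DIRECT_MEMBERS))
    print(lost_without_flattening(PARENTS, DIRECT_MEMBERS))
```

Any non-empty result from `lost_without_flattening` is access that users hold in the external directory but would not hold in the Atlassian organization after an unflattened sync, which is worth reviewing before and after switching integrations.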