Manage your organization’s Atlassian accounts
Gain control over your employee's Atlassian accounts.
When a user is granted access to a cloud product, they are automatically placed into a default access group. For example, a user is invited toJira and then gets placed in the group jira-users-<site-name>. Each product has at least one default group, and it’s possible for a default group to give access to more than one product.
Depending on how your organization has set up groups in admin.atlassian.com, a user access admin may find it difficult to perform the actions associated with their role.
These are the main issues you might encounter as a user access admin managing groups.
Only organization admins have the ability to configure default groups. This means a user access admin can’t make groups default, or remove a group’s default status.
If you are a user access admin who needs to configure a default group, you’ll need to reach out to your organization admin who can do this on your behalf.
User access admins can only grant users access to products they administer. A user access admin won’t be able to grant access to a product if the product’s default group gives access to other products they don’t administer.
For example, let’s say the default group for Jira also gives access to Confluence. If you are a user access admin for Jira, you won’t be able to grant users access to Jira unless you are also a user access admin for Confluence. This is because the default group for Jira also gives access to Confluence, a product you don’t administer.
If you are a user access admin experiencing this issue, reach out to your organization admin. An organization admin can either edit the default group for that product or make you a user access admin for the additional products within the default group.
As mentioned before, a user is automatically placed into a default group when they’re granted access to a cloud product. Depending on how an organization is configured, it’s possible for a user to be placed into multiple groups that provide access to the same product.
For example, a user might be in the default group (Group 1) for Jira as well as another group (Group 2) that also gives access to Jira and Confluence. A user access admin wouldn’t be able to remove product access to Jira from this particular user, because they are also in a group that gives access to Confluence, a product the user access admin doesn’t administer.
The only way to resolve this issue as a user access admin is to remove Jira access from Group 2. Once this has been removed, the user will only have access to Jira via the default group which you are able to update. However, doing this will completely remove access for any Group 2 users without an alternate group that grants access to Jira.
Otherwise, you can reach out to your organization admin. An organization admin can either remove product access for a user themselves or make you a user access admin for the additional products within the default group.
User provisioning connects your identity provider with your Atlassian organization through System for Cross-domain Identity Management (SCIM). When you make updates in your identity provider, the users and groups in your Atlassian organization will also be automatically updated.
After an organization admin connects your identity provider to your Atlassian organization, all provisioned users are automatically added to a group.
Learn more about user provisioning
A user access admin may encounter an issue when trying to remove product access from a provisioned user if their SCIM group grants access to that product.
For example, an organization admin has connected Google Workspace to your Atlassian organization. All users within Google Workspace are placed into the same SCIM group which sits within your Atlassian organization.
You’re a user access admin for Jira and you grant the SCIM group access to Jira. You then need to remove access to Jira for one user within the SCIM group.
In order to remove product access for the user, you’ll need to be able to remove them from all groups that grant access to Jira. Because SCIM groups are read-only groups, you can’t remove the user from the SCIM group that grants access to Jira. This means you won’t be able to remove access to Jira for that user because they are part of a SCIM group.
If you are a user access admin experiencing this issue, reach out to your organization admin. An organization admin can use your identity provider to remove a user from the SCIM group. You’ll then be able to add the user to the default group for Jira.
Was this helpful?