How to prevent JIRA Administrators from modifying certain groups in Crowd Directory
Purpose
Consider the following scenario:
In Crowd, all the users and groups are located within a single directory. As a result, when JIRA is connected to this directory with read-write permission enabled, JIRA Administrators will be able to add users to any group.
In some cases, the same directory could be shared among different applications, and JIRA Administrators should not be allowed to make any changes to certain groups.
Solution
Due to a limitation of Crowd directories, it is not possible to restrict a directory to read-only on a per-group basis. The workaround is to set up multiple directories with different levels of permission and separate the groups between those directories.
In Crowd:
- Create a directory with read-only permission
- Create a directory with read-write permission
- Create an application and associate it with the read-only directory
- Create another application and associate it with the read-write directory
- Groups that need to be restricted should be located in the read-only directory only
- Other groups will be located in the read-write directory
In JIRA:
- Connect to both the directories
- JIRA Administrators will not be able to modify any groups in the read-only directory, even if they change the Crowd permission in JIRA to read-write
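
The separation only protects a group if it really lives in the read-only directory and nowhere else. The following check is an added example, not Atlassian code: it audits a directory-to-group inventory against a list of restricted groups. The directory names, group names and the case-insensitive name comparison are assumptions, and the inventory is constructed sample data rather than Crowd output.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    name: str
    read_only: bool
    groups: set = field(default_factory=set)


def audit_layout(directories, restricted_groups):
    """Return sorted (group, problem) findings; an empty list means the layout is sound."""
    findings = []
    for group in restricted_groups:
        # Assumption: group names are compared case-insensitively.
        key = group.casefold()
        holders = [d for d in directories
                   if key in {g.casefold() for g in d.groups}]
        # A restricted group must exist in at least one read-only directory...
        if not any(d.read_only for d in holders):
            findings.append((group, "not present in any read-only directory"))
        # ...and must not also exist in a directory JIRA can write to.
        for d in holders:
            if not d.read_only:
                findings.append(
                    (group, f"also present in read-write directory '{d.name}'"))
    return sorted(findings)


# Constructed sample inventory (hypothetical names).
SAMPLE = [
    Directory("corp-readonly", True, {"finance-approvers", "confluence-admins"}),
    Directory("jira-readwrite", False, {"jira-developers", "Finance-Approvers"}),
]
RESTRICTED = ["finance-approvers", "confluence-admins", "hr-managers"]

if __name__ == "__main__":
    for group, problem in audit_layout(SAMPLE, RESTRICTED):
        print(f"{group}: {problem}")
```

A finding for a restricted group in the read-write directory means JIRA Administrators can still change that group's membership there.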