User provisioning

User provisioning with Atlassian access

User provisioning is available when you subscribe to Atlassian Access.

Atlassian Access enables company-wide visibility, security, and control across all your Atlassian Cloud products. Now there’s one place to manage your users and enforce security policies so your business can scale with confidence.

Read more about how to start with Atlassian Access.

About user provisioning

We support user provisioning using the System for Cross-domain Identity Management (SCIM), and this feature uses the SCIM 2.0 version of the protocol.

User provisioning integrates an external user directory with your Atlassian Cloud products. This integration allows you to automatically update the users and groups in your Atlassian organization when you make updates in your identity provider (IdP). For example, with user provisioning, you can create, link, and deactivate managed Atlassian user accounts from your IdP.

You can only sync up to 5,000 users per external directory because some Atlassian products have an upper limit for total supported users. If your external directory has more than 5,000 users, you can still integrate your identity provider, but we'll stop syncing new users after 5,000.

After you connect your IdP to your organization, your users and groups sync to your organization and sites, making them available for granting product access. This diagram illustrates how users and groups sync once you set up user provisioning.

The next few sections break down how the synchronization works:

1. Users and groups sync from your IdP to your organization

When you configure your user provisioning setup, you create a directory for your provisioned users. After setup is complete, all users and groups in your IdP with a verified domain sync to your organization's directory, as shown in the diagram.

After you connect your IdP to your Atlassian organization, synced directory groups appear in your Atlassian organization and you're unable to make changes to a user's account from the organization.

If your Atlassian organization already has existing users:

  • And the IdP has a user with the same email address as a user in your organization, we'll create a link between both user accounts. Going forward, you can only make changes to the user's account from your IdP.
  • And the IdP doesn't have a user with the same email address as a user in your organization, the user's access remains the same and you can still manage that user from your Atlassian organization.

2. Your organization’s directory syncs to all associated sites

Any sites you've added to your organization now have access to your provisioned users and groups, as shown in the diagram. Synced directory groups will appear alongside the default and native groups in your sites.

3. Groups get assigned to products

You can automatically grant users default product access by assigning groups to your site's products, as shown in the diagram.

Supported identity providers

Your user provisioning setup depends on the identity provider you use. Supported identity providers include:

In the future, we may support more identity providers based on customer demand.

User provisioning features

Once you connect your identity provider to your Atlassian organization, you manage all user attributes and group memberships from your identity provider. If you want to manage users from your Atlassian organization, disable the connection with your identity provider.

Unsupported features

User provisioning doesn't support the following features related to groups:

  • Renaming groups after they've synced to your Atlassian organization. Instead, you'll need to create a new group with the desired name, update its membership, and delete the old group.
  • Pushing a group from your IdP that has the same name as a group in your organization. Otherwise, you'll get an error when you try to sync.

Supported user account operations

When you perform these user management operations from your identity provider, your updates will sync with your Atlassian Cloud organization.

We only sync user accounts from your identity provider to your Atlassian organization when they have email addresses from verified domains. We won't create, link, or update user accounts in Atlassian Cloud with email addresses outside of your verified domains (e.g. gmail.com or yahoo.com).

The supported operations, with notes on each:

Create a new user account

A user account only gets created when it has an email address with a verified domain.

Link an existing user account

If a managed Atlassian account already exists on the Atlassian platform, we'll automatically link the user in your IdP to the user in your Atlassian organization.

Update a user's account details

You can update these user attributes from your IdP:

  • Display name
  • Email address
  • Organization
  • Job title
  • Timezone
  • Department
  • Preferred language

More about Display names

A user's first and last names combine to create the Display name. If a display name is provided, that value overwrites the first and last name combination.

Activate a user account

You can activate a user's Atlassian account from the IdP.

Deactivate a user account

You can deactivate a user's Atlassian account from the IdP or mark the user as inactive in the Atlassian directory.

Delete a user account

To delete a user's Atlassian account, delete the user from the Atlassian directory.

Supported group operations

Use groups to manage admin permissions and product access (new licenses) from your identity provider, and these updates will sync with your Atlassian organization.

Groups created manually and by default (e.g. confluence-users, site-admins) in your Atlassian organization can't be managed via SCIM integration. You can only manage groups synced from your identity provider directory via SCIM.

The supported operations, with notes on each:

Create a group

The group gets created as a read-only group in the organization's directory. You can only edit groups from your IdP. Give the new group a name that doesn't already exist in your organization.

Delete a group

Delete a group from your IdP to remove the group from your organization's directory.

Push an existing group

If you try to push a group from your IdP that has the same name as a group in your organization, you'll get an error.

Update group membership

You can update groups from your IdP to configure product access, admin privileges, or application-specific settings, such as Confluence space permissions.
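As an added example (not Atlassian's code and not part of this page), the following Python simulates the user account rules above (only verified domains sync, an existing account with the same email is linked, a display name overrides first + last name, syncing stops at 5,000 users) together with the group rule (a pushed group may not reuse an existing or default group name). The verified domain example.com, the sample SCIM resources and the pre-existing organization account are constructed assumptions.

```python
VERIFIED_DOMAINS = {"example.com"}                    # assumption: your verified domain(s)
DEFAULT_GROUPS = {"confluence-users", "site-admins"}  # default groups the page names
USER_LIMIT = 5000                                     # per external directory

def display_name(scim_user):
    """A SCIM displayName overrides the first + last name combination."""
    name = scim_user.get("name", {})
    combined = f"{name.get('givenName', '')} {name.get('familyName', '')}".strip()
    return scim_user.get("displayName") or combined

def sync_user(scim_user, directory, existing_accounts):
    """One SCIM User: skip unverified domains, link an existing account, else create."""
    email = scim_user["userName"].lower()
    if email.rsplit("@", 1)[-1] not in VERIFIED_DOMAINS:
        return "skipped:unverified"      # e.g. gmail.com: never created, linked or updated
    if len(directory) >= USER_LIMIT:
        return "skipped:limit"           # syncing of new users stops after 5,000
    if email in existing_accounts:       # same email in org and IdP: link, IdP now owns it
        existing_accounts[email]["managed_by_idp"] = True
        directory[email] = existing_accounts[email]
        return "linked"
    directory[email] = {"displayName": display_name(scim_user),
                        "active": scim_user.get("active", True), "managed_by_idp": True}
    return "created"

def push_group(scim_group, directory_groups, org_groups):
    """Reject a pushed group whose name already exists in the organization."""
    name = scim_group["displayName"]
    if name in DEFAULT_GROUPS or name in org_groups or name in directory_groups:
        raise ValueError(f"group '{name}' already exists in the organization")
    directory_groups[name] = {"read_only": True,     # editable only from the IdP
                              "members": [m["value"] for m in scim_group.get("members", [])]}
    return directory_groups[name]

def run_example():
    """Constructed sample sync; returns (per-operation outcomes, directory, groups)."""
    existing = {"alice@example.com": {"displayName": "Alice Adams", "managed_by_idp": False}}
    directory, groups = {}, {}
    users = [{"userName": "alice@example.com", "name": {"givenName": "Alice", "familyName": "Adams"}},
             {"userName": "bob@example.com", "name": {"givenName": "Bob", "familyName": "Brown"},
              "displayName": "Bobby B"},
             {"userName": "carol@gmail.com"}]
    outcomes = [sync_user(u, directory, existing) for u in users]
    push_group({"displayName": "eng-team", "members": [{"value": "bob@example.com"}]}, groups, set())
    try:                                 # collides with a default group: the error the page describes
        push_group({"displayName": "site-admins"}, groups, set())
    except ValueError:
        outcomes.append("site-admins:rejected")
    return outcomes, directory, groups
```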

Troubleshooting

When troubleshooting issues with syncing users and groups, check the Audit log on the User provisioning page of your Atlassian organization.

Each entry below lists the problem, the troubleshooting tips, and whether the event is recorded in the Audit log.

Problem: A group has successfully synced, but the group is empty and doesn't include any synced users.
Troubleshooting tips: When pushing a group, make sure that the synchronized group does not have the same name as a default group (e.g. site-admins) or a manually created group.
Recorded in Audit log: Yes

Problem: A group synced successfully, but you don't see it in the site admin area and can't find it on the Product access page.
Troubleshooting tips: Make sure you added the site to your organization. To add the site, use the Add a site option from your Atlassian Cloud organization.
Recorded in Audit log: No

Problem: A user seems to be successfully synced, but the user account doesn't appear on the Managed accounts page.
Troubleshooting tips: Check that the user's email address is part of a verified domain. If the user's account doesn't have an email address with a verified domain, you can do one of the following:
  • Verify the domain, after which the user will sync successfully.
  • Update the email address in the external directory to match the verified domain.
  • Invite the user manually.
Recorded in Audit log: Yes
Last modified on Jan 11, 2019