Managing nested groups
This page describes how Jira handles nested groups that exist in one or more of your directory servers. Note that if you're using nested groups, you can't use an LDAP directory for delegated authentication.
Enabling Nested Groups
You can enable or disable support for nested groups on each directory individually. Select User Directories from the Jira administration menu, edit the directory and select Enable Nested Groups. See Configuring user directories.
Notes:
- Make sure that your directory server supports nested groups before you enable nested groups for a specific directory type in Jira.
- You can nest internal groups in internal groups, or external groups in external groups. You can't nest an internal group in an external group or vice versa.
- Please read the rest of this page to understand what effect nested groups will have on authentication (login) and permissions in Jira, and what happens when you update users and groups in Jira.
Effect of Nested Groups
This section explains how nested groups affect logging in, permissions, and viewing and updating users and groups.
Login
When a user logs in, they can access the application if they belong to an authorized group or any of its sub-groups.
Permissions
The user can access a function if they belong to a group that has the necessary permissions, or if they belong to any of its sub-groups.
Viewing lists of group members
If you ask to view the members of a group, you will see all users who are direct members of the group and all users belonging to its sub-groups (at any depth), consolidated into one list with each user shown once. We call this a flattened list.
You can't view or edit the nested groups themselves, or see that one group is a member of another group.
Adding and updating group membership
If you add a user to a group, the user is added to the named group and not to any other groups.
If you try to remove a user from a flattened list, the following will happen:
- If the user is a direct member of the group whose flattened list you are viewing (the top group in that hierarchy), the user is removed from that group.
- Otherwise, you see an error message stating that the user is not a direct member of the group, and nothing is removed; the membership lives in a sub-group, which you can't edit through the flattened list.
Examples
Example 1: User is member of sub-group
Imagine the following two groups exist in your directory server:
- staff
- marketing
Memberships:
- The marketing group is a member of the staff group.
- User jsmith is a member of marketing.
You will see that jsmith is a member of both marketing and staff. You will not see that the two groups are nested. If you assign permissions to the staff group, then jsmith will get those permissions.
Example 2: Sub-groups as members of the jira-developers group
In an LDAP directory server, we have the groups engineering-group and techwriters-group. We want to grant both groups developer-level access to Jira. We will have a group called jira-developers that has developer-level access.
- Add a group called jira-developers.
- Add the engineering-group as a sub-group of jira-developers.
- Add the techwriters-group as a sub-group of jira-developers.
Group memberships are now:
- jira-developers — sub-groups: engineering-group, techwriters-group
- engineering-group — sub-groups: dev-a, dev-b; users: pblack
- dev-a — users: jsmith, sbrown
- dev-b — users: jsmith, dblue
- techwriters-group — users: rgreen
When Jira requests a list of users in the jira-developers group, it receives the following flattened list (jsmith appears once, although they're a member of both dev-a and dev-b):
- pblack
- jsmith
- sbrown
- dblue
- rgreen
Diagram: Sub-groups as members of the jira-developers group
Notes
- Possible impact on performance. Enabling nested groups may result in slower user searches.
- Definition of nested groups in LDAP. In an LDAP directory, a nested group is a child group entry whose DN (Distinguished Name) is referenced by an attribute contained within a parent group entry. For example, a parent group Group One might have an objectClass=group attribute and one or more member=DN attributes, where the DN can be that of a user or that of a group elsewhere in the LDAP tree:
  objectClass=group
  member=CN=John Smith,OU=Users,OU=OrgUnitA,DC=sub,DC=domain
  member=CN=Group Two,OU=OrgUnitBGroups,OU=OrgUnitB,DC=sub,DC=domain
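The following is an added example, not Atlassian's code, that models how a nested-group lookup produces the flattened member list this page describes. It expresses the jira-developers hierarchy from Example 2 as LDAP entries of the kind the note above defines (group entries whose member attribute holds the DN of a user or of another group), resolves the flattened list, and applies the page's rules for login/permission checks and for adding or removing members. The DN layout, entry contents and the extra loop-a/loop-b groups are constructed for the example; the function names are this example's own, not a Jira or Crowd API.

```python
"""Added example, not Atlassian's code: resolve nested LDAP group membership
into the flattened list this page describes, and apply the page's add/remove
rules. Directory entries, DN layout and the loop-a/loop-b groups are
constructed for the example."""
from typing import Dict, List, Set

BASE = "DC=sub,DC=domain"


def udn(cn: str) -> str:
    """DN of a user entry (layout assumed for the example)."""
    return f"CN={cn},OU=Users,{BASE}"


def gdn(cn: str) -> str:
    """DN of a group entry (layout assumed for the example)."""
    return f"CN={cn},OU=Groups,{BASE}"


def grp(cn: str, *members: str):
    """A group entry whose member values are DNs, as in the LDAP note above."""
    return gdn(cn), {"objectClass": "group", "cn": cn, "member": list(members)}


# Constructed directory: DN -> attributes. Users first, then groups.
ENTRIES: Dict[str, dict] = {
    udn(u): {"objectClass": "person", "cn": u}
    for u in ["pblack", "jsmith", "sbrown", "dblue", "rgreen", "jwhite"]
}
ENTRIES.update(dict([
    grp("jira-developers", gdn("engineering-group"), gdn("techwriters-group")),
    grp("engineering-group", gdn("dev-a"), gdn("dev-b"), udn("pblack")),
    grp("dev-a", udn("jsmith"), udn("sbrown")),
    grp("dev-b", udn("jsmith"), udn("dblue")),
    grp("techwriters-group", udn("rgreen")),
    # LDAP does not stop two groups from being members of each other; a
    # resolver without a visited set would loop forever on this pair.
    grp("loop-a", gdn("loop-b"), udn("jwhite")),
    grp("loop-b", gdn("loop-a")),
]))


def flattened_members(group_cn: str) -> List[str]:
    """Every user in the group or in any sub-group, listed once: the
    'flattened list'. Walks member DNs depth-first; the seen set makes
    membership cycles harmless. Dangling DNs are skipped, not failed."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [gdn(group_cn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for member in ENTRIES[dn]["member"]:
            target = ENTRIES.get(member)
            if target is None:
                continue
            if target["objectClass"] == "group":
                stack.append(member)
            else:
                users.add(target["cn"])
    return sorted(users)


def can_access(user_cn: str, authorized_group: str) -> bool:
    """Login/permission rule from this page: direct or nested membership
    of the authorized group is enough."""
    return user_cn in flattened_members(authorized_group)


def add_member(group_cn: str, user_cn: str) -> None:
    """Adding a user touches only the named group, never its parents
    or sub-groups."""
    members = ENTRIES[gdn(group_cn)]["member"]
    if udn(user_cn) not in members:
        members.append(udn(user_cn))


def remove_from_flattened_list(group_cn: str, user_cn: str) -> None:
    """Removal through a flattened list is only possible for a direct
    member of the group being viewed; otherwise Jira reports that the
    user is not a direct member, and the membership is left alone."""
    members = ENTRIES[gdn(group_cn)]["member"]
    if udn(user_cn) not in members:
        raise ValueError(f"{user_cn} is not a direct member of {group_cn}")
    members.remove(udn(user_cn))


if __name__ == "__main__":
    print(flattened_members("jira-developers"))
```

Running the block prints the five users from Example 2. The seen set is the part worth copying: a directory server will store a membership loop without complaint, and a resolver that follows member DNs without tracking visited groups turns that loop into a hung login or a full sync failure rather than a harmless flattened list.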
Related topics
- Configuring the internal directory
- Connecting to an LDAP directory
- Connecting to an internal directory with LDAP authentication
- Connecting to Crowd or another Jira application for user management
- Managing multiple directories
- Migrating users between user directories
- Synchronizing data from external directories