How to prevent JIRA Administrators from modifying certain groups in Crowd Directory
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Consider the following scenario:
In Crowd, all the users and groups are located within a single directory. As a result, when JIRA is connected to this directory with read-write permission enabled, JIRA Administrators will be able to add users to any group.
In some cases, the same directory could be shared among different applications, and JIRA Administrators should not be allowed to make any changes to certain groups.
Solution
Due to a limitation of Crowd directories, it is not possible to restrict a directory to read-only on a per-group basis. The workaround is to set up multiple directories with different levels of permission and separate the groups between those directories.
In Crowd:
Create a directory with read-only permission
Create a directory with read-write permission
Create an application and associate it with the read-only directory
Create another application and associate it with the read-write directory
Groups that need to be restricted should be located in the read-only directory only
Other groups will be located in the read-write directory
In JIRA:
Connect to both directories
JIRA Administrators will not be able to modify any groups in the read-only directory, even if they change the Crowd permission in JIRA to read-write
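A check for the group placement described above, added here as an example and not part of the original article: given an inventory of which groups exist in each Crowd directory, it reports restricted groups that are missing from the read-only directory or that also exist in a read-write one. The directory names, group names, input layout and case-insensitive name matching are assumptions of this example.

```python
# Added example: audit group placement across Crowd directories.
# Directory names, group names and the input layout are constructed for
# illustration; populate `directories` from your own export of each directory.

def audit_group_placement(directories, restricted_groups):
    """Return a sorted list of findings; an empty list means placement is correct.

    directories: {directory name: {"permission": "read-only" | "read-write",
                                   "groups": iterable of group names}}
    restricted_groups: names of groups JIRA Administrators must not modify.
    Names are compared case-insensitively (an assumption of this example).
    """
    findings = []
    for wanted in restricted_groups:
        key = wanted.casefold()
        # Every directory that holds a group with this name, with its permission.
        holders = [
            (name, d["permission"])
            for name, d in directories.items()
            if key in {g.casefold() for g in d["groups"]}
        ]
        if not any(perm == "read-only" for _, perm in holders):
            findings.append(f"{wanted}: not present in any read-only directory")
        for name, perm in holders:
            if perm != "read-only":
                findings.append(f"{wanted}: present in {perm} directory '{name}'")
    return sorted(findings)


# Constructed sample inventory: one restricted group is duplicated (with
# different casing) in the read-write directory, one is missing entirely.
SAMPLE_DIRECTORIES = {
    "crowd-restricted": {
        "permission": "read-only",
        "groups": ["confluence-administrators", "finance-approvers"],
    },
    "crowd-jira-managed": {
        "permission": "read-write",
        "groups": ["jira-developers", "Finance-Approvers"],
    },
}
SAMPLE_RESTRICTED = ["confluence-administrators", "finance-approvers", "hr-admins"]

if __name__ == "__main__":
    for finding in audit_group_placement(SAMPLE_DIRECTORIES, SAMPLE_RESTRICTED):
        print(finding)
```

Run it after the initial split and again whenever groups are added, so that a restricted group recreated in the read-write directory is noticed.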