Why you need to automate user management

Automating user management is one of the most important areas of improvement in Atlassian apps in general and in Jira. As long as administrators have to manually manage the entire access management lifecycle, your company will suffer from a series of chronic diseases:

• Poor onboarding experiences, as new employees wait for their Jira account while the IT team make time on their schedule.
• Constant distractions on the IT staff side, as provisioning users into Jira manually disturbs more important work.
• Poor reaction to changes. New devices, relocations, promotions, new projects or revamped job descriptions happen every week. Without an automated process in Jira to align permissions, group memberships and application access, the administration burden of these changes can sink your productivity.
• Latent access from former employees is a major security risk. How much confidential information do you store in your issues?
• Temporary access to special users, such as contractors and partners, can keep your team jumping through the loops.

While small companies can still tackle these problems with hard work, scale makes manual work absolutely intolerable: no one will have visibility over every small change.

What can you do with automated user management in Jira

Once you automate user management in Jira, you will be able to forget about your internal user directory and run everything from your central directory or identity provider. As you make changes there, they will automatically propagate to Jira and any other Atlassian applications. This will allow your IT team to:

• Create new employee accounts (user provisioning) before their first login.
• Disable, deactivate or delete existing users (user deprovisioning) automatically as they leave the company
• Manage group memberships on the IdP to make sure every user has the right permissions and can see the right projects.
• Update user profiles (also called user attributes) periodically or upon login.

At this point you may be wondering… So what do I need to start automating user management in Jira?

The only option to automate the entire user lifecycle is to integrate Jira with your Identity Provider via REST API.

However, the specifics of implementing this type of automation will depend largely on your Jira deployment and where your corporate user directory lives.

How to automate user management in Jira Cloud

If you’re a customer of Jira Cloud, automating user management through the API with a cloud Identity Provider should be quite easy For example, if you’re using Okta to manage your user identities, you won’t need any additional solutions: simply follow this tutorial.

How to automate user management in Jira Server and Data Center

However, things will look a bit different for Server and Data Center, where there’s no possibility to directly integrate Identity Providers with Jira for provisioning users.

You have two main options: writing your own scripts or using a third party app from the Atlassian Marketplace, like User and Groups Sync by resolution.

Option 1: Write your own scripts

What it is: Write your own scripts to modify the Jira user directory whenever a change is triggered from your Identity provider.

Pros: You’ll be in control of exactly how Jira users are synchronized from the Identity Providers’ API.

Cons:

• Writing scripts for every possible situation can be cumbersome, and you will need talent and capacity to tackle this project
• Maintaining scripts over time will be resource intensive
• Since many of the Jira methods are experimental, changes in the API will certainly occur, resulting in lost connectivity while the scripts are fixed.

Option 2: User and Group Sync

What it is: User and Group Sync for Jira will make changes in your Identity Provider and synchronize them in Jira with one click.

Pros:

• Covers the entire lifecycle management: user provisioning and deprovisioning as well as role-based access control (RBAC) through group memberships.
• If your Identity Provider is not supported out of the box, a custom connector can be easily created by adapting our existing code.
• Any additional information that you need to have in Jira about your users can easily be synchronized through intuitive attribute mapping
• Compatible with using SAML SSO for authentication and included for free in resolution’s SAML Single Sign-On for Jira.

Cons:

• Because it was not designed for authentication purposes, User Sync cannot be used currently to create passwords for newly provisioned users.

Read the product documentation for more details.

Conclusion

Automating user lifecycle management is not an option. It’s a must in any modern enterprise that takes security and usability seriously – particularly at a time when remote work and multi-device usage are putting pressure on the traditional notion of central, secure networks and applications.

If your current process is to manage the digital identities of your employees, partners and consultants from a central platform like Okta, Onelogin or Azure AD but you’re having issues throwing Atlassian Server or Data Center applications under the hood, you should try the API integration with User and Group Sync.