My org's Confluence (and Jira) instances are integrated with its Active Directory, i.e., a User with an e-mail address in the AD can be added to user groups in Confluence / Jira.
A Space owner has requested that a certain Page (and only that Page) be viewable for all users who belong to certain internal suborganizations, i.e., if Department = xxx or yyy or (etc.), then that user will be able to view the Page. This would be instead of an Admin adding individuals one e-mail address at a time.
Is such an integration even possible? More basically, is it even possible to configure user access in any way other than one user at a time?
You mention Space and Page. Firstly, just to establish: you cannot make a page visible to a "broader audience" if you do not make the Space available to that audience to begin with. Each page you try to visit will first verify if you can access the Space; if so, then it will look at whether the page has any restriction, and only then will it decide to allow you to access the page.
(So every other page in that Space would have to be restricted, created as restricted, and kept as restricted. And each restriction needs to be done for users or groups. And that's not manageable.)
That aside, you could sync group membership from AD, but the 'department' is not a good prospect. It's a bit of a complex topic that I'm not an expert in, but I've been around a few AD setups. This will obviously be different for individual AD types and might differ a bit even with the same AD type, but in principle, you could belong to multiple groups, and the AD may or may not contain these groups you belong to (because again, a lot of variables here), but you would theoretically only belong to a single department.
I believe - and this is where you should take me with a grain of salt because we've never done this - you could sync the department AD attribute as a group, but you would have a hell of a time using both department and group later on, if that could even be done. Again, that's just my impression, I haven't done this nor have I tried to do this, this is just my inner common sense saying, department != group.
To give you some perspective I'm working from - we have a data center which syncs user groups based on AD groups. So a user can belong to 5, 10, 20 groups depending on whatever company groups they were added to (it's a big company, so as you can imagine there are a lot of unused groups in terms of Confluence). But in any case, a guy from one department can be working with a lot of other departments/groups. If he needs access to Spaces owned by several other departments, then he needs to be added to those groups. Once he's added to those groups, he can access their Spaces. This would never be possible if we only synced departments as groups.
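The check order described in the answer above (Space access first, then the page restriction), as an added example that is not part of the original thread or Atlassian's code. It is a simplified Python model: page hierarchy and inherited restrictions are ignored, and the space, page and group names are constructed. It lists the pages that would become visible to the department groups once they are given space-level View access for the sake of one page.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    title: str
    # Empty set = no view restriction; otherwise only these groups may view.
    view_allowed: set = field(default_factory=set)

@dataclass
class Space:
    key: str
    view_groups: set   # groups holding the space-level View permission
    pages: list

def can_view(space, page, user_groups):
    """Space permission is evaluated first, then the page restriction."""
    if not (space.view_groups & user_groups):
        return False                      # no Space access: page is never reached
    return not page.view_allowed or bool(page.view_allowed & user_groups)

def overexposed(space, target_title, new_groups):
    """Pages other than the target that members of new_groups could view once
    those groups get space-level View, i.e. the pages that would each need
    their own restriction to keep the current audience."""
    widened = Space(space.key, space.view_groups | new_groups, space.pages)
    return [p.title for p in widened.pages
            if p.title != target_title
            and any(can_view(widened, p, {g}) for g in new_groups)]

# Constructed sample data (hypothetical names).
SPACE = Space("HR", {"hr-team"}, [
    Page("Benefits overview"),               # the one page to be shared
    Page("Salary bands", {"hr-managers"}),   # already restricted
    Page("Hiring plan"),
    Page("Org chart"),
])
DEPT_GROUPS = {"dept-xxx", "dept-yyy"}

if __name__ == "__main__":
    for title in overexposed(SPACE, "Benefits overview", DEPT_GROUPS):
        print("would need a view restriction:", title)
```

Every title it reports is a page that has to be restricted, and kept restricted, for the single-page request to hold.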
Thank you, Radek. I agree, the premise is extremely Rube-Goldberg, but I must be able to report that I asked the question. The goal makes sense: "everybody in Office X should be able to see this page." Sounds reasonable, but in the end we'll need names, not affiliations.