
Groups Synced from Identity Provider not Providing Access to Confluence

Elijah Sauder February 13, 2023

Hello!

I am having an issue where the groups that are being synced from my identity server for user provisioning are not granting people access to Confluence. I have to go in and manually assign the default groups that come with Confluence.

Any help to resolve this is appreciated. 

1 answer

0 votes
Trudy Claspill
Community Champion
February 13, 2023

Hello @Elijah Sauder 

Welcome to the Atlassian community!

The tags on your post indicate you are using a Free plan. Are you really using a Free plan? If so, you are limited to 10 users. If you grant access to more than 10 users, you will have to pay for your Confluence use.

Under User Access Settings, have you defined a set of approved domains for your synced users and set those so that they are automatically assigned a role in the Confluence product?

https://support.atlassian.com/user-management/docs/control-how-users-get-access-to-products/

Elijah Sauder February 13, 2023

Hello, we are currently using the free plan, that is correct. We only have 5 people using it at the moment for testing it out, so we shouldn't be hitting the 10 user max.

I do have the approved domains set up. Though idk if that would affect SCIM provisioning.

Trudy Claspill
Community Champion
February 14, 2023

Do the approved domains cover the email domains of the users that would be provisioned?

If so, then you can add to the approved domain a configuration to automatically grant access to products for users in that domain. See step 4 here:

https://support.atlassian.com/user-management/docs/control-how-users-get-access-to-products/#Approved-domains

That should give them access to the products automatically after they have been provisioned, I believe.

Elijah Sauder February 14, 2023

The approved domains currently do cover the email domains of the users.

Trudy Claspill
Community Champion
February 14, 2023

Then you can add to the approved domain a configuration to automatically grant access to products for users in that domain. See step 4 here:

https://support.atlassian.com/user-management/docs/control-how-users-get-access-to-products/#Approved-domains

That should give them access to the products automatically after they have been provisioned, I believe.

Elijah Sauder February 27, 2023

It looks like it is set to the user role already. I also tested after making sure that it was set to user, and people still cannot access it unless I manually add them to the built-in role.

Kieren _SmolSoftware_
Rising Star
December 6, 2023

@Elijah Sauder 

The approved domain feature only assigns product access when the user tries to access the product for the first time. @Trudy Claspill is right in that it would work for you in this scenario, but the downside is anyone with that email domain can get access to your products, not just your sync'd users.

An alternative to get those users access to the default product groups immediately is convoluted...

1. Create a new default group for the groups you want to "takeover". e.g. create a group in admin.atlassian.com called new-confluence-users-xyz-default.
2. Make new-confluence-users-xyz-default the default group for the Confluence User role.
3. Remove confluence-users-xyz as the default group (but keep the product access on that group).
4. Once confluence-users-xyz is no longer a default group, you can create that group name in your IDP and sync that group into admin.atlassian.com.

There is one issue with this solution; any users not added via the IDP will not be able to get access to confluence-users-xyz, they'll go into new-confluence-users-xyz-default. This means extra work for your admins to ensure those non-IDP users can access the right products/spaces/projects.

2. A simpler alternative is, I'm building an automation app that could help with this, essentially we're solving ACCESS-604. It's about to be released in a free closed beta (around mid January 2024). If you're interested, contact us via our website smolsoftware.com to be a part of the beta. I'll also update this post when the app is launched publicly in February 2024. 

-Kieren
Co-Founder @ Smol Software | Ex-Atlassian

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
FREE
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders
