Hi,
I have a problem/question. We have some AD accounts that need to access JIRA, but others only need access to the Service Desk as customers, and we want to use AD to unify the logins and the passwords.
We have added an organization in our service desk project and all the users on it (Jira users and non Jira users). We have also added the customers role to the users in the service desk project. We have removed the default access to Jira for new users in the Application Access options.
Anyway, when a user logs in to the service desk portal for the first time, their user obtains a Jira license, and we have to go into their profile and manually remove the jira-software-user check.
How can we avoid this?
Thanks in advance for your support.
Hi,
This is a pretty common scenario to see with Jira Service Desk (JSD). Just to recap, you're using an Active Directory/LDAP user directory in Jira, and when users first sign into the customer portal in Jira Service Desk, they are being granted a license seat for JSD.
What I suspect is actually happening is that when the user first signs into Jira, the way your user directory is configured within Jira is actually configured to give them membership to a group name. That is a fairly common approach when you use the Delegated LDAP directory in Jira. But there is a misconfiguration in your environment here.
In order for users to be able to login to the JSD customer portal, the user does not need to belong to any groups at all. Only licensed users in Jira need to have group membership to be able to login to the main Jira site. More details on the concept for Jira Server products can be found in Licensing and application access.
By default, nearly all Jira Service Desk installations will automatically create an internal group name called 'jira-servicedesk-users'. The common misunderstanding here is that anyone using JSD needs to be in that group. That is not true. Only licensed JSD users (aka agents) should be in that group, and being in that group grants them access to see queues, respond to customer requests, etc. Your end users that just need to be able to raise a request should not belong to that group name or any other group name that might be set up to grant application access to JSD.
The solution here will likely need to be in regard to the way the user directory is set up in Jira. For example, to remove this specific default group membership that is being granted when the user first signs into the JSD portal. But doing that could present other problems here, such as how do you best determine which users in your organization need to be licensed Jira users here vs. unlicensed JSD customers? Because in order for your other users to be able to log in to the main login page (not the JSD customer portal), those users do need to have group memberships that align with the application access settings here.
One approach I have seen that can work here could be to actually set up two different user directories in Jira, both with perhaps the same LDAP/AD server address, BUT with different LDAP user search filters. By filtering which users to return via LDAP, you could create a small user directory of users, say only the ones that need to be licensed users, and then automatically grant them a default membership to the group in question. And then order that user directory above the other directory that would just include all the other possible users.
This way, if the user that logs into Jira for the first time is in that small group returned by the LDAP filter, they get the needed membership, but all the other users do not. If you're not familiar with how to do this, I would recommend checking out How to write LDAP search filters. It can be helpful in creating such queries that will likely be needed to resolve this problem.
Let me know if you have any questions about this.
Cheers,
Andy
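The two-directory approach described in the answer above, as an added example that is not part of the original post or Atlassian's code: a simplified Python model that evaluates two LDAP user filters against constructed AD entries and shows which directory claims a user on first login and which default groups that grants. The group DN, directory names and the `jira-software-users` default group are assumptions for illustration.

```python
# Constructed filters: the AD group DN below is a placeholder, not from the post.
LICENSED_FILTER = ("(&(objectCategory=Person)(sAMAccountName=*)"
                   "(memberOf=CN=jira-licensed,OU=Groups,DC=example,DC=com))")
ALL_USERS_FILTER = "(&(objectCategory=Person)(sAMAccountName=*))"

# Ordered like Jira's user directory list: the first directory that
# returns the user wins, and only its default memberships are applied.
DIRECTORIES = [
    {"name": "AD - licensed", "filter": LICENSED_FILTER,
     "default_groups": ["jira-software-users"]},
    {"name": "AD - everyone", "filter": ALL_USERS_FILTER,
     "default_groups": []},  # portal customers need no group at all
]

def parse(f, i=0):
    """Parse a small RFC 4515 subset: (&..) (|..) (!..) (a=v) (a=*)."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry {attr: [values]}."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def first_login(entry):
    """Return (directory name, groups granted) for a user's first login."""
    for d in DIRECTORIES:
        if matches(parse(d["filter"])[0], entry):
            return d["name"], d["default_groups"]
    return None, []
```

Entries are dictionaries keyed by lowercase attribute name; a user outside the licensed AD group falls through to the second directory and receives no application-access group.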