Jira Cloud

The Jira Cloud integration provides workflow actions for creating Jira Service Management requests and for updating any kind of Jira issue.

If you don't subscribe to Atlassian Access, the Jira integration also provides user management automation beyond what is possible using the Trelica Atlassian Cloud integration.

Background

How does Atlassian manage cloud users?

Atlassian has centralized all Atlassian Cloud user management through the Atlassian Admin portal (https://admin.atlassian.com).

The Admin portal lets you create a directory of users and assign them to groups. Because groups can be assigned to different Atlassian products, you can control product access by adding users to groups or removing them.

This gives a flexible model, particularly if you use multiple Cloud sites (i.e. separate instances of Jira).

Commercially, Atlassian offers the Admin portal for free on the basis that management is largely manual.

Automating management with Atlassian Access

If you want to automate user management, you need to subscribe to Atlassian Access, which supports SAML2 single sign-on and directory management using a SCIM API.

Atlassian Access works particularly well in combination with an IdP like Okta, which has strong SAML2 and SCIM support.

If you're already using Okta or another IdP for SCIM provisioning, we recommend deprovisioning through that IdP, e.g. using the Okta "Disassociate user from App" Trelica workflow action.

The Trelica Atlassian Cloud integration can also connect to the Atlassian SCIM API and lets you provision, deprovision and manage group membership.

The Atlassian SCIM interface only lets you manage groups created through the SCIM API, so the first time you connect Trelica to Atlassian Access it will create groups for you with names based on the Atlassian products you are subscribed to. You should assign these groups to their respective products; adding a user to a group will then grant them access to the corresponding product.

What if you don’t pay for Atlassian Access?

Creating users

The Jira API does not officially support user account creation. However, there is a documented Jira API endpoint that will create the user in Atlassian Admin with access to selected Jira products, and email an invitation to the user.

This only works with Personal Access tokens, so you will be prompted to generate an additional access token if you enable this functionality when connecting to Jira from Trelica.

Full user management is available via the Atlassian Admin APIs but this requires an Atlassian Access subscription.

If you are using Google Workspace, we recommend using the Atlassian Cloud Google Workspace synchronization feature to automatically provision Atlassian accounts. Find out more: https://support.atlassian.com/provisioning-users/docs/set-up-g-suite/

Assigning users to products

There is no Atlassian Cloud API for controlling access to normal Atlassian groups, so you usually have to manually assign users to Atlassian Cloud groups to control access to individual Atlassian products. This is presumably to encourage organizations to pay for Atlassian Access if they want to automate access management.

However, the native Jira APIs used by the Jira Cloud integration allow you to add or remove users from Jira groups. Changes in Jira group membership are automatically synced back to Atlassian Cloud.

This means you can add or remove users from Jira products using Trelica workflows. 

Deactivating users

When you connect the Jira Cloud integration you have the option to also enter an Atlassian Admin API key. If you do this, then Trelica pulls usage and product data from the Atlassian Admin portal.

Even without Atlassian Access, the Atlassian Admin API key allows the deactivation of Atlassian Cloud user accounts.

If you deactivate a user they will be removed from all Atlassian Cloud products and you will not pay for the seat. Reactivating the user restores them to their original groups.

Multiple Jira Cloud sites

The Jira connector uses OAuth2 to connect to an individual Cloud Site. If you have multiple Jira properties (e.g. site1.atlassian.net and site2.atlassian.net) you will need to connect to each one separately.

As well as the "umbrella" "Jira Cloud" app in Trelica, you will see your various Atlassian products and their associated users and usage data for each Cloud site. For example, Jira Service Desk and Jira Software will be shown as separate Trelica apps.

If you're not paying for Atlassian Access, we recommend not connecting the Trelica Atlassian Cloud integration, but instead using the Jira integration to connect to each of your Jira Cloud sites.

If you have entered an Atlassian Admin API key you will be able to deactivate users from Trelica. If you use multiple Jira Cloud sites, bear in mind that the user will be deactivated centrally in Atlassian Admin, so will no longer be able to access any Jira Cloud site.

If you manage multiple Jira Cloud sites, but want to remove access from a single Cloud site, then you should remove the user from the Atlassian groups that are controlling product access.
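The difference in scope between the two removal paths, shown as an added example that is not Trelica's code: it builds (but does not send) requests against Atlassian's public REST APIs, using per-site group removal when the user keeps access to other sites and central deactivation only when they leave every site. The site names, account ID, group IDs, basic-auth credentials and the `plan_offboarding` decision rule are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

ADMIN_API = "https://api.atlassian.com"  # organization-wide user management API


def _basic(email, api_token):
    # Assumption: Jira site calls authenticate with email + API token (basic auth).
    raw = f"{email}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def remove_from_site_groups(site, account_id, group_ids, email, api_token):
    """Per-site scope: one DELETE per product-access group on one Cloud site."""
    reqs = []
    for gid in group_ids:
        qs = urllib.parse.urlencode({"groupId": gid, "accountId": account_id})
        reqs.append(urllib.request.Request(
            f"https://{site}/rest/api/3/group/user?{qs}",
            method="DELETE",
            headers={"Authorization": _basic(email, api_token)},
        ))
    return reqs


def deactivate_everywhere(account_id, admin_api_key):
    """Central scope: disables the Atlassian account on every Cloud site."""
    acct = urllib.parse.quote(account_id, safe="")
    return urllib.request.Request(
        f"{ADMIN_API}/users/{acct}/manage/lifecycle/disable",
        data=json.dumps({"message": "Offboarded"}).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_api_key}",
                 "Content-Type": "application/json"},
    )


def plan_offboarding(account_id, memberships, leaving_sites, creds, admin_api_key):
    """memberships: {site: [group_id, ...]}, product-access groups only.
    creds: (email, api_token). Returns prepared requests; nothing is sent."""
    remaining = set(memberships) - set(leaving_sites)
    if not remaining:  # no site left: deactivate centrally and free the seat
        return [deactivate_everywhere(account_id, admin_api_key)]
    plan = []
    for site in sorted(leaving_sites):  # user keeps other sites: groups only
        plan += remove_from_site_groups(
            site, account_id, memberships.get(site, []), *creds)
    return plan
```

Each returned object can be passed to `urllib.request.urlopen` to execute it; reviewing the plan first makes it obvious when an offboarding step would cut access to sites the user should keep.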

Connecting both Atlassian Access and Jira Cloud

It's not a problem if you connect Atlassian Access as well, but unless you want to use the Atlassian Access SCIM API, it's not necessary, since the Jira connector uses the same Atlassian Admin APIs to retrieve the data it needs.

If you do connect both, bear in mind that currently Trelica won't reflect a deprovisioning change in Jira in Atlassian Admin until the daily resync with Atlassian Admin.
