Jira Cloud

The Jira Cloud integration provides specific actions to create Jira Service Management requests from workflows, and for updating any kind of Jira issue.

If you don't subscribe to Atlassian Guard, the Jira integration also provides user management automation beyond what is possible using the Trelica Atlassian Cloud integration.

Background

How does Atlassian manage cloud users?

Atlassian has centralized all Atlassian Cloud user management through the Atlassian Admin portal (https://admin.atlassian.com).

The Admin portal lets you create a directory of users and assign them to groups. Because groups can be assigned to different Atlassian products, you can control product access by adding users to groups or removing them.

This gives a flexible model, particularly if you use multiple Cloud sites (i.e. separate instances of Jira).

Commercially Atlassian offers the Admin portal for free on the basis that management is largely manual.

Automating management with Atlassian Guard

If you want to automate user management, you need to subscribe to Atlassian Guard, which supports SAML2 Single Sign-On and directory management using a SCIM API.

Atlassian Guard works particularly well in combination with an IdP like Okta which has strong SAML2 and SCIM support.

If you're already using Okta or another IdP for SCIM provisioning, we recommend deprovisioning through that IdP, e.g. using the Okta Disassociate user from App Trelica workflow action.

The Trelica Atlassian Cloud integration can also connect to the Atlassian SCIM API and lets you provision, deprovision and manage group membership.

The Atlassian SCIM interface only lets you manage groups created through the SCIM API, so the first time you connect Trelica to Atlassian Guard it will create groups for you with names based on the Atlassian products you are subscribed to. You should assign these groups to their respective products; adding a user to a group will then grant them access to that product.

What if you don’t pay for Atlassian Guard?

Creating users

The Jira API does not officially support user account creation. However, there is a documented Jira API endpoint that will create the user in Atlassian Admin with access to selected Jira products, and email an invitation to the user.

This only works with Personal Access tokens (PAT), so you will be prompted to generate an additional access token if you enable this functionality when connecting to Jira from Trelica.

To create a PAT choose Manage account in Jira Cloud:

Then go to Security and Create and manage API tokens:

Full user management is available via the Atlassian Admin APIs (using SCIM) but this requires an Atlassian Guard subscription.

If you are using Google Workspace, we recommend using the Atlassian Cloud Google Workspace synchronization feature to automatically provision Atlassian accounts. Find out more: https://support.atlassian.com/provisioning-users/docs/set-up-g-suite/

Assigning users to products

There is no Atlassian Cloud API for controlling access to normal Atlassian groups, so normally you have to manually assign users to Atlassian Cloud groups to control access to individual Atlassian products. This is presumably to encourage organizations to pay for Atlassian Guard if they want to automate access management.

However, the native Jira APIs used by the Jira Cloud integration allow you to add or remove users from Jira groups. Changes in Jira group membership automatically get synched back to Atlassian Cloud.

This means you can add or remove users from Jira products using Trelica workflows. 

Deactivating users

When you connect the Jira Cloud integration you have the option to also enter an Atlassian Admin API key. If you do this, then Trelica pulls usage and product data from the Atlassian Admin portal.

Even without Atlassian Guard, the Atlassian Admin API key allows the deactivation of Atlassian Cloud user accounts.

If you deactivate a user they will be removed from all Atlassian Cloud products and you will not pay for the seat. Reactivating the user restores them to their original groups.

Multiple Jira Cloud sites

The Jira connector uses OAuth2 to connect to an individual Cloud Site. If you have multiple Jira properties (e.g. site1.atlassian.net and site2.atlassian.net) you will need to connect to each one separately.

As well as the "umbrella" "Jira Cloud" app in Trelica, you will see your various Atlassian products and their associated users and usage data for each Cloud site. For example, Jira Service Desk and Jira Software will be shown as separate Trelica apps.

If you’re not paying for Atlassian Guard we recommend not connecting the Trelica Atlassian Cloud integration but instead using the Jira integration to connect to each of your Jira Cloud sites.

If you have entered an Atlassian Admin API key you will be able to deactivate users from Trelica. If you use multiple Jira Cloud sites, bear in mind that the user will be deactivated centrally in Atlassian Admin, so will no longer be able to access any Jira Cloud site.

If you manage multiple Jira Cloud sites, but want to remove access from a single Cloud site, then you should remove the user from the Atlassian groups that are controlling product access.
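The difference between removing access on one Cloud site and deactivating centrally, sketched as an added example (not Trelica's code): it builds, without sending, the requests an offboarding script would make against Atlassian's public Jira group-membership and user-management REST endpoints. The site names come from the text above; the account ID, group IDs, credentials and the use of email plus API token Basic auth are assumptions.

```python
import base64
import urllib.parse
import urllib.request

ADMIN_API = "https://api.atlassian.com"  # Atlassian user management API host

def basic_auth(email, api_token):
    """Jira Cloud REST calls here authenticate with email + API token (assumption)."""
    raw = f"{email}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()

def remove_from_site_groups(site, account_id, group_ids, auth_header):
    """Per-site removal: one DELETE per product-access group, on that site only."""
    requests = []
    for group_id in group_ids:
        query = urllib.parse.urlencode({"groupId": group_id, "accountId": account_id})
        url = f"https://{site}/rest/api/3/group/user?{query}"
        requests.append(urllib.request.Request(
            url, method="DELETE", headers={"Authorization": auth_header}))
    return requests

def deactivate_everywhere(account_id, admin_api_key):
    """Central deactivation: a single call that affects every Cloud site."""
    path = urllib.parse.quote(account_id, safe="")
    url = f"{ADMIN_API}/users/{path}/manage/lifecycle/disable"
    return [urllib.request.Request(
        url, data=b"{}", method="POST",
        headers={"Authorization": f"Bearer {admin_api_key}",
                 "Content-Type": "application/json"})]

def plan_offboarding(account_id, scope, site_groups, jira_auth, admin_api_key=None):
    """scope='all' deactivates centrally; otherwise scope is one site hostname."""
    if scope == "all":
        if not admin_api_key:
            raise ValueError("central deactivation needs an Atlassian Admin API key")
        return deactivate_everywhere(account_id, admin_api_key)
    if scope not in site_groups:
        raise ValueError(f"unknown site: {scope}")
    return remove_from_site_groups(scope, account_id, site_groups[scope], jira_auth)

# Constructed sample data: account ID, group IDs and credentials are placeholders.
SITE_GROUPS = {"site1.atlassian.net": ["grp-sw-1", "grp-jsm-1"],
               "site2.atlassian.net": ["grp-sw-2"]}
AUTH = basic_auth("admin@example.com", "PLACEHOLDER_TOKEN")

if __name__ == "__main__":
    for req in plan_offboarding("acct-123", "site1.atlassian.net", SITE_GROUPS, AUTH):
        print(req.get_method(), req.full_url)  # dry run: nothing is sent
```

Reviewing the planned requests before sending them makes the blast radius explicit: a single-site scope never produces a call to the central lifecycle endpoint.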

Connecting both Atlassian Guard and Jira Cloud

It’s not a problem if you connect Atlassian Guard as well, but unless you want to use the Atlassian Guard SCIM API, it’s not necessary since the Jira connector uses the same Atlassian Admin APIs to retrieve the data it needs.

If you do connect both, bear in mind that currently Trelica won't reflect a deprovisioning change in Jira in Atlassian Admin until the daily resynch with Atlassian Admin.

Updating a 'New joiners' field

Jira Service Management is often used for processes around onboarding. Trelica can initiate Jira requests as part of onboarding, but you may have manual Jira processes that need to reference new joiners.

To support this there is a Trelica workflow action for Jira which will update a Jira dropdown field with a list of new joiners.

Staff can therefore initiate onboarding tickets in Jira, assigning them to the correct new joiner email, which also helps if you then trigger Trelica workflows from Jira automations as Trelica will be passed the correct email address to identify the user.

To configure an appropriate field in Jira:

  1. Click the Settings 'cog' at the top-right.
  2. Choose Issues under Jira Settings.
  3. Choose Custom fields.
  4. Click Create custom field in the top-right and search for Select List (single choice).
  5. Click Next.
  6. Enter a name for the field (you will need to enter this into Trelica later). You will also have to enter at least one option. This can be any text as Trelica will remove this automatically later when the workflow step first runs.
  7. Click Create.
  8. Use the checkboxes to assign the field to at least one screen, e.g. Default Screen.
  9. Click the Update button at the bottom of the screen when you are done.

In Trelica you can now add the Update new joiner custom field workflow action. Enter the field name that you just created in Jira.
