問題

You want to allow Crowd to only pull in users that have been manually approved by an admin.  These users are not members of a particular group in the LDAP or Active Directory, so Crowd is set to pull all users via a delegated directory.  However, some of these users do not have permission, and so accounts should not be created for them.

例:

We have 2 users:

• User A
• User B

Both users come from a remote LDAP/Active Directory server, and the Crowd administrator has no rights on that remote directory.  User A has requested, and been granted, permission to access Jira.  This was handled via a Crowd admin manually adding their account to Crowd. User B has not requested, or been granted, any permissions.

If User B attempts to log in to JIRA, they will be denied, as they do not have JIRA access.  However, because they come from a delegated directory, an account is created for them in Crowd.  During the next sync, that account is copied to Jira.  User B still has no access, but now shows up as a user in both Crowd and Jira.  

環境

• Crowd

  • No group membership is currently auto-assigned in Crowd
• A Remote LDAP or Active Directory server setup in Crowd as a Delegated directory
• A connected application, such as JIRA or Confluence

原因

Because the remote directory is set up as a a delegated directory, it does not sync users, but instead only pulls them down when they attempt to log in.  Since User B is attempting to log in, an account is created in Crowd, even though this user has no permission to access any application.

回避策

Since there is currently no way to set Crowd to require approval for new users, we can work around this.

• First, set Crowd to auto-assign all new users to a particular group.  This can be any group of your choice, but should only be used for this purpose.  Let's call this group unverified.

• When a new, un-approved user tries to sign in, they will be assigned to the unverified group.  You can periodically delete all members of this group either via the Crowd UI, or through a custom automation using Crowd REST API calls.

• For approved users, they will need to be added manually.

  • When creating a user in the Crowd UI, make sure to click on the 'Attributes' tab after creating the user.
  • Add a new attribute called: autoGroupsAdded and set the value to true.  This will prevent the auto-add group process from running when the user first signs in.

So, unapproved users can be easily deleted from the unverified group, and manually added/approved users will have no problems.