We have Atlassian Cloud with Jira and Confluence. The AC user management is Centralized Management. The connector we are using is the OOTB or the Named Connector for Atlassian Cloud using the VA.
We have a Sandbox directory where we have 40 users.
Our production system has 38K users.
This is a new source setup.
We do not have a separate domain for test env., just the separate directory specified as the sandbox.
The Source is currently set up as Read Only because we do not want to touch production users until we know we are connecting to only sandbox.
We have created a user in the User Directory, and are using it, with its associated Site Admin API Token, for connection to AC. This Site token only has permissions to access the sandbox, according to our Atlassian Cloud admin.
We have tried:
Creating an Atlassian Cloud Service account but the Connector errors upon testing the connection.
We have tried different users.
We have tried removing the Org Admin Token (leaving it blank).
When we Aggregate we always get 38K users. We want to be able to connect to just the sandbox. Please let me know what we are doing wrong or how we have this misconfigured. We don’t really want to go the Web Service connection route unless we really have to. Thank you!
I believe that even though you’ve scoped an API token for a specific directory, the Atlassian Suite SaaS connector queries users based primarily on the Site URL. I believe Atlassian centralizes users at the Organization/Site level; the endpoint will return all users associated with that specific Site URL. This may be why the aggregation is pulling the full 38,000 production users instead of just your 40 sandbox users.
I don’t care for the account filter, but since it is multi-valued and it is only 40 accounts, you might try filtering only for those accounts.
I believe under Additional Settings you can specify an account filter listing them all out: jim.schnitter;sandy.swanson;aaronb;james.sampson; and so on
I appreciate your response. After a ton of further research and reaching out to our Atlassian Cloud support, what you described is exactly what is happening. When Atlassian Cloud is set up for Centralized User Management, it does not matter if you have a sandbox directory. It will always pull all the users from the central user store.
There are two ways to get around this if you want a true test env.
Have a separate tenant with a test domain set up in Atlassian Cloud.
Use the Web Services connector instead of the named connector. You will have to configure everything but at least you can connect to the test endpoint.
Hi Shantanu,
Thank you so much for the idea and suggestion. It was something I had considered but was not sure it would work in our environment.
I did do some testing and it seemed to work well. However, I talked to our Atlassian Cloud team and SailPoint team, and neither wants any test users in PROD.
We have decided to go the DEV and QA domain route. The company already has some extra domains that we can use.