SailPoint integration with Atlassian Cloud default group issues

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hello All,

Currently we have integrated SailPoint IIQ with Atlassian products (Jira, Confluence) by using the OOTB Atlassian Cloud Connector. We are able to perform all the operations (Create User, Add Group, Remove Group, etc.) without any issues.

The application team raised a few concerns about the default groups: whenever a user is created, the associated default groups are added automatically. They don’t want this; they just want to create the user without the default product groups whenever the Create User functionality is triggered in SailPoint.

I see in the connector documentation that this is the default behaviour (The Jira Administrator can manage the Default Access group associated with different products. Users created from IdentityIQ are automatically assigned to the default Product Access Groups enabled on the managed system.).

My question is: are there any other best approaches to alter the Atlassian Cloud connector source code to meet this requirement? I gave the possibilities below to the application team.

  1. We have an additional feature (After Provisioning Rule) to inject a piece of code on success of account creation in the managed system without touching the connector source code. By using this we are able to remove the default groups on success of the Create User operation (meaning the user will be created with the default groups, and those default groups will immediately be removed by the after provisioning rule). For this we need to implement a customized rule and test it.

  2. The final approach is implementing a new protocol-based Web Service connector instead of the OOTB connector. This connector will consume your API calls (Version 2) and perform the CRUD operations. With this approach we will have full control over modifying the request endpoint URLs, headers, request body and response body to meet the requirement, but it’s a time-consuming process because an end-to-end connector implementation is required.

I believe SailPoint doesn’t add those groups, as they are default groups that should exist for every account. If the requirement is to exclude those groups, your current approach is appropriate. Another suggestion is to implement an additional rule as a fallback, checking for any accounts with default groups. If found, use this custom rule to remove them. This extra step ensures that no accounts retain default groups in case of errors during the post-provisioning rule execution.
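
A sketch of the After Provisioning Rule from option 1, added here as an illustration; it is not code from either poster or from SailPoint. The group names are placeholders, and the `groups` attribute name and the assumption that the created account's native identity is populated on the request must be checked against your application schema.

```java
// Added illustration: body of an IdentityIQ AfterProvisioning rule (BeanShell).
// IdentityIQ supplies: context, log, plan, application, result.
import java.util.Arrays;
import java.util.List;
import sailpoint.api.Provisioner;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;

// ASSUMPTIONS: placeholder group names and schema attribute name; replace
// them with the values from your Atlassian site and application schema.
List defaultGroups = Arrays.asList(new String[] {
    "<default-product-group-1>", "<default-product-group-2>" });
String groupAttr = "groups";

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest created : plan.getAccountRequests()) {
        // Only react to account creation; the Modify request sent below
        // passes through this rule again and must be ignored.
        if (!AccountRequest.Operation.Create.equals(created.getOperation())) {
            continue;
        }
        // Require a committed result. Failed, queued or retried creations
        // are left to the scheduled fallback check.
        ProvisioningResult r = created.getResult() != null ? created.getResult() : result;
        if (r == null || !ProvisioningResult.STATUS_COMMITTED.equals(r.getStatus())) {
            log.warn("Create not committed for " + created.getNativeIdentity()
                     + "; default groups not removed");
            continue;
        }
        try {
            AccountRequest cleanup = new AccountRequest(AccountRequest.Operation.Modify,
                application.getName(), created.getInstance(), created.getNativeIdentity());
            for (Object group : defaultGroups) {
                cleanup.add(new AttributeRequest(groupAttr, ProvisioningPlan.Operation.Remove, group));
            }
            ProvisioningPlan removal = new ProvisioningPlan();
            removal.setIdentity(plan.getIdentity());
            removal.add(cleanup);

            Provisioner provisioner = new Provisioner(context);
            provisioner.setNoLocking(true); // assumes the identity is already locked by the caller
            provisioner.execute(removal);
        } catch (Exception e) {
            // Do not fail the original Create; the fallback check catches leftovers.
            log.error("Default group removal failed for " + created.getNativeIdentity(), e);
        }
    }
}
```

Between the Create and the removal the account briefly holds the default product access, so the periodic fallback check suggested in the reply is what bounds that window when this rule skips or fails.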
