Workflow and Efficiency
Making your organization more efficient can be challenging if your products don’t have the right capabilities. Thankfully, Data Center’s got you covered.
2. User Management
As an admin, you’re the gatekeeper to all of your team’s mission-critical products. You’re responsible for getting your teammates access to the right things in a timely fashion, while also ensuring that you aren’t giving them access to things when they don’t really need to have access to them (hey, software ain’t free and maintaining the security of your instance is paramount).
And while that may seem like a simple enough task, being the admin of a self-managed environment, coupled with legacy systems, often makes this one of the most challenging and time-consuming areas of IT administration in the enterprise. The main reason that user management is so challenging is that it’s often based on practices and processes that were easier to handle when the organization was smaller.
Before your organization started to scale, you could rely on team leads to keep track of licenses and user access with a spreadsheet. This reduced admin overhead and allowed teams to get access to their products faster. Additionally, team members or team leads could reach out to your IT team directly to get access to the products they needed. You were able to provide them with a license key and - boom - all set.
As the organization continues to grow and team leads start to take on more responsibilities, using a spreadsheet to track your users’ access or responding to software requests ad hoc isn’t sustainable or efficient. And while software audits have always occurred, the cost of being out of compliance with your software vendors is exponentially larger at scale.
Essentially, these outdated practices and processes, along with limited visibility into user groups, unknowingly continue to contribute to poor user management practices. Now, you spend a good portion of your day focused on troubleshooting user access and managing all of your user groups, which is unsustainable at scale and prevents you from focusing on what’s ahead.
1 Clean up your user groups
Realistically, you’re not starting out with a new instance. You already have a large amount of data and users using your products. To get yourself back on track, you need to clean up your user groups. The first thing that you need to do is understand what groups are up-to-date and being used. To do this, use SQL queries to search your database. Here are some examples of queries for PostgreSQL. After you have this information, you can start to work with your IT team to remove duplicated or unused user groups. Once you’ve gone through and done this cleanup, you can start to optimize your organization’s user groups to ensure that teams get the software that they need to deliver on their objectives.
Pro tip
Crowd Data Center has centralized license visibility, which allows you to verify the actual license consumption in all Atlassian products in your environment.
For more information, check out the Crowd User Guide.
2 Build lasting processes and practices for scale
Every good cleanup effort can be thwarted if it isn’t followed up with processes and practices to match and your user management cleanup is no different. However, the user management process that you create not only needs to meet the needs of your IT team, but also the needs of all the teams you support across the organization.
Build an infrastructure for IT
When it comes to user management, it’s up to you and your IT team to decide what process makes sense for your organization.
User management became so complex because users could reach out directly to admins when the organization was smaller. As your organization grows, trying to provision software to your teams manually becomes both time consuming and costly. You run the risk of provisioning software to the wrong people, or potentially forgetting to account for licenses because it gets lost in your busy day. Either way, it’s not an ideal way to spend your busy people hours.
That’s why many IT teams have implemented a standardized process where their teams can request access to software. This model allows IT to respond to requests promptly, while also ensuring that they can track the information.
For our self-managed admins, such as yourself, we have Jira Service Management Data Center.
Jira Service Management is a collaborative ITSM solution that you can customize for your teams. Rather than messaging you ad hoc, teams can submit a software request. The request is placed in a queue and assigned to someone on your team depending on the priority of the request. Your team can then easily fill the request based on your predefined SLAs, which makes it easier on both you and the teams you support.
Build lasting processes and practices for scale
How many products are used in your organization? 400? 500? While not every person in your organization is using every product, they’re still using a fair amount and each of them requires their own password. For your teams, there is nothing more frustrating than trying to guess what that password is and everyone has gone through the dreaded password reset. It’s time consuming and it can lead your teams to take part in some not so secure practices, such as writing their password on a piece of paper. As the admin of a self-managed environment, it’s your job to make this process easier and more secure for your teams.
A common way to manage this problem is to implement single sign-on (SSO). SSO allows your teams to log in using a standard set of credentials across multiple (yet independent) sites, which shares their credentials across a network. For your Data Center products, you can use Atlassian Crowd as your SSO provider. With additional security layers built in, you can create a seamless and secure way for your teams to log in to all of their Data Center products.
Authentication built directly into the products
Data Center is also built with SAML and OpenID Connect support, both leading authentication protocols. With SAML and OpenID Connect (OIDC), your teams can access multiple products with a single set of credentials, but the security of your instance is still maintained. Both use a single point of authentication, which means that your team’s credentials stay behind the firewall, thus reducing potential security breaches. While there are several other nuances between the two, one of the main differences is that OIDC sends JSON security tokens over REST APIs to communicate with HTTP channels, while SAML uses XML messages over SOAP APIs.
Both SAML and OIDC are authentication layers built on top of the OAuth 2.0 authorization framework. With OAuth 2.0, applications can access information on other authorized applications without your team having to provide their credentials.
Currently Data Center supports OAuth 2.0 for incoming mail, but we are continuing to build out additional support.
Once you’ve implemented a standard way for your teams to log in, you can begin to streamline how your users get access to their products. While using an ITSM solution like Jira Service Management should be part of your user management process, you can also implement JIT provisioning. JIT provisioning allows new users to create an account when they authenticate to an application for the first time using either SAML or OIDC for SSO. By building JIT into your user management process, you can reduce the amount of admin overhead required to provision user access, while also maintaining the security of your instance.
Think about security
As you’re building your processes and practices, it’s important that you remember to factor security into your user management process. With aggressive business objectives, you and your IT team are tasked with getting the organization access to their software faster. However, if you don’t build security into your process, while you may get your teams software quicker, you run the risk of compromising your organization’s security position.
It may sometimes seem easier to give certain team members, such as team leads, global permissions, but it can leave your application less secure. To set yourself up for success, audit your users’ permission levels and determine if they are accurate. If they aren’t, change the level to what’s appropriate for their role.
Here are some things you should consider when you audit your user groups:
- What software is required for each of your teams?
- Do any of your teams currently have access to software that they don’t need for their role?
- How many team members currently have global permissions?
- What is the highest level of permissions your teammates need based on your organization’s security requirements?
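The group cleanup from step 1 and the permission questions above can be answered from one export of groups and memberships. The following is an added example, not Atlassian code: the group names, users and the data layout are constructed, and it assumes you have already exported (group, user) rows from your directory, for instance with your own SQL queries.

```python
from collections import defaultdict

# Constructed sample export; all names are hypothetical.
GROUPS = ["global-admins", "dev-team", "dev-team-old", "marketing", "contractors-2019"]
MEMBERSHIPS = [  # (group, user) rows
    ("global-admins", "alice"), ("global-admins", "bob"),
    ("dev-team", "bob"), ("dev-team", "carol"),
    ("dev-team-old", "carol"), ("dev-team-old", "bob"),
    ("marketing", "dave"),
]
GLOBAL_PERMISSION_GROUPS = {"global-admins"}  # groups that carry global permissions
APPROVED_GLOBAL_USERS = {"alice"}             # users whose role requires them


def audit_groups(groups, memberships, global_groups, approved):
    """Report unused groups, duplicated groups and excess global permissions."""
    members = defaultdict(set)
    for group, user in memberships:
        members[group].add(user)

    # Unused: the group exists but nobody is in it.
    empty = sorted(g for g in groups if not members[g])

    # Duplicated: different names, identical non-empty member sets.
    by_member_set = defaultdict(list)
    for g in groups:
        if members[g]:
            by_member_set[frozenset(members[g])].append(g)
    duplicates = sorted(sorted(names) for names in by_member_set.values()
                        if len(names) > 1)

    # Everyone who reaches a global permission through any group,
    # and the subset whose role does not call for it.
    global_users = set().union(*(members[g] for g in global_groups))
    return {
        "empty": empty,
        "duplicates": duplicates,
        "global_users": sorted(global_users),
        "excess_global": sorted(global_users - set(approved)),
    }


if __name__ == "__main__":
    report = audit_groups(GROUPS, MEMBERSHIPS,
                          GLOBAL_PERMISSION_GROUPS, APPROVED_GLOBAL_USERS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Groups listed as duplicates share exactly the same members, so confirm with their owners which name is still referenced in permission schemes before removing one.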
Pro tip
Learn about Confluence permissions and how to enhance your security position with it.
3 Ensure change with visibility
Once you’ve built out your processes, you need to ensure that your user groups continue to be up-to-date and that your teams have the correct permissions for their roles. To gain this insight, you need monitoring and reporting on the events in your instance.
As we mentioned in our monitoring and reporting section above, Data Center has advanced auditing capabilities, which record all the events that occur within your instance.
Advanced auditing logs events such as:
- Adding a user group
- Deleting a user group
- Changing a user’s permissions
You and your team can see these events logged in real time and quickly resolve any issues if they are against your process. Check out our advanced auditing whitepaper for more information.
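One way to check logged events against your process, as an added example that is not Atlassian code: it flags group and permission changes that were not made by an approved admin or that lack a request ticket. The record format, field names, action names and ticket keys are constructed for illustration and are not the product's audit log schema.

```python
import json

# Constructed audit records, one JSON object per line (hypothetical fields).
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:00Z", "actor": "alice", "action": "group_created", "target": "data-team", "ticket": "IT-101"}
{"ts": "2024-03-01T10:40:00Z", "actor": "bob", "action": "permission_changed", "target": "carol", "ticket": null}
{"ts": "2024-03-01T11:05:00Z", "actor": "alice", "action": "group_deleted", "target": "dev-team-old", "ticket": "IT-102"}
{"ts": "2024-03-01T11:30:00Z", "actor": "alice", "action": "user_login", "target": "alice", "ticket": null}
{"ts": "2024-03-01T12:00:00Z", "actor": "erin", "action": "group_deleted", "target": "marketing", "ticket": "IT-103"}
not-json garbage line
"""

WATCHED_ACTIONS = {"group_created", "group_deleted", "permission_changed"}
APPROVED_ADMINS = {"alice"}  # assumption: the admins allowed to make these changes


def review_audit_log(text, watched=WATCHED_ACTIONS, admins=APPROVED_ADMINS):
    """Return (line_number, message) for every event that breaks the process."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            # A record that cannot be read is itself worth a look.
            findings.append((lineno, "unparseable record"))
            continue
        if event.get("action") not in watched:
            continue
        reasons = []
        if event.get("actor") not in admins:
            reasons.append("actor not an approved admin")
        if not event.get("ticket"):
            reasons.append("no request ticket")
        if reasons:
            findings.append((lineno, "{} on {} by {}: {}".format(
                event["action"], event.get("target"), event.get("actor"),
                "; ".join(reasons))))
    return findings


if __name__ == "__main__":
    for lineno, message in review_audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {message}")
```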