17 min read

Atlassian SSO: Onboarding & Offboarding Contractors (5/5)

By Katie Thomas on Apr 7, 2021 9:45:00 AM

Blogpost-display-image_Resolution Blog Series, Pt. 5-1

Praecipio Consulting has partnered with our friends at resolutionan Atlassian Gold Marketplace Partner based in Germany that specializes in software development and network security, to bring you a series of blog posts about how to successfully implement single sign-on (SSO) with Atlassian tools. With more than 7 million users from 58 countries, resolution is the market leader for Atlassian Enterprise User Management Apps.

In the last article of these series on the journey to Atlassian SSO, we followed the steps of ACME, a company with large instances of Jira and Confluence on prem, planning a migration from AD FS to Azure AD.  

In particular, we had a detailed look at: 

  • How users from the Atlassian directories can be seamlessly migrated into Azure AD building a no code integration with User Sync 
  • How users can be mapped between Azure AD and the Atlassian applications even if usernames don’t match 
  • How to connect users from different organizations (ACME and CU.com, a consultancy firm) each with its own Identity Providers, both for authentication and provisioning purposes. 

In order to complete the setup, however, ACME needs to add some restrictions to CU.com users to answer the following questions:  

  • Who at CU.com must have accounts in ACME’s Jira and Confluence? 
  • How long should access be retained? 
  • How should access be revoked? 

Let’s look at how to automate the process for onboarding and offboarding consultants so that these are the answers: 

  • Who should have accounts? Only contractors assigned to active projects. 
  • How long should access be retained? Only for as long as the project is active. 
  • How should access be revoked? Automatically, as soon as the project concludes. 

How to provision only contractors assigned to active projects 

Let’s quickly recap what ACME needs to set up: 

Challenges 

  • Access to ACME’s Atlassian tools should only be granted to consultants who have been assigned to specific projects 
  • Consultants have a quick turnaround. It’s important to give them access quickly and deactivate them as soon as their assignments conclude. 
  • It’s also vital to ensure that consultants only occupy licenses of the Atlassian products while they´re on an active assignment. 

Implementation steps 

The approach has four steps 

  1. The group that gives consultants access will be operated from Contractor’s Okta and filtered in ACME’s User Sync connector. 
  2. Specific project permissions and roles in the Atlassian applications will be managed locally.  This has important implications, as the Okta and local group settings must coexist and not overwrite each other. 
  3. The synchronization between Okta and ACME will be scheduled to run every night (but users will also be updated when they login, eliminating waiting times entirely). 
  4. As a result of the synchronization, consultants who no longer are on active assignments will have both their access and their licenses revoked. 

Here’s the walkthrough: 

1. In the Okta User Sync connector configured in the section above, ACME adds a filter so that only consultants in a specific group are passed and enabled in Jira 
  • Go to User Sync > Azure AD Connector > Edit > Advanced Settings 
  • In Groups mandatory to sync a user, create a new entry group filter user sync
  • Add the group active-acme-jira-project Filter by active project
2. Now we need to tell User Sync which local groups may be added locally in Jira to these contractors. These are the groups that define what projects contractors have access to, and which roles they fall under.  

It's extremely important to add this information! Failing to do so results in removing access  to Jira projects:  

  •  every time the contractor logs in 
  •  with each user sync. 

However, we can protect groups in both contexts from the User Sync connector,  

  • To protect the groups in the connector, we go back to the Advanced Settings and add all the groups used to give permission to Contractor Unlimited consultants in the Keep these Groups field. Note that you can either include every group, or regular expressions, if there are any patterns. keep groups 
3. Now, we will schedule the synchronization at regular intervals to happen every morning at 3am using this cron expression: 0 0 2 ? * *schedule user sync with cron 
4. Finally, we will tell the connector to deactivate contractors who have finished their assignments so that they don't consume any licenses.  
  • In the cleanup behavior dropdown, select disable users. cleanup behavior disable users

What does this last step mean? Consultants will be automatically deactivated in Jira and Confluence following this process: 

  • When an assignment concludes, the consultant is removed from the active-acme-jira-project group 
  • At 3am, the user sync connector runs 
  • The user is removed from the active-acme-jira-project group in Jira, together with any other changes. 
  • As a consequence, the user is deactivated in Jira. 

Bonus trick: With the right SAML setting, if the consultant logs into Jira after they have already been removed from the active group, the login will succeed but will also result in the deactivation. 

We reached our destination! 

Congratulations! You have finished the journey to Atlassian Single Sign-On! Hopefully by this time you are on your way to an implementation that will last for many years to come. 

The sample implementation in the last two articles has offered a selection of very popular options among Atlassian on prem customers. As you have seen, User Synchronization is very often a cornerstone of the implementation, since it permits to use the Identity Provider as a single source of truth to automate user on- and offboarding. At the same time, it’s compatible with multi-IdP setups and access provision to partner organizations. 

However, the example is just that – an example. And it might be very different to what you need to solve. 

How can we help you? 

If you have any doubts or need help with advanced technical issues, there are several next steps. 

  • Our friends at Praecipio Consulting will be happy to help you get up and running. We go way back with a long history of shared implementations.  
  • If you need help configuring the resolution SAML SSO application or the User Sync standalone that can be combined with the Data Center SAML, we provide free screenshare sessions every day. 

Excited to see you there, very soon! 

Topics: atlassian optimization practices security collaboration human-resource sso
3 min read

The Cost of Quality

By Praecipio Consulting on Aug 24, 2009 11:00:00 AM

The Cost of Quality (COQ) business model describes a method of increasing profits without increasing revenues.

Here’s how it works: COQ increases profit by shrinking business costs. If your business has a 5% profit margin, for example – and you decrease costs by 5% – you’ve doubled your profits. That’s simple enough, but how do you decrease costs?

COQ identifies the importance of shrinking costs without taking the usual cost-cutting measures like not buying everyone’s favorite pens or not stocking refreshments in the break room — the “let’s avoid morale buzz-kills to save a few bucks” approach to increasing profit. Instead, COQ promotes lessening mistakes and increasing business process efficiency.

Companies adopt and tweak COQ to reflect their business goals and in turn their profitability. The model applies to not-for-profit businesses too: budgets are tight; grants, revenues, or contributions may not increase, but the same valuable services need to be delivered with less and less money, right?

COQ is made up of three elements: conformance costs, non-conformance costs, and opportunity costs. We’ll explain these before we explain the rest of what the graphic illustrates:

Conformance Costs

  • Communicate
  • Review
  • Report
  • Status-Check
  • Inspect
  • Train
  • Validate
  • Benchmark
  • Test
  • Prevent
  • Plan
  • Preinstall
  • Check
  • Audit
  • Appraise
  • Survey
  • Evaluate
  • Proofread

Non-Conformance Costs

  • Fix
  • Repair
  • Rework
  • Retrofit
  • Revisit
  • Overstock
  • Re-do
  • Refer
  • Reorganize
  • Scrap
  • Error
  • Constraint
  • Incorrect
  • Excessive
  • Late

Opportunity Costs

  • Under-utilize
  • Cancel
  • Downgrade

Notice these three cost categories are not associated with the cost of producing the output. Materials needed to assemble a product (labor, supplies, etc) are not included. The three elements merely reflect the costs associated with the business process. As we always say, “the profit’s in the process.” The efficiency of your business processes determines your efficiency as a business. If you’re going to maximize your efficiency and profitability, you need a sound understanding of the cost of quality.

Think about it: process is where value is added and where profit is made. Consumers don’t squeeze oranges to make juice anymore. Okay, maybe on rare occasion, but who cuts down trees and processes timber as a raw material to make paper?

The cost of quality is associated with the cost incurred to ensure process outputs (products and services) meet customer requirements. For example, let’s say Company A manufactures pens, a process that takes ten steps to complete. About half of the time, the process works effectively, and high-quality pens are made. The other half of the time, however, is plagued by faulty manufacturing— lackluster execution in the assembly process. As a result, Company A has to keep half of its pens in its shop for a bit longer for fixing/repairing, incurring non-conformance costs. This leads to a lack of consistency. Ultimately, this waste is passed onto the customer with an increased price per unit and/or inferior product— making it more and more difficult to compete.

That’s why COQ’s biggest cost adjustment occurs in reducing non-conformance costs— tightening the process and ensuring customer requirements are met. This may require spending extra money to do some work over again.

Now, to run through the graphic:

  • Conformance costs are important and help ensure a business’ success and stability. when optimizing your business, conformance costs should stay the same or in many cases increase.
  • Non-conformance costs, as we’ve mentioned, need to drop significantly— though you can never expect to be without them, strive to get rid of them.
  • Opportunity cost is the value of the next best choice. It’s the “what could have been.” If a business is suffering from non-conformance costs, the “what could have been,” is higher in the left portion of the graphic, where non-conformance costs are much higher. If a business is succeeding financially, there is little “what could have been,” therefore reducing the opportunity cost.
  • Operating costs are constant. They’re the costs of a business’ building, utilities, licenses, etc— which fluctuate, but not enough to factor into this model.
  • Profit looks like this: $$$. Reducing non-conformance generates more $$$.

So, how do you reduce non-conformance? Remember: the $$$’s are in the process.

Would you like more from us? Contact us here.

Topics: blog bpm business efficiency library management practices predicatability process services technology value continuous-improvement information infrastructure-system-admin it itil itsm operations

Praecipio Consulting is an Atlassian Platinum Partner

This means that we have the most experience working with Atlassian tools and have insight into new products, features, and beta testing. Through our profound knowledge of Atlassian environments and their intricacies, we can guide your organization as you navigate these important changes.

Atlassian-Platinum-Solution-Partner

In need of professional assistance?

WE'VE GOT YOUR BACK

Contact Us