The checklist provided here is intended to help you with the configuration and functional testing of IUM.


In the first step, two new groups (IUM enable and IUM disable) are created under "Confluence administration" - "Users & Security" - "Groups" (other names can also be used).

  • Purpose of the two new groups
    • Casual users will later be moved to the IUM disable group (power users remain in their original group).
    • If occasional users need a licence, IUM temporarily copies the corresponding user into the IUM enable group and the user is assigned a licence.

 


  • Under "Confluence administration" - "Users & Security" - "Global Permissions", access for the IUM enable group is now added.



  • User Directories
    If the "Confluence Internal Directory" is not used, the LDAP permissions ("Confluence Administration" - "Users & Security" - "User Directories" - "Edit") must be changed to "Read Only, with Local Groups".


  • The actual configuration is then carried out under "Confluence administration" - "IUM for Confluence" - "Configuration".
    • Group Settings



      • IUM enable is selected under "IUM Application Access Group" and IUM disable under "IUM User Group".
        (or the corresponding self-assigned names)

      • Several group pairs can also be created (please note that each group is only used once).
        If there are several group pairs, it is important to ensure that a user is not in several IUM user groups.

      • "Shared Licences" indicates the number of licences to be managed by IUM.

      • Licenses reserved for API request
        Licenses for API requests can be reserved here (default value is 3 because of internal IUM requests)

      • Under "Available licences for IUM" you can see the number of licences that are still available for IUM.
        • License tier - users with a fixed license - API licenses - shared licenses = available licences for IUM
          (for unlimited licence tiers, a value of 150,000 (licence tier) is set for IUM)

      • Queue Timer 
        Time in minutes displayed in the queue until the next login attempt

      • Inactivity time in minutes
        A user must be inactive for at least this time before being removed from the Access group.

  • Design
    • Logo:
      You can upload your own logo up to a maximum of 3 MB.

    • Height
      The height of the image can be used to adjust the size of the logo for later display

    • Queue message:
      Here you can define your own message for the queue display.

    • Temporary disconnect:
      If "Automatically allocate a free slot" is activated for the removal jobs, this text will be displayed after the queue timer has expired.




  • Rest
    • The entry /rest/api is already stored internally by default and does not need to be added to the rest-api configuration field. If you add it, it will be hidden.
    • Additional APIs can be entered here (e.g. /rest/scriptrunner).

  • There are two options for user management (adding users to the IUM user group).
    The easiest way is via Automatic User Sync

    • Automatic User Sync Job
      • A job can be set up here that synchronizes the users from the selected origin groups into the IUM user group. The users remain unaffected in the original groups.
        Users with a fixed license from another group and deactivated users will not be synced.





      • The User Sync can be executed for one or more group pairs (depending on which group pairs were defined in the IUM group configuration).

        • Original Group
          The original groups can be selected here.

        • IUM User Group
          Here you can choose between the IUM user groups defined in the group configuration.



        • Execution interval
          Execution times 1h, 2h, 3h up to 24h


        • Start time
          The start time of the automatic removal can be set here (the time refers to the server time)


        • Enable/Disable job

          • next running time (the time refers to the server time)

          • Server Time (Current Server Time)

          • Last execution date

        • Manual job
          Execute the User Sync process once.


    • The second option is to move the user manually

      User Management

      • This is where the actual moving of users into the group managed by IUM takes place.
      • Under "From Group", the group in which the current users are located is selected.
      • Under "To Group" the IUM disable group is selected.
      • After clicking on "List", a list of users from this group is displayed.
        • The users displayed are sorted in descending order according to their last activity.
          (thus, the occasional users can be sorted out little by little)
        • The number of users displayed can be set under "Number of Users".


      • Now the users that are administered by IUM are selected via the selection field.
        (no power users should be selected here, but the occasional users should be gradually sorted out)
      • With the "Move" button, the selected users are now moved.
      • The "Copy" button is used if the IUM disable group is made up of individual permission groups and does not have its own application access.
      • Moving users cannot be undone!



      • After confirming the process, you can check under "Confluence administration" - "Users & Security" - "Groups" whether the selected users have been moved to the IUM disable group.
        (the unselected power users remain in their old group)

      • Please check: It is important to ensure that there are no users with a permanent license (e.g. from another group) in the IUM groups (enable/disable).

  • Automatic removal
    • Activates the automatic removal of users from the IUM access groups if the last activity is greater than the duration entered in the group settings.


    • Inactivity time in minutes
      Here you can define how long a user must be inactive before being removed from the access group.

    • Execution interval
      Execution times 1h, 2h, 3h up to 24h


    • Start time
      The start time of the automatic removal can be set here (the time refers to the server time)

    • Automatically allocate a free slot
      Disable automatic reassignment of a license after removal due to inactivity.
      (you can enter your own text for the queue under design)

    • Enable/Disable job

      • next running time (the time refers to the server time)

      • Server Time (Current Server Time)

    • Manual job
      Click run job to purge the IUM access groups once (if the last activity is greater than the duration entered in the group settings, the user is removed from the access group).

  • Group Level Removal
    • With group level removal, users are removed from the Access group once the Access group has reached a certain level. Once this is reached, the users who are over the inactivity time will be removed from the Access group.
      The fill level of the access group is checked every 5 minutes (the next check time is determined after the respective run)



    • Inactivity time
      Time that a user must be inactive before being removed

    • Group Level
      From this level, users will be removed (no removal will take place beforehand).

    • Max User
      Maximum number of users that can be removed

    • Automatically allocate a free slot
      Disable automatic reassignment of a license after removal due to inactivity.


       
  •  SAML
    • IUM supports single sign-on services such as ADFS, Azure, Google or Okta. (How to setup)
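
The membership rules stated above (each group used in only one pair, no user in several IUM user groups, no user with a permanent licence in the IUM enable/disable groups) can be checked against an export of group memberships. The following is an added example, not part of IUM or of this checklist; the group names and membership data are constructed, and the set of groups that grant a permanent licence is an assumption to be replaced with your own Global Permissions settings.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from a real instance); all group names are assumptions.
GROUP_PAIRS = [  # (IUM Application Access Group, IUM User Group)
    ("ium-enable", "ium-disable"),
    ("ium-enable-eng", "ium-disable-eng"),
]
# Groups assumed to grant a permanent licence through Global Permissions.
LICENSED_GROUPS = {"confluence-users", "confluence-administrators"}
MEMBERS = {
    "confluence-users": {"alice", "bob"},
    "confluence-administrators": {"alice"},
    "ium-enable": {"carol"},
    "ium-disable": {"carol", "dave", "bob"},
    "ium-enable-eng": set(),
    "ium-disable-eng": {"dave", "erin"},
}

def reused_groups(pairs):
    """Groups that appear more than once across all configured pairs."""
    counts = Counter(g for pair in pairs for g in pair)
    return sorted(g for g, n in counts.items() if n > 1)

def users_in_several_user_groups(members, pairs):
    """Users that are members of more than one IUM user group."""
    seen = defaultdict(list)
    for _, user_group in pairs:
        for user in members.get(user_group, ()):
            seen[user].append(user_group)
    return {u: sorted(gs) for u, gs in seen.items() if len(gs) > 1}

def fixed_licence_users_in_ium_groups(members, pairs, licensed):
    """Users in any IUM group who also hold a permanent licence elsewhere."""
    ium_users = set()
    for pair in pairs:
        for group in pair:
            ium_users |= members.get(group, set())
    hits = {}
    for user in ium_users:
        groups = sorted(g for g in licensed if user in members.get(g, ()))
        if groups:
            hits[user] = groups
    return hits

if __name__ == "__main__":
    print("reused groups:", reused_groups(GROUP_PAIRS))
    print("several IUM user groups:", users_in_several_user_groups(MEMBERS, GROUP_PAIRS))
    print("fixed licence in IUM groups:",
          fixed_licence_users_in_ium_groups(MEMBERS, GROUP_PAIRS, LICENSED_GROUPS))
```

A user who is in both groups of the same pair (carol in the sample data) is not reported, since IUM copies users into the enable group while they hold a licence.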


Control

  • Two users have now logged in. (User1, User2)
  • Under "Confluence administration" - "Users & Security" - "Groups" - "ium enable" you can see that the two users have been copied to the IUM enable group and therefore have access to Confluence.
  • After logging off, the user is automatically removed from the IUM enable group and the licence used is free again.
  • If a user simply closes the browser (without logging out), he or she remains in the IUM enable group until the licence occupied by him or her is needed.
    Only at this point will they be removed from the IUM enable group.


  • Since in this example only 2 licences were made available for administration by IUM for "Queue Size", the following display appears for the third user.




  • After the waiting time has expired, the user with the longest inactivity time is moved to the IUM disable group, his or her used licence is released again and the waiting user is logged in.
  • If a logged-in user is inactive for longer than the time specified under "Duration in minutes", this user is moved directly to the IUM disable group and his used licence is directly passed on to the new user.
    (The queue would not be displayed in this case)