When you click on "Accept all cookies"click, you agree to the storage of cookies on your device to improve website navigation, analyze site usage, and support our marketing efforts. For more information, see our privacy policy.

Privacy preferences

When you visit websites, they can save or retrieve data in your browser. This storage is often required for the basic functions of the website. The storage can be used for marketing, analytics, and website personalization, such as saving your preferences. Data protection is important to us, so you have the option to disable certain types of storage that are not necessary for the basic function of the website. Blocking categories may affect your experience on the site.

Reject all cookies Allow all cookies

Manage consent preferences by category

Essential

Always active

These elements are required to enable the basic functions of the website.

marketing

Essential

These elements are used to deliver advertising that is more relevant to you and your interests. They can also be used to limit the number of ads shown and to measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the website operator.

Personalization

Essential

This data allows the website to remember choices you make (such as your username, language, or the region you are in) and offer enhanced, more personalized features. For example, a website can offer you local weather reports or traffic news by saving data about your current location.

Analytics

Essential

This data helps the website operator understand how their website works, how visitors interact with the website and whether there may be technical problems. This type of storage generally does not collect information that identifies a visitor.

Confirm and close my settings

Atlassian standard permissions: How do I protect my sensitive data?

Anna Schmassmann

1.5.2023

With this blog post, I would like to draw attention to Atlassian's position regarding the availability of information. Atlassian believes that information should be available to all users of a product. I support this approach in principle. However, certain projects or areas (e.g. HR topics) may contain sensitive information and should therefore not be visible to all users. Especially among newcomers to the Atlassian world, I sometimes notice that the general concepts are not (yet) known and authorizations are unconsciously given too openly.

3 stumbling blocks are listed below and described how best to avoid them.

Approved domains in the Atlassian cloud

When a new person is added to the admin area, we can immediately approve the entire domain. When adding someone new, we see the following pop-ups:

If we click "Approve" in the second step, it means that in future, all accounts with this domain's email address will be able to access the Atlassian site without having to add them.

This can be very handy if the domain is a small company and you actually want everyone to work in the Atlassian Cloud. This means that we don't have to record employees individually, but can regulate it via the domain.

But even for small companies, this overall permit may allow us to quickly reach the limits of available licenses.
Another, arguably bigger problem is that the site can also contain information that should not be visible to the entire company, but only to a team. And to do this, we actually want to make sure that only people who we've actually added have access.

My tips

Tip 1: Read pop-ups

I know that Atlassian shows a lot of pop-ups and sometimes you just click on the biggest, colored button because of all the warnings and information (this is not just the case in Atlassian products). However, I recommend that everyone read through the pop-ups. This is especially true in the admin area of Atlassian - only what is actually desired should be approved.

If it is too late for tip 1, or if it is too tedious to implement, you can fix everything later with tips 2 and 3.

Tip 2: Check approved domains

The approved domains can be found in the admin area under Products > User Settings. All listed domains can be checked regularly for errors. So just click on "Edit" and check whether the settings are correct. Do we really want to give access to all accounts on a domain if admin approval is not activated?

Tip 3: Respond to notifications

By default, Atlassian sends an email to the organization admins when someone gains access, or rather gains access. So when we receive a notification that someone has access that we don't have permission to, we should respond immediately. That means we check the approved domains (see tip 2), edit the misconfigured person and remove them.

Default permissions in Jira

Basically, it's important to know that Atlassian gives all licensed people access to all content by default. If this is not desired, action must be taken.

The Default Permission Scheme is configured in such a way that many rights are granted to all logged-in users. This means that all logged-in people can also create tasks in all projects and, by default, they also see all tasks in all projects. Under certain circumstances, this may not be desired. Therefore, if restricted authorizations are required for individual projects that contain sensitive data, a new authorization scheme must be created. I recommend going through all the different rights in the scheme and considering who should have these rights. It is best to assign the rights to the project roles so that a scheme can be reused by different projects and still authorize different people. Further information on project permissions is available in this blog post.

Here the listing and explanation of available Atlassian permissions. The list is for company managed projects in the cloud, but also applies to data center/server products.
The most important permission for me is "Browse Project", as this governs who can see processes in a project and who cannot. The other authorizations are then often dependent on this and it is not so bad if the wrong users grant them. Because if I don't see a process, I can't edit it.

Especially in the cloud: Team Managed Projects

In addition to Company Managed, there are also Team Managed projects in the cloud. This gives teams the opportunity to manage their projects independently without having to touch the general Jira configuration.

But even with these projects, all people on a Jira site are authorized by default and see all processes. If this is not desired, access must be adjusted in the project settings. By default, project access is set to "Open", if not all licensed persons should see the tasks in the project, the authorized persons must all be included in the project and the project access must be changed to "Private."

Default Permission Settings in Confluence

In Confluence, it is defined in the admin area under "Area permissions" which groups should be authorized in a new area by default. By default, Atlassian stores the confluence-users group, which is also responsible for granting licenses to users and therefore corresponds to the "all logged-in users" mentioned above.

If an area has already been created and sensitive data is also to be maintained in it, the authorizations can be adjusted at any time in the area settings under Authorizations. Groups or even individual people can be removed or added.

If new areas are regularly created which should not be accessible to all people, it is worthwhile to adjust this default setting and, for example, to store no group or only the Confluence administrators group.

Finally, an important detail about the confluence-administrators group: all people in this group automatically receive reading rights to all content, regardless of whether they are authorized or not. If your Confluence contains sensitive content that the admins should also not have access to, I recommend the following:

Create a new group (e.g. confluence-system-admins), which has the same global authorization as the confluence-administrators group
Include everyone who should have Confluence admin rights in this new group
Removes everyone from the confluence-administrators group and ensures that this group remains empty

Are you not sure how to best implement what you have read in your organization? Our experts are happy to help you. Together with you, we analyze your security and permission settings and adapt them optimally to your organization and needs. This protects your sensitive information and ensures that only the people you want have access to your data. If you need assistance or have any questions or suggestions, feel free to write to us via chat or at: info@linkyard.ch. We look forward to hearing from you.

Linkyard has already successfully established itself in the first half of the financial year and is making a profit

Linkyard has already successfully established itself in the first half of the financial year and is making a profit

Linkyard has already successfully established itself in the first half of the financial year and is making a profit

Vanda Mäder

Atlassian standard permissions: How do I protect my sensitive data?

Approved domains in the Atlassian cloud

My tips

Tip 1: Read pop-ups

Tip 2: Check approved domains

Tip 3: Respond to notifications

Default permissions in Jira

Especially in the cloud: Team Managed Projects

Default Permission Settings in Confluence

More posts from us

How the world traveler Andreas found linkyard

Two ways to switch to the Atlassian Cloud more cheaply

We warmly welcome sports enthusiast and family man Fabio

Offerings

Webpage

Utility

Contact