NML

Atlassian Security Configuration Guide

Introduction

Atlassian cloud's security configuration can be a little daunting and confusing. This guide will help you navigate some of the intricacies of ensuring people on NML projects are setup correctly.

Products

The first thing to understand is how Atlassian manages users and groups for the Products within the cloud suite. All users and groups are created and managed on the Atlassian site administration portal. It's important to realize however that access to a project depends on both the product access the user/group has, and the project access.

For example: If user "joesoap" belongs to the security group "myproj-developers", that group must be added to the project security settings with the appropriate roles (more on roles later too). That alone is not enough to ensure that "joesoap" will have permissions. This is because "joesoap" will need to also belong to the appropriate Product access group. When creating users, this is generally not a something to be concerned about, as some groups will automatically be assigned to users.

Here are the important Product groups users must belong to in-order to have permissions on a project of that Product type:

  • jira-ops-users - All users that need to have access to Jira Ops projects.
  • jira-users - All users that need to have access to Jira Software projects.
  • confluence-users - All users that need to have access to Confluence projects.
  • service-desk-users - All users that need to have access to Service Desk projects.

There are additional administration groups, but they should not be tampered with or added to.

Project Access Rights

Access to projects must be given via group assignments. Only in extraordinary cases should user be directly given access. Note that one exception are ServiceDesk Customer portal users, who are automatically added by Service Desk.

Groups should be created based on the intended role(s) the members of the group will perform in the project. You can see a list of the available roles on the site configuration for each product type. If a user will be both a Project Manager, and Service Desk Support user, then there should be 2 groups and the user should be added to both groups.

Generally the following groups should be created for each project team, where <PROJECT> is a concise name or acronym of the associated project:

  • <PROJECT>-developers (Developers role)
  • <PROJECT>-project-managers (Project Managers and Project Owner roles)
  • <PROJECT>-testers (QA role)
  • <PROJECT>-support (Service Desk Team role)
  • <PROJECT>-clients (Client View, Client View External and Service Desk Client roles)

Roles give specific permissions to users and group that have the role assigned. Users and groups can have multiple roles, but it's very important not to give all roles to all the different team members.