⚙️

Atlassian Administrator

Administer Jira and Confluence at scale — user management, permission schemes, SSO integration, security configuration, and disaster recovery planning.

by @alirezarezvani · MIT New

Built for: Developers

What this skill does

Manage organization-wide settings and user access across Jira and Confluence to securely onboard new members, configure permissions, and safely offboard employees without losing project ownership. Reach for this skill whenever you need to update admin settings, manage groups, or enforce security policies across your organization.

@alirezarezvani · Productivity

view on github ↗

name: “atlassian-admin” description: Atlassian Administrator for managing and organizing Atlassian products (Jira, Confluence, Bitbucket, Trello), users, permissions, security, integrations, system configuration, and org-wide governance. Use when asked to add users to Jira, change Confluence permissions, configure access control, update admin settings, manage Atlassian groups, set up SSO, install marketplace apps, review security policies, or handle any org-wide Atlassian administration task.

Atlassian Administrator Expert

Workflows

User Provisioning

Create user account: admin.atlassian.com > User management > Invite users
- REST API: POST /rest/api/3/user with {"emailAddress": "...", "displayName": "...","products": [...]}
Add to appropriate groups: admin.atlassian.com > User management > Groups > [group] > Add members
Assign product access (Jira, Confluence) via admin.atlassian.com > Products > [product] > Access
Configure default permissions per group scheme
Send welcome email with onboarding info
NOTIFY: Relevant team leads of new member
VERIFY: Confirm user appears active at admin.atlassian.com/o/{orgId}/users and can log in

User Deprovisioning

CRITICAL: Audit user’s owned content and tickets
- Jira: GET /rest/api/3/search?jql=assignee={accountId} to find open issues
- Confluence: GET /wiki/rest/api/user/{accountId}/property to find owned spaces/pages
Reassign ownership of:
- Jira projects: Project settings > People > Change lead
- Confluence spaces: Space settings > Overview > Edit space details
- Open issues: bulk reassign via Jira > Issues > Bulk change
- Filters and dashboards: transfer via User management > [user] > Managed content
Remove from all groups: admin.atlassian.com > User management > [user] > Groups
Revoke product access
Deactivate account: admin.atlassian.com > User management > [user] > Deactivate
- REST API: DELETE /rest/api/3/user?accountId={accountId}
VERIFY: Confirm GET /rest/api/3/user?accountId={accountId} returns "active": false
Document deprovisioning in audit log
USE: Jira Expert to reassign any remaining issues

Group Management

Create groups: admin.atlassian.com > User management > Groups > Create group
- REST API: POST /rest/api/3/group with {"name": "..."}
- Structure by: Teams (engineering, product, sales), Roles (admins, users, viewers), Projects (project-alpha-team)
Define group purpose and membership criteria (document in Confluence)
Assign default permissions per group
Add users to appropriate groups
VERIFY: Confirm group members via GET /rest/api/3/group/member?groupName={name}
Regular review and cleanup (quarterly)
USE: Confluence Expert to document group structure

Permission Scheme Design

Jira Permission Schemes (Jira Settings > Issues > Permission Schemes):

Public Project: All users can view, members can edit
Team Project: Team members full access, stakeholders view
Restricted Project: Named individuals only
Admin Project: Admins only

Confluence Permission Schemes (Confluence Admin > Space permissions):

Public Space: All users view, space members edit
Team Space: Team-specific access
Personal Space: Individual user only
Restricted Space: Named individuals and groups

Best Practices:

Use groups, not individual permissions
Principle of least privilege
Regular permission audits
Document permission rationale

SSO Configuration

Choose identity provider (Okta, Azure AD, Google)
Configure SAML settings: admin.atlassian.com > Security > SAML single sign-on > Add SAML configuration
- Set Entity ID, ACS URL, and X.509 certificate from IdP
Test SSO with admin account (keep password login active during test)
Test with regular user account
Enable SSO for organization
Enforce SSO: admin.atlassian.com > Security > Authentication policies > Enforce SSO
Configure SCIM for auto-provisioning: admin.atlassian.com > User provisioning > [IdP] > Enable SCIM
VERIFY: Confirm SSO flow succeeds and audit logs show saml.login.success events
Monitor SSO logs: admin.atlassian.com > Security > Audit log > filter: SSO

Marketplace App Management

Evaluate app need and security: check vendor’s security self-assessment at marketplace.atlassian.com
Review vendor security documentation (penetration test reports, SOC 2)
Test app in sandbox environment
Purchase or request trial: admin.atlassian.com > Billing > Manage subscriptions
Install app: admin.atlassian.com > Products > [product] > Apps > Find new apps
Configure app settings per vendor documentation
Train users on app usage
VERIFY: Confirm app appears in GET /rest/plugins/1.0/ and health check passes
Monitor app performance and usage; review annually for continued need

System Performance Optimization

Jira (Jira Settings > System):

Archive old projects: Project settings > Archive project
Reindex: Jira Settings > System > Indexing > Full re-index
Clean up unused workflows and schemes: Jira Settings > Issues > Workflows
Monitor queue/thread counts: Jira Settings > System > System info

Confluence (Confluence Admin > Configuration):

Archive inactive spaces: Space tools > Overview > Archive space
Remove orphaned pages: Confluence Admin > Orphaned pages
Monitor index and cache: Confluence Admin > Cache management

Monitoring Cadence:

Daily health checks: admin.atlassian.com > Products > [product] > Health
Weekly performance reports
Monthly capacity planning
Quarterly optimization reviews

Integration Setup

Common Integrations:

Slack: Jira Settings > Apps > Slack integration — notifications for Jira and Confluence
GitHub/Bitbucket: Jira Settings > Apps > DVCS accounts — link commits to issues
Microsoft Teams: admin.atlassian.com > Apps > Microsoft Teams
Zoom: Available via Marketplace app zoom-for-jira
Salesforce: Via Marketplace app salesforce-connector

Configuration Steps:

Review integration requirements and OAuth scopes needed
Configure OAuth or API authentication (store tokens in secure vault, not plain text)
Map fields and data flows
Test integration thoroughly with sample data
Document configuration in Confluence runbook
Train users on integration features
VERIFY: Confirm webhook delivery via Jira Settings > System > WebHooks > [webhook] > Test
Monitor integration health via app-specific dashboards

Global Configuration

Jira Global Settings (`Jira Settings > Issues`)

Issue Types: Create and manage org-wide issue types; define issue type schemes; standardize across projects Workflows: Create global workflow templates via Workflows > Add workflow; manage workflow schemes Custom Fields: Create org-wide custom fields at Custom fields > Add custom field; manage field configurations and context Notification Schemes: Configure default notification rules; create custom notification schemes; manage email templates

Confluence Global Settings (`Confluence Admin`)

Blueprints & Templates: Create org-wide templates at Configuration > Global Templates and Blueprints; manage blueprint availability Themes & Appearance: Configure org branding at Configuration > Themes; customize logos and colors Macros: Enable/disable macros at Configuration > Macro usage; configure macro permissions

Security Settings (`admin.atlassian.com > Security`)

Authentication:

Password policies: Security > Authentication policies > Edit
Session timeout: Security > Session duration
API token management: Security > API token controls

Data Residency: Configure data location at admin.atlassian.com > Data residency > Pin products

Audit Logs: admin.atlassian.com > Security > Audit log

Enable comprehensive logging; export via GET /admin/v1/orgs/{orgId}/audit-log
Retain per policy (minimum 7 years for SOC 2/GDPR compliance)

Governance & Policies

Access Governance

Quarterly review of all user access: admin.atlassian.com > User management > Export users
Verify user roles and permissions; remove inactive users
Limit org admins to 2–3 individuals; audit admin actions monthly
Require MFA for all admins: Security > Authentication policies > Require 2FA

Naming Conventions

Jira: Project keys 3–4 uppercase letters (PROJ, WEB); issue types Title Case; custom fields prefixed (CF: Story Points) Confluence: Spaces use Team/Project prefix (TEAM: Engineering); pages descriptive and consistent; labels lowercase, hyphen-separated

Change Management

Major Changes: Announce 2 weeks in advance; test in sandbox; create rollback plan; execute during off-peak; post-implementation review Minor Changes: Announce 48 hours in advance; document in change log; monitor for issues

Disaster Recovery

Backup Strategy

Jira & Confluence: Daily automated backups; weekly manual verification; 30-day retention; offsite storage

Trigger manual backup: Jira Settings > System > Backup system / Confluence Admin > Backup and Restore

Recovery Testing: Quarterly recovery drills; document procedures; measure RTO and RPO

Incident Response

Severity Levels:

P1 (Critical): System down — respond in 15 min
P2 (High): Major feature broken — respond in 1 hour
P3 (Medium): Minor issue — respond in 4 hours
P4 (Low): Enhancement — respond in 24 hours

Response Steps:

Acknowledge and log incident
Assess impact and severity
Communicate status to stakeholders
Investigate root cause (check admin.atlassian.com > Products > [product] > Health and Atlassian Status Page)
Implement fix
VERIFY: Confirm resolution via affected user test and health check
Post-mortem and lessons learned

Metrics & Reporting

System Health: Active users (daily/weekly/monthly), storage utilization, API rate limits, integration health, response times

Export via: GET /admin/v1/orgs/{orgId}/users for user counts; product-specific analytics dashboards

Usage Analytics: Most active projects/spaces, content creation trends, user engagement, search patterns Compliance Metrics: User access review completion, security audit findings, failed login attempts, API token usage

Decision Framework & Handoff Protocols

Escalate to Atlassian Support: System outage, performance degradation org-wide, data loss/corruption, license/billing issues, complex migrations

Delegate to Product Experts:

Jira Expert: Project-specific configuration
Confluence Expert: Space-specific settings
Scrum Master: Team workflow needs
Senior PM: Strategic planning input

Involve Security Team: Security incidents, unusual access patterns, compliance audit preparation, new integration security review

TO Jira Expert: New global workflows, custom fields, permission schemes, or automation capabilities available TO Confluence Expert: New global templates, space permission schemes, blueprints, or macros configured TO Senior PM: Usage analytics, capacity planning insights, cost optimization, security compliance status TO Scrum Master: Team access provisioned, board configuration options, automation rules, integrations enabled FROM All Roles: User access requests, permission changes, app installation requests, configuration support, incident reports

Atlassian MCP Integration

Primary Tools: Jira MCP, Confluence MCP

Admin Operations:

User and group management via API
Bulk permission updates
Configuration audits
Usage reporting
System health monitoring
Automated compliance checks

Integration Points:

Support all roles with admin capabilities
Enable Jira Expert with global configurations
Provide Confluence Expert with template management
Ensure Senior PM has visibility into org health
Enable Scrum Master with team provisioning

{
  "permissionScheme": {
    "name": "Standard Project Permission Scheme",
    "description": "Default permission scheme for standard projects. Assigns permissions based on project roles.",
    "version": "1.0",
    "lastUpdated": "YYYY-MM-DD",
    "owner": "IT Admin Team"
  },
  "roles": {
    "projectAdmin": {
      "description": "Full project administration including configuration and user management",
      "typicalGroups": ["project-leads", "engineering-managers"]
    },
    "developer": {
      "description": "Create and manage issues, transitions, and attachments",
      "typicalGroups": ["dept-engineering", "dept-product"]
    },
    "user": {
      "description": "View issues, add comments, and create basic issues",
      "typicalGroups": ["org-all-employees"]
    },
    "viewer": {
      "description": "Read-only access to project issues and boards",
      "typicalGroups": ["stakeholders", "external-contractors"]
    }
  },
  "permissions": {
    "project": {
      "ADMINISTER_PROJECTS": {
        "description": "Manage project settings, roles, and permissions",
        "grantedTo": ["projectAdmin"]
      },
      "BROWSE_PROJECTS": {
        "description": "View the project and its issues",
        "grantedTo": ["projectAdmin", "developer", "user", "viewer"]
      },
      "VIEW_DEV_TOOLS": {
        "description": "View development panel (commits, branches, PRs)",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "VIEW_READONLY_WORKFLOW": {
        "description": "View read-only workflow",
        "grantedTo": ["projectAdmin", "developer", "user", "viewer"]
      }
    },
    "issues": {
      "CREATE_ISSUES": {
        "description": "Create new issues in the project",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "EDIT_ISSUES": {
        "description": "Edit issue fields",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "DELETE_ISSUES": {
        "description": "Delete issues permanently",
        "grantedTo": ["projectAdmin"]
      },
      "ASSIGN_ISSUES": {
        "description": "Assign issues to team members",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "ASSIGNABLE_USER": {
        "description": "Be assigned to issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "CLOSE_ISSUES": {
        "description": "Close/resolve issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "RESOLVE_ISSUES": {
        "description": "Set issue resolution",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "TRANSITION_ISSUES": {
        "description": "Transition issues through workflow",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "LINK_ISSUES": {
        "description": "Create and remove issue links",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "MOVE_ISSUES": {
        "description": "Move issues between projects",
        "grantedTo": ["projectAdmin"]
      },
      "SCHEDULE_ISSUES": {
        "description": "Set due dates on issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "SET_ISSUE_SECURITY": {
        "description": "Set security level on issues",
        "grantedTo": ["projectAdmin"]
      }
    },
    "comments": {
      "ADD_COMMENTS": {
        "description": "Add comments to issues",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "EDIT_ALL_COMMENTS": {
        "description": "Edit any comment",
        "grantedTo": ["projectAdmin"]
      },
      "EDIT_OWN_COMMENTS": {
        "description": "Edit own comments",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "DELETE_ALL_COMMENTS": {
        "description": "Delete any comment",
        "grantedTo": ["projectAdmin"]
      },
      "DELETE_OWN_COMMENTS": {
        "description": "Delete own comments",
        "grantedTo": ["projectAdmin", "developer", "user"]
      }
    },
    "attachments": {
      "CREATE_ATTACHMENTS": {
        "description": "Attach files to issues",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "DELETE_ALL_ATTACHMENTS": {
        "description": "Delete any attachment",
        "grantedTo": ["projectAdmin"]
      },
      "DELETE_OWN_ATTACHMENTS": {
        "description": "Delete own attachments",
        "grantedTo": ["projectAdmin", "developer", "user"]
      }
    },
    "worklogs": {
      "WORK_ON_ISSUES": {
        "description": "Log work on issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "EDIT_ALL_WORKLOGS": {
        "description": "Edit any worklog",
        "grantedTo": ["projectAdmin"]
      },
      "EDIT_OWN_WORKLOGS": {
        "description": "Edit own worklogs",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "DELETE_ALL_WORKLOGS": {
        "description": "Delete any worklog",
        "grantedTo": ["projectAdmin"]
      },
      "DELETE_OWN_WORKLOGS": {
        "description": "Delete own worklogs",
        "grantedTo": ["projectAdmin", "developer"]
      }
    }
  },
  "projectMappings": [
    {
      "projectKey": "EXAMPLE",
      "projectName": "Example Project",
      "scheme": "Standard Project Permission Scheme",
      "roleAssignments": {
        "projectAdmin": ["project-leads"],
        "developer": ["team-example-devs"],
        "user": ["org-all-employees"],
        "viewer": ["stakeholders-example"]
      }
    }
  ],
  "notes": {
    "usage": "Copy this template and customize role assignments per project. Use group names that match your Atlassian groups.",
    "review": "Review permission scheme assignments quarterly as part of access review.",
    "changes": "Any changes to permission schemes should be documented and approved by IT Admin."
  }
}

Atlassian Cloud Security Hardening Guide

Overview

This guide provides a comprehensive security hardening checklist for Atlassian Cloud products (Jira, Confluence, Bitbucket). It covers identity management, access controls, data protection, and monitoring practices aligned with enterprise security standards.

Identity & Authentication

SSO / SAML Setup

Implementation Steps:

Verify your domain in Atlassian Admin (admin.atlassian.com)
Claim all company email accounts
Configure SAML SSO with your identity provider (Okta, Azure AD, Google Workspace)
Set authentication policy to enforce SSO for all managed accounts
Test with a pilot group before full rollout
Disable password-based login for managed accounts

Configuration Checklist:

Domain verified and accounts claimed
SAML IdP configured with correct entity ID and SSO URL
Attribute mapping: email, displayName, groups
Single Logout (SLO) configured
Authentication policy enforcing SSO
Fallback access configured for emergency admin accounts
SCIM provisioning enabled for automatic user sync

Two-Factor Authentication (2FA)

Enforcement Policy:

2FA required for all managed accounts
Enforce via authentication policy (not just recommended)
Hardware security keys (FIDO2/WebAuthn) preferred for admin accounts
TOTP (authenticator app) as minimum for all users
SMS-based 2FA disabled (SIM swap vulnerability)
Recovery codes generated and stored securely

Session Management

Session timeout set to 8 hours of inactivity (maximum)
Absolute session timeout: 24 hours
Require re-authentication for sensitive operations
Monitor concurrent sessions per user
Enforce session termination on password change

Access Controls

IP Allowlisting

Configuration:

Enable IP allowlisting for organization
Add corporate office IP ranges
Add VPN exit node IP addresses
Add CI/CD server IPs for API access
Test access from all approved locations
Document approved IP ranges with justification
Review IP allowlist quarterly

Exceptions:

Mobile access may require VPN or MDM solution
Remote workers need VPN or conditional access policies
API integrations need stable IP ranges

API Token Management

Policies:

Inventory all API tokens in use
Set maximum token lifetime (90 days recommended)
Require token rotation on schedule
Use service accounts for integrations (not personal tokens)
Monitor API token usage patterns
Revoke tokens immediately on employee departure
Document purpose and owner for each token

Best Practices:

Use OAuth 2.0 (3LO) for user-context integrations
Use API tokens only for service-to-service
Store tokens in secrets management (never in code)
Implement least-privilege scopes for OAuth apps

Permission Model

Review global permissions quarterly
Use groups for permission assignment (not individual users)
Implement role-based access for Jira projects
Restrict Confluence space admin to designated owners
Limit Jira system admin to 2-3 people
Audit "anyone" or "logged in users" permissions
Remove direct user permissions where groups exist

Audit & Monitoring

Audit Log Configuration

What to Monitor:

User authentication events (login, logout, failed attempts)
Permission changes (project, space, global)
User account changes (creation, deactivation, group changes)
API token creation and revocation
App installations and updates
Data export operations
Admin configuration changes

Setup Steps:

Enable organization audit log
Configure audit log retention (minimum 1 year)
Set up automated export to SIEM (Splunk, Datadog, etc.)
Create alerts for suspicious patterns
Schedule monthly audit log review
Document incident response procedures for alerts

Alerting Rules

Critical Alerts (Immediate Response):

Multiple failed login attempts (>5 in 10 minutes)
Admin permission grants to unexpected users
API token created by non-service accounts
Bulk data export or deletion
New third-party app installed with broad permissions

Warning Alerts (Same-Day Review):

New admin users added
Permission scheme changes
Authentication policy modifications
IP allowlist changes
User deactivation (verify it is expected)

Data Protection

Data Residency

Configure data residency realm (US, EU, AU, etc.)
Verify product data pinned to selected region
Document data residency for compliance audits
Review data residency coverage (some metadata may be global)
Monitor for new residency options from Atlassian

Encryption

Verify encryption at rest (AES-256, managed by Atlassian)
Verify encryption in transit (TLS 1.2+)
Review Atlassian's encryption key management practices
Consider BYOK (Bring Your Own Key) for Atlassian Guard Premium

Data Loss Prevention

Configure content restrictions for sensitive pages/issues
Implement classification labels (public, internal, confidential)
Restrict file attachment types if needed
Monitor bulk exports and downloads
Set up DLP rules for sensitive data patterns (PII, credentials)

Mobile Device Management

Mobile Access Controls

Require MDM enrollment for mobile Atlassian apps
Enforce device encryption
Require screen lock with biometrics or PIN
Enable remote wipe capability
Block rooted/jailbroken devices
Restrict copy/paste to managed apps
Set app-level PIN for Atlassian apps

Mobile Policies

Define approved mobile devices/OS versions
Enforce automatic app updates
Configure offline data access limits
Set maximum offline cache duration
Review mobile access logs monthly

Third-Party App Security

App Review Process

Maintain approved app list (whitelist)
Review app permissions before installation
Verify app is Atlassian Marketplace certified
Check app vendor security certifications
Assess data access scope (read-only vs read-write)
Review app privacy policy
Document app owner and business justification

App Governance

Audit installed apps quarterly
Remove unused apps (no usage in 90 days)
Monitor app permission changes
Restrict app installation to admins only
Review Atlassian Guard app access policies
Set up alerts for new app installations

Compliance Documentation

Required Documentation

Security policy for Atlassian Cloud usage
Access control matrix (roles, permissions, justification)
Incident response plan for Atlassian security events
Data classification policy applied to Atlassian content
Third-party app risk assessments
Annual security review report

Compliance Frameworks

SOC 2: Map Atlassian controls to Trust Service Criteria
ISO 27001: Align with Annex A controls for cloud services
GDPR: Configure data residency, right to deletion, DPAs
HIPAA: Review BAA availability, encryption, access controls

Hardening Schedule

Task	Frequency	Owner
Permission audit	Quarterly	IT Admin
API token rotation	Every 90 days	Integration owners
App review	Quarterly	IT Admin
Audit log review	Monthly	Security team
IP allowlist review	Quarterly	IT Admin
Authentication policy review	Semi-annually	Security team
Full security assessment	Annually	Security team
User access review	Quarterly	Managers + IT Admin
Data residency verification	Annually	Compliance
Mobile device audit	Quarterly	IT Admin

User Provisioning & Lifecycle Management Checklist

Overview

This checklist covers the complete user lifecycle in Atlassian Cloud products, from onboarding through offboarding. Consistent provisioning ensures security, compliance, and a smooth user experience.

Onboarding Steps

Pre-Provisioning

Receive approved access request (ticket or HR system trigger)
Verify employee record in HR system
Determine role-based access level (see Role Templates below)
Identify required Atlassian products (Jira, Confluence, Bitbucket)
Identify required project/space access

Account Creation

User account auto-provisioned via SCIM (preferred) or manually created
Email domain matches verified organization domain
SSO authentication verified (user can log in via IdP)
2FA enrollment confirmed
Correct product access assigned (Jira, Confluence, Bitbucket)

Group Membership

Add to organization-level groups (e.g., all-employees)
Add to department group (e.g., engineering, product, marketing)
Add to team-specific groups (e.g., team-platform, team-mobile)
Add to project groups as needed (e.g., project-alpha-members)
Verify group membership grants correct permissions

Product Configuration

Jira: Add to correct project roles (Developer, User, Admin)
Jira: Assign to correct board(s)
Jira: Set default dashboard if applicable
Confluence: Grant access to relevant spaces
Confluence: Add to space groups with appropriate permission level
Bitbucket: Grant repository access per team
Bitbucket: Configure branch permissions

Welcome & Training

Send welcome email with access details and key links
Share Confluence onboarding page (getting started guide)
Assign onboarding buddy for Atlassian tool questions
Schedule optional training session for new users
Provide link to internal Atlassian usage guidelines

Role-Based Access Templates

Developer

Jira: Project Developer role (create, edit, transition issues)
Confluence: Team space editor, documentation spaces viewer
Bitbucket: Repository write access for team repos

Product Manager

Jira: Project Admin role (manage boards, workflows, components)
Confluence: Product spaces editor, all team spaces viewer
Bitbucket: Repository read access (optional)

Designer

Jira: Project User role (view, comment, transition)
Confluence: Design space editor, product spaces editor
Bitbucket: No access (unless needed)

Engineering Manager

Jira: Project Admin for managed projects, viewer for others
Confluence: Team space admin, all spaces viewer
Bitbucket: Repository admin for team repos

Executive / Stakeholder

Jira: Viewer role on strategic projects, dashboard access
Confluence: Viewer on relevant spaces
Bitbucket: No access

Contractor / External

Jira: Project User role, limited to specific projects
Confluence: Viewer on specific spaces only (no edit)
Bitbucket: Repository read access, specific repos only
Additional: Set account expiration date, restrict IP access

Group Membership Standards

Naming Convention

org-{company}          # Organization-wide groups
dept-{department}      # Department groups
team-{team-name}       # Team-specific groups
project-{project}      # Project-scoped groups
role-{role}            # Role-based groups (role-admin, role-viewer)

Standard Groups

Group	Purpose	Products
`org-all-employees`	All full-time employees	Jira, Confluence
`dept-engineering`	All engineers	Jira, Confluence, Bitbucket
`dept-product`	All product team	Jira, Confluence
`dept-marketing`	All marketing team	Confluence
`role-jira-admins`	Jira administrators	Jira
`role-confluence-admins`	Confluence administrators	Confluence
`role-org-admins`	Organization administrators	All

Offboarding Procedure

Immediate Actions (Day of Departure)

Deactivate user account in Atlassian (or via IdP/SCIM)
Revoke all API tokens associated with the user
Revoke all OAuth app authorizations
Transfer ownership of critical Confluence pages
Reassign Jira issues (open/in-progress items)
Remove from all groups
Document access removal in offboarding ticket

Within 24 Hours

Verify account is fully deactivated (cannot log in)
Check for shared credentials or service accounts
Review audit log for recent activity
Transfer Confluence space ownership if applicable
Update Jira project leads/component leads if applicable
Remove from any Atlassian Marketplace vendor accounts

Within 7 Days

Verify no lingering sessions or cached access
Review integrations the user may have set up
Check for automation rules owned by the user
Update team dashboards and filters
Confirm with manager that all transfers are complete

Data Retention

User content (pages, issues, comments) retained per policy
Personal spaces archived or transferred
Account marked as deactivated (not deleted) for audit trail
Data deletion request processed if required (GDPR)

Quarterly Access Reviews

Review Process

Generate user access report from Atlassian Admin
Distribute to managers for team verification
Managers confirm or flag each user's access level
IT Admin processes approved changes
Document review completion for compliance

Review Checklist

All active accounts match current employee list
No accounts for departed employees
Group memberships align with current roles
Admin access limited to approved administrators
External/contractor accounts have valid expiration dates
Service accounts documented with current owners
Unused accounts (no login in 90 days) flagged for review

Compliance Documentation

Access review completion date recorded
Manager sign-off captured (email or ticket)
Changes made during review documented
Exceptions documented with justification and approval
Report filed for audit purposes
Next review date scheduled

Automation Opportunities

SCIM Provisioning

Automatically create/deactivate accounts based on IdP changes
Sync group membership from IdP groups
Reduce manual provisioning errors
Ensure immediate deactivation on termination

Workflow Automation

Trigger onboarding checklist from HR system event
Auto-assign to groups based on department/role attributes
Send welcome messages via Confluence automation
Schedule access reviews via Jira recurring tickets

Monitoring

Alert on accounts without 2FA after 7 days
Alert on admin group changes
Weekly report of new and deactivated accounts
Monthly stale account report (no login in 90 days)

#!/usr/bin/env python3
"""
Permission Audit Tool

Analyzes Atlassian permission schemes for security issues. Checks for
over-permissioned groups, direct user permissions, missing restrictions on
sensitive actions, inconsistencies across projects, and compliance gaps.

Usage:
    python permission_audit_tool.py permissions.json
    python permission_audit_tool.py permissions.json --format json
"""

import argparse
import json
import sys
from typing import Any, Dict, List, Optional, Set


# ---------------------------------------------------------------------------
# Audit Configuration
# ---------------------------------------------------------------------------

SENSITIVE_PERMISSIONS = {
    "administer_project",
    "administer_jira",
    "delete_issues",
    "delete_all_comments",
    "delete_all_attachments",
    "manage_watchers",
    "modify_reporter",
    "bulk_change",
    "system_admin",
    "manage_group_filter_subscriptions",
}

RECOMMENDED_GROUP_ONLY_PERMISSIONS = {
    "browse_projects",
    "create_issues",
    "edit_issues",
    "transition_issues",
    "assign_issues",
    "resolve_issues",
    "close_issues",
    "add_comments",
    "edit_all_comments",
}

SEVERITY_WEIGHTS = {
    "critical": 25,
    "high": 15,
    "medium": 8,
    "low": 3,
    "info": 1,
}


# ---------------------------------------------------------------------------
# Audit Checks
# ---------------------------------------------------------------------------

def check_over_permissioned_groups(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for groups with overly broad admin access."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        group_permissions = {}
        for grant in grants:
            group = grant.get("group", "")
            permission = grant.get("permission", "").lower()
            if group:
                if group not in group_permissions:
                    group_permissions[group] = set()
                group_permissions[group].add(permission)

        for group, perms in group_permissions.items():
            admin_perms = perms & SENSITIVE_PERMISSIONS
            if len(admin_perms) >= 3:
                findings.append({
                    "rule": "over_permissioned_group",
                    "severity": "high",
                    "scheme": scheme_name,
                    "group": group,
                    "message": f"Group '{group}' has {len(admin_perms)} sensitive permissions "
                               f"in scheme '{scheme_name}': {', '.join(sorted(admin_perms))}. "
                               f"Review if all are necessary.",
                })

            if "system_admin" in perms or "administer_jira" in perms:
                findings.append({
                    "rule": "admin_access_warning",
                    "severity": "critical",
                    "scheme": scheme_name,
                    "group": group,
                    "message": f"Group '{group}' has system/Jira admin access in '{scheme_name}'. "
                               f"Ensure this is strictly necessary and membership is limited.",
                })

    return findings


def check_direct_user_permissions(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for permissions granted directly to users instead of groups."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        for grant in grants:
            user = grant.get("user", "")
            permission = grant.get("permission", "")

            if user and not grant.get("group"):
                severity = "high" if permission.lower() in SENSITIVE_PERMISSIONS else "medium"
                findings.append({
                    "rule": "direct_user_permission",
                    "severity": severity,
                    "scheme": scheme_name,
                    "user": user,
                    "message": f"User '{user}' has direct permission '{permission}' in '{scheme_name}'. "
                               f"Use groups instead for maintainability and audit clarity.",
                })

    return findings


def check_missing_restrictions(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for missing restrictions on sensitive actions."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        granted_permissions = set()
        for grant in grants:
            granted_permissions.add(grant.get("permission", "").lower())

        # Check if delete permissions are unrestricted
        delete_perms = {"delete_issues", "delete_all_comments", "delete_all_attachments"}
        unrestricted_deletes = delete_perms & granted_permissions

        for grant in grants:
            perm = grant.get("permission", "").lower()
            group = grant.get("group", "")
            if perm in delete_perms and group:
                # Check if granted to broad groups
                broad_groups = {"users", "everyone", "all-users", "jira-users", "jira-software-users"}
                if group.lower() in broad_groups:
                    findings.append({
                        "rule": "unrestricted_delete",
                        "severity": "critical",
                        "scheme": scheme_name,
                        "message": f"Delete permission '{perm}' granted to broad group '{group}' "
                                   f"in '{scheme_name}'. Restrict to admins or leads only.",
                    })

        # Check if admin permissions exist
        admin_perms = {"administer_project", "administer_jira", "system_admin"}
        if not (admin_perms & granted_permissions):
            findings.append({
                "rule": "no_admin_defined",
                "severity": "medium",
                "scheme": scheme_name,
                "message": f"No explicit admin permission defined in '{scheme_name}'. "
                           f"Ensure project administration is properly assigned.",
            })

    return findings


def check_scheme_consistency(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for inconsistencies across permission schemes."""
    findings = []

    if len(schemes) < 2:
        return findings

    # Compare permission sets across schemes
    scheme_perms = {}
    for scheme in schemes:
        name = scheme.get("name", "Unknown")
        perms = set()
        for grant in scheme.get("grants", []):
            perms.add(grant.get("permission", "").lower())
        scheme_perms[name] = perms

    # Find schemes with significantly different permission sets
    all_perms = set()
    for perms in scheme_perms.values():
        all_perms |= perms

    scheme_names = list(scheme_perms.keys())
    for i in range(len(scheme_names)):
        for j in range(i + 1, len(scheme_names)):
            name_a = scheme_names[i]
            name_b = scheme_names[j]
            diff = scheme_perms[name_a].symmetric_difference(scheme_perms[name_b])
            if len(diff) > 5:
                findings.append({
                    "rule": "scheme_inconsistency",
                    "severity": "medium",
                    "message": f"Schemes '{name_a}' and '{name_b}' differ significantly "
                               f"({len(diff)} different permissions). Review for intentional differences.",
                })

    return findings


def check_compliance_gaps(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for common compliance gaps."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        groups_used = set()
        users_used = set()
        for grant in grants:
            if grant.get("group"):
                groups_used.add(grant["group"])
            if grant.get("user"):
                users_used.add(grant["user"])

        # Check for separation of duties
        admin_groups = set()
        for grant in grants:
            if grant.get("permission", "").lower() in SENSITIVE_PERMISSIONS and grant.get("group"):
                admin_groups.add(grant["group"])

        if len(admin_groups) == 1 and len(groups_used) > 1:
            findings.append({
                "rule": "separation_of_duties",
                "severity": "info",
                "scheme": scheme_name,
                "message": f"Only one group ('{next(iter(admin_groups))}') holds all sensitive permissions "
                           f"in '{scheme_name}'. Consider separating duties across multiple groups.",
            })

        # Check user count
        if len(users_used) > 5:
            findings.append({
                "rule": "too_many_direct_users",
                "severity": "high",
                "scheme": scheme_name,
                "message": f"Scheme '{scheme_name}' has {len(users_used)} direct user grants. "
                           f"Migrate to group-based permissions for better governance.",
            })

    return findings


# ---------------------------------------------------------------------------
# Main Analysis
# ---------------------------------------------------------------------------

def audit_permissions(data: Dict[str, Any]) -> Dict[str, Any]:
    """Run full permission audit."""
    schemes = data.get("schemes", [])

    if not schemes:
        # Try treating the entire input as a single scheme
        if data.get("grants") or data.get("name"):
            schemes = [data]
        else:
            return {
                "risk_score": 0,
                "grade": "invalid",
                "error": "No permission schemes found in input",
                "findings": [],
                "summary": {},
            }

    all_findings = []
    all_findings.extend(check_over_permissioned_groups(schemes))
    all_findings.extend(check_direct_user_permissions(schemes))
    all_findings.extend(check_missing_restrictions(schemes))
    all_findings.extend(check_scheme_consistency(schemes))
    all_findings.extend(check_compliance_gaps(schemes))

    # Calculate risk score (higher = more risk)
    summary = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
    total_penalty = 0
    for finding in all_findings:
        severity = finding["severity"]
        summary[severity] = summary.get(severity, 0) + 1
        total_penalty += SEVERITY_WEIGHTS.get(severity, 0)

    risk_score = min(100, total_penalty)
    health_score = max(0, 100 - risk_score)

    if health_score >= 85:
        grade = "excellent"
    elif health_score >= 70:
        grade = "good"
    elif health_score >= 50:
        grade = "fair"
    else:
        grade = "poor"

    # Generate remediation recommendations
    remediations = _generate_remediations(all_findings)

    return {
        "risk_score": risk_score,
        "health_score": health_score,
        "grade": grade,
        "schemes_analyzed": len(schemes),
        "findings": all_findings,
        "summary": summary,
        "remediations": remediations,
    }


def _generate_remediations(findings: List[Dict[str, str]]) -> List[str]:
    """Generate remediation recommendations."""
    remediations = []
    rules_seen = set()

    for finding in findings:
        rule = finding["rule"]
        if rule in rules_seen:
            continue
        rules_seen.add(rule)

        if rule == "over_permissioned_group":
            remediations.append("Review and reduce sensitive permissions for over-permissioned groups. Apply principle of least privilege.")
        elif rule == "admin_access_warning":
            remediations.append("Audit admin group membership. Limit system/Jira admin access to essential personnel only.")
        elif rule == "direct_user_permission":
            remediations.append("Migrate direct user permissions to group-based grants. Create functional groups for common permission sets.")
        elif rule == "unrestricted_delete":
            remediations.append("Restrict delete permissions to project admins or leads. Remove from broad user groups.")
        elif rule == "scheme_inconsistency":
            remediations.append("Standardize permission schemes across projects. Document intentional differences.")
        elif rule == "too_many_direct_users":
            remediations.append("Create groups for users with direct permissions. This simplifies onboarding/offboarding.")
        elif rule == "separation_of_duties":
            remediations.append("Consider splitting admin responsibilities across multiple groups for better separation of duties.")
        elif rule == "no_admin_defined":
            remediations.append("Define explicit admin permissions in each scheme to ensure proper project governance.")

    return remediations


# ---------------------------------------------------------------------------
# Output Formatting
# ---------------------------------------------------------------------------

def format_text_output(result: Dict[str, Any]) -> str:
    """Format results as readable text report."""
    lines = []
    lines.append("=" * 60)
    lines.append("PERMISSION AUDIT REPORT")
    lines.append("=" * 60)
    lines.append("")

    if "error" in result:
        lines.append(f"ERROR: {result['error']}")
        return "\n".join(lines)

    lines.append("AUDIT SUMMARY")
    lines.append("-" * 30)
    lines.append(f"Risk Score: {result['risk_score']}/100 (lower is better)")
    lines.append(f"Health Score: {result['health_score']}/100")
    lines.append(f"Grade: {result['grade'].title()}")
    lines.append(f"Schemes Analyzed: {result['schemes_analyzed']}")
    lines.append("")

    summary = result.get("summary", {})
    lines.append("FINDINGS BY SEVERITY")
    lines.append("-" * 30)
    lines.append(f"Critical: {summary.get('critical', 0)}")
    lines.append(f"High: {summary.get('high', 0)}")
    lines.append(f"Medium: {summary.get('medium', 0)}")
    lines.append(f"Low: {summary.get('low', 0)}")
    lines.append(f"Info: {summary.get('info', 0)}")
    lines.append("")

    findings = result.get("findings", [])
    if findings:
        lines.append("DETAILED FINDINGS")
        lines.append("-" * 30)
        for i, finding in enumerate(findings, 1):
            severity = finding["severity"].upper()
            lines.append(f"{i}. [{severity}] {finding['message']}")
            lines.append(f"   Rule: {finding['rule']}")
            if finding.get("scheme"):
                lines.append(f"   Scheme: {finding['scheme']}")
            lines.append("")

    remediations = result.get("remediations", [])
    if remediations:
        lines.append("REMEDIATION RECOMMENDATIONS")
        lines.append("-" * 30)
        for i, rem in enumerate(remediations, 1):
            lines.append(f"{i}. {rem}")

    return "\n".join(lines)


def format_json_output(result: Dict[str, Any]) -> Dict[str, Any]:
    """Format results as JSON."""
    return result


# ---------------------------------------------------------------------------
# CLI Interface
# ---------------------------------------------------------------------------

def main() -> int:
    """Main CLI entry point."""
    parser = argparse.ArgumentParser(
        description="Audit Atlassian permission schemes for security issues"
    )
    parser.add_argument(
        "permissions_file",
        help="JSON file with permission scheme data",
    )
    parser.add_argument(
        "--format",
        choices=["text", "json"],
        default="text",
        help="Output format (default: text)",
    )

    args = parser.parse_args()

    try:
        with open(args.permissions_file, "r") as f:
            data = json.load(f)

        result = audit_permissions(data)

        if args.format == "json":
            print(json.dumps(format_json_output(result), indent=2))
        else:
            print(format_text_output(result))

        return 0

    except FileNotFoundError:
        print(f"Error: File '{args.permissions_file}' not found", file=sys.stderr)
        return 1
    except json.JSONDecodeError as e:
        print(f"Error: Invalid JSON in '{args.permissions_file}': {e}", file=sys.stderr)
        return 1
    except Exception as e:
        print(f"Error: {e}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main())

Install this Skill

Skills give your AI agent a consistent, structured approach to this task — better output than a one-off prompt.

npx skills add alirezarezvani/claude-skills --skill project-management/atlassian-admin

Download ZIP

Community skill by @alirezarezvani. Need a walkthrough? See the install guide →

Works with

Claude Code OpenAI Codex CLI Gemini CLI

Prefer no terminal? Download the ZIP and place it manually.

Details

Category: Productivity
License: MIT
Author: @alirezarezvani
Source: GitHub →
Source file: show path
project-management/atlassian-admin/SKILL.md

Atlassian Jira Confluence admin SSO

People who install this also use

🎯

Atlassian Jira Expert

JQL query writing, custom workflow design, automation rules, dashboard configuration, and Jira best practices for software and project teams.

@alirezarezvani

📚

Confluence Expert

Design and manage Confluence knowledge bases — space architecture, page templates, documentation strategy, and making Confluence actually useful for teams.

@alirezarezvani

🪟

MS365 Tenant Manager

Microsoft 365 enterprise administration — user management, security policies, SSO/SAML setup, compliance, and tenant optimization.

@alirezarezvani

Atlassian Administrator

Atlassian Administrator Expert

Workflows

User Provisioning

User Deprovisioning

Group Management

Permission Scheme Design

SSO Configuration

Marketplace App Management

System Performance Optimization

Integration Setup

Global Configuration

Jira Global Settings (Jira Settings > Issues)

Confluence Global Settings (Confluence Admin)

Security Settings (admin.atlassian.com > Security)

Governance & Policies

Access Governance

Naming Conventions

Change Management

Disaster Recovery

Backup Strategy

Incident Response

Metrics & Reporting

Decision Framework & Handoff Protocols

Atlassian MCP Integration

Atlassian Cloud Security Hardening Guide

Overview

Identity & Authentication

SSO / SAML Setup

Two-Factor Authentication (2FA)

Session Management

Access Controls

IP Allowlisting

API Token Management

Permission Model

Audit & Monitoring

Audit Log Configuration

Alerting Rules

Data Protection

Data Residency

Encryption

Data Loss Prevention

Mobile Device Management

Mobile Access Controls

Mobile Policies

Third-Party App Security

App Review Process

App Governance

Compliance Documentation

Required Documentation

Compliance Frameworks

Hardening Schedule

User Provisioning & Lifecycle Management Checklist

Overview

Onboarding Steps

Pre-Provisioning

Account Creation

Group Membership

Product Configuration

Welcome & Training

Role-Based Access Templates

Developer

Product Manager

Designer

Engineering Manager

Executive / Stakeholder

Contractor / External

Group Membership Standards

Naming Convention

Standard Groups

Offboarding Procedure

Immediate Actions (Day of Departure)

Within 24 Hours

Within 7 Days

Data Retention

Quarterly Access Reviews

Review Process

Review Checklist

Compliance Documentation

Automation Opportunities

Jira Global Settings (`Jira Settings > Issues`)

Confluence Global Settings (`Confluence Admin`)

Security Settings (`admin.atlassian.com > Security`)