Hi All,
Greetings for the day!
I reckon there’s a conversation that needs to happen more openly before organizations activate Rovo: what does data hygiene really mean at the permission level, not just the content level?
In several Cloud migration and governance discussions, I’ve seen teams focus heavily on content sensitivity, while spending less time examining the permissions that ultimately govern what Rovo can retrieve.
The Atlassian Graph indexes the permission reality of your site, not the permission intention. Runtime security trimming then enforces that reality at query time for every user.
Some of the areas I’ve been examining include:
Jira permission schemes with overly broad Browse Project grants
Confluence spaces that still allow authenticated-user or anonymous access
Page-level restrictions that have drifted over time
Group memberships that accumulate access through multiple inheritance paths
Legacy permissions carried forward from Server or Data Center migrations
I’m curious what others are including in their Rovo pre-flight reviews.
Have you identified specific Jira permission patterns that create unexpectedly broad visibility once Rovo is enabled?
Has anyone found an effective way to simulate what a specific user could retrieve through Rovo before a wider rollout?
Interested to hear what governance, platform engineering, and migration teams are seeing in practice.
