Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Open Question about configurations and drift

Hello fellow admins,

I have an open question for the community... How are other admins are keeping an eye on, or better yet managing, configuration drift, especially for those in regulated industries? For example, is your instance validated, or are you otherwise required to track configurations (e.g., workflows, permissions, fields, etc.) through a validated system to prove state and or prove your configs aren't drifting. If so, how are you doing that? What tools are you using (Microsoft Suite, internally developed, 3rd party apps, etc.)?

I'd love to hear from other admins in the cloud space, maybe even connect to share ideas and solutions.

9 comments

Aaron Morris
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 6, 2026

Hi @Gabriel Roth -- I have experience with this in the life sciences industry.  I recommend third-party apps for this purpose.  Currently, I am using Revyz. In the past, I've used Salto. There may be other solutions I haven't tried.

Tools like those provide a lot of helpful functionality to support configuration management. In regard to configuration drift specifically, you can capture baselines (snapshots) of your configurations and compare them against the current state at any time.

Like # people like this
Susan Waldrip
Community Champion
July 6, 2026

Hi @Gabriel Roth , good discussion question. Like @Aaron Morris , I also use Revyz/Spin.ai Command Center for Jira, which actually has configuration drift-specific tools and other tools to help admins review, identify, and manage our configurations. You might check whichever 3rd-party your org uses, it probably has helpful tools. I'd also suggest reviewing some of the "site hygiene" articles in the Community, here are some of my regular go-to articles:

Good luck!

Like # people like this
Viswanathan Ramachandran
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 6, 2026

hi @Gabriel Roth 

In regulated environments, configuration drift is fundamentally a governance challenge, not just a technical one. Rely on controlled change processes, configuration baselines, periodic audits, and evidence-based approvals to maintain platform integrity. 

Large banks generally follow similar governance patterns regardless of whether they’re using Atlassian Cloud or Data Center. The focus is on proving control, traceability, and auditability rather than relying on the platform alone.

 

Like # people like this
Peter Kerrigan
Contributor
July 6, 2026

Hi @Gabriel Roth !

This is exactly what we built Solcoro for (solcoro.com). We track and monitor environment health over time, and our drift analysis tools identify exact changes/drift in your configs; no need to spend hours manually digging.

Happy to showcase the platform if you'd like!

Best,

Peter Kerrigan

Like # people like this
s_gridnevskii
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 6, 2026

I think Jira has pretty good REST API. You can keep original configuration in readonly text file and perform audit once per month by forming a new file with curl or a python script and making diff.

I have something similair for project access rights. We are not allowed to add individual users to projects. Script checks users through REST API and if user is added to any project Security team gets notified.

Like # people like this
Josh
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 7, 2026

@Gabriel Roth one potential thing to review with your quality / compliance teams is if you need an entire *instance* to be validated or if you can validate specific *spaces*. If you're able to perform a baseline risk assessment at the instance level and then only validate spaces with a higher level of risk, that could save you some time / documentation for the less risky spaces (e.g. general task tracking). You'd still likely want to be cognizant of instance-level settings that could impact all spaces, but hopefully the general concept makes sense.

One warning about the 3rd party apps discussed here - they are fundamentally reliant on Atlassian tooling and APIs to copy / promote configurations. Atlassian is in the process of but hasn't yet fully built out full configuration management capabilities in cloud. In my past evaluations of 3rd party apps, there were some glaring gaps that ended up being dealbreakers. Your mileage may vary.

Like # people like this
Maria Reisinger
Contributor
July 13, 2026

Great thread.

Most tools (and the REST-diff script @s_gridnevskii describes, which is a solid low-cost start) answer the question "has the state changed since my last baseline?" That proves drift happened.

But I keep thinking about the questions this doesn't answer. When an auditor asks "who changed this, and when?", a diff between two baselines simply can't tell you. That's not a flaw in any particular tool, it's the limit of the approach itself. A snapshot is like a photo of a room. Compare two photos and you can see that a chair has moved. You can't see who moved it, when, or whether it was moved five times in between and put back. If the photos look identical, you might even conclude nothing happened at all.

So for me the real question is how to close that gap. Individual snapshots just don't say much on their own if you don't know what actually happened between them. That's the difference between snapshot-based and event-based approaches: one compares states, the other observes changes as they occur. Both have their place. For audit evidence, the event trail is what holds up.

Full disclosure: I'm co-founder of MetaFrazo, where we take the event-based route, so I'm biased. But the distinction matters regardless of tooling. Even @viswanathan ramachandran's point about traceability is really a point about history, not state.

 

Like # people like this
Aaron Morris
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 13, 2026

Some answerers are presenting this as an either/or approach.  It's not.

Of course, snapshots alone are not enough, but governance alone is not enough either.  Proper governance gives you a framework for effectively managing changes.  Configuration drift detection helps you prove whether your governance is working. 

In a validated environment, you should use both.

The question presented here was about proving your validated state and that your configurations aren't drifting. An effective change control process--while absolutely critical--doesn't actually answer that question. If an auditor asks "How do you know that all changes are going through the change control process?", you need a mechanism to show that there are no unexpected changes in the environment.

Snapshot-based tools are one effective way to answer that question. :-)

Like Susan Waldrip likes this
s_gridnevskii
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Champions.
July 13, 2026

@Maria Reisinger just check 

https://<your_jira>/rest/auditing/latest/events
https://<your_jira>/rest/api/latest/auditing/record

You don't even need curl or postman, if you are logged in Jira will use your cookies for authentication.

I think Excel can import JSON and convert it into worksheet.


Like Susan Waldrip likes this

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events