Explore admin roles and governance in Atlassian Cloud
Learn about key responsibilities, permissions, and workflows to keep your organization secure, compliant, and well-managed.Introduction
As your organization moves from Data Center to Cloud, naturally, you may be curious about the nuances of your new environment and how your admin responsibilities will shift accordingly. This section will go over key responsibilities, permissions, and workflows associated with each Atlassian admin role in Data Center vs. Cloud apps, highlighting each role’s impact on tool configuration, user management, security, and overall governance in Cloud.
Admin roles in Data Center
Admin roles allow organizations to delegate different responsibilities among many admins instead of relying on just one person. What you can access and configure is determined by the type of admin you are. In Data Center, there are three admin roles: System admin, Product admin, and Space admin. See below how these roles relate to admin roles in Cloud:
System admin
The system admin is responsible for managing the physical servers, hardware, and planned/unplanned downtime. They have the same permissions as the product admin, plus access to the hardware, servers, and the ability to modify all system settings.
Product admin (or Jira admin)
The product admin can modify most of the system settings in the app(s) they administer. They can also simultaneously serve as the system admin, as both admin roles have overlapping permissions. Product admins can assign permissions using group control and are able to create new spaces, fields, and users and change workflows.
Project admin
The project admin is assigned to a single person by role assignment in the respective project. They have the capability to modify various configurations of the project.
Extended project administration rights are also available to project admins and allow them to adapt workflows and screens under certain conditions. For example, they can add a status if it is already contained in an active app instance. New statuses cannot be created, and existing statuses cannot be edited. The project admin can also add, rearrange, or remove, but not create, custom fields.
Admin roles in Cloud
Similar to Data Center, there are several types of admin roles in Cloud and it’s possible to have multiple admin roles at the same time. The admin roles you can have and assign to other members within your organization depend on whether you are using the original user management experience or the centralized user management experience within Atlassian Administration.
TIP: Atlassian Administration (admin.atlassian.com) is a centralized app for managing your Cloud organization - from managing user access and adding services to implementing robust security policies and tracking usage and billing.
NOTE: This section only outlines admin roles granted through Atlassian Administration. If you want to know more about other admins, read the documentation for:
Determine which user management experience you have
To check, go to your organization at admin.atlassian.com and select ‘Directory’. If the Users and Groups list is found here, then you are using the centralized user management.
Original
Centralized
Admin roles available in both the original and centralized user management experiences
Organization admin
When you create an organization, you automatically become an organization (or org) admin - the highest level of admin - and can complete any administrative task in Atlassian Administration. We recommend you assign more than one org admin in case one account is lost or compromised.
TIP: Take this learning path to ramp up quickly as an org admin!
Site admin
For the original user management experience, a site admin manages the users, groups, and administration settings of the site they’ve been assigned to (as well as any apps that sit within this site). Site admins have access to any content within their assigned site. The role allows limited access to manage billing.
For the centralized user management experience, a site admin can complete tasks related to the specific site they are administering, including adding new apps to the site and managing apps installed on the site, and they have limited access to manage billing. Site admins in the centralized user management experience cannot manage users or groups.
Read this to learn more about the differences between site admins.
App admin
An app admin can manage administration settings for a specific app. They don’t have access to Atlassian Administration. With the exception of Jira admins, app admins can access the content within the app they administer. It’s possible to be an app admin for one or more Atlassian apps.
Space admin
A space admin can manage administration settings for a specific space. They don’t have access to global or site-wide administration. Rather, space admins control the permissions, content visibility, and configuration within their scope, such as assigning user or group access, updating settings, or customizing the look and feel. They cannot view locked content or override global defaults. It’s possible to be a space admin for one or more spaces.
User access admin
Unlike an organization admin, a user access admin has limited access to Atlassian Administration. Their main task is to manage user access to the apps they administer. For example, an organization might have a user access admin who manages app access for Confluence, and another user access admin who manages app access for Jira.
A user access admin can be assigned to one or more apps, but can’t log in or use those apps. This means user access admins won’t count as billable users for the apps they administer, unless they’re granted an additional role that gives access to that app.
TIP: Read this article to learn which features are available to each admin role in Atlassian Administration.
Keeping governance processes and practices up to date
To effectively manage admin access requests, minimize unauthorized changes, and maintain a compliant administrative environment, consider establishing an approval process for users seeking org, user, app, and space administrative permissions. You can streamline this process by creating a dedicated request type or a user-friendly form where users can provide essential details about the access they require and the purpose behind their request.
Within Atlassian Administration, org admins can also configure user access settings. This allows admins to specify domains that can gain access to apps without an invitation or with an admin’s approval. When configured to require approval, users from that domain can request access to an app and include more details about their request for admins to then approve or deny.
By implementing this process, admins like yourself can stay in control and ensure adherence to your organization's app governance practices.
To keep up with evolving needs, be sure to regularly review and update your app governance policies, scheduling periodic check-ins (for example, annually or biannually) to align them with your organization's growth and changing requirements.
When embarking on a space to review and enhance governance practices, Atlassian provides valuable resources to support you along the way. Check out the following plays from our Team Playbook to align with internal stakeholders who share Cloud governance responsibilities and may be impacted by changes:
To capture and document discussions and agreements made during the process, ensure clarity, consensus, and success in governance-related endeavors, use the following Confluence templates: