Explore Atlassian admin roles
20 min
Advanced
By the end of this lesson, you'll be able to:
- Differentiate the org admin, site admin, user access admin, product admin, and user roles
- Describe how to grant and revoke different roles
Explore the org admin role
The org admin has a crucial role in managing various aspects of the organization. They can manage the organization and all its sites. Users can hold the org admin role for multiple organizations.
Org admins can:
- Grant the org admin, site admin, and user admin roles, then delegate some of their tasks to other admins.
- Manage users and groups within the organization.
- Grant user roles and permissions to all sites within their organization.
- Manage product subscriptions and billing details across all sites in an organization.
- Verify or remove domains within the user access settings for your organization. They can choose to approve certain domains for access upon request or wait for their approval.
- Implement and maintain security measures to protect sensitive data, such as configuring authentication policies.
- Monitor activity by accessing analytics on users and security practices or by viewing the audit log to track activities across the organization and its various sites.
Org admins and user access admins can easily identify an org admin by the gray label next to their name on the User page, in the Users directory, and in the list of users in the org-admins group.
Grant and revoke the org admin role
The user that creates a new organization automatically becomes the org admin. Org admins can then grant the org admin role to other users.
When you grant a user the org admin role, they automatically have access to all products within the organization. Org admins have the user and product admin roles for all products.
👇 Click the tabs below to explore the different methods used to grant and revoke the org admin role.
An org admin can assign the org admin role to another user from their user page, in the user directory. Users with the org admin role are automatically added to the special group org-admins.
Org admins can unassign the org admin role from the user page.
You can’t delete the org-admins group. You also can’t use it as a default groups for products.
Explore the site admin role
Site admins have the ability to perform tasks specific to the site they are administering. Org admins can choose to assign a site admin to delegate some of the administrative tasks.
👇 Click the boxes below to learn about the tasks site admins can perform.
Grant and revoke the site admin role
The org admin is the only role that can grant the site admin role to users or revoke it from them.
To grant the site admin role to a user:
- Navigate to the user from the Users tab within the Directory section of the admin hub.
- From the ellipsis drop-down menu, click Assign site admin.
- From the list of organizations, select the Site Admin role.
- Click Grant.
👉 For example: Kevin is an org admin for the ACME organization and, he has decided to delegate the administration of the acme site to Norah.
👇 Here’s how Norah’s user page will look in the admin hub after being granted the site admin role for acme.
There isn't a group associated with the site admin role. When you assign the site admin role to a user, they are not automatically added to any groups.
Org admins can revoke the site admin role from users in two ways, both using the Users page in the Directory section of the admin hub. You can revoke the site admin role using the More actions (represented by ···) and selecting Revoke role or deselecting the role in the Role dropdown for the site.
Explore the user access admin role
A user access admin mainly manages user and group access to the product they administer. This makes it easy for org admins to delegate product access management for users from the admin hub on a per-product basis.
User access admins can:
- View all users and groups in the organization.
- Invite users to the products they administer.
- Grant access to existing users to the products they administer.
- Add or remove users from groups that grant access to products they administer.
- Suspend access to users that only have access to products they administer.
- Remove users that only have access to products they administer.
The user access admins can't manage groups that give access to products they don't administer.
👉 For example: ACME is an organization containing Acme UK and Acme US sites. In order to delegate some of the administrative tasks around the organization, the org admin grants Hasan the user access admin role for Confluence on Acme UK site, and Claudia the user access admin role for Jira on Acme US site. Hasan and Claudia can now grant and revoke access to users and groups for their respective products, but not each other's respective products.
The user access admin role is only available if you have centralized user management.
User access admins won’t count as billable users for the product they administer, unless you grant them an additional role that gives access to that product.
👉 For example: ACME is an organization containing Acme UK and Acme US sites. Hasan is granted the user access admin role for Confluence on the Acme UK site. Hasan can now do all the tasks of the user access admin but unless they are granted any further roles they do not have product access to Confluence and don’t count as a billable user.
Grant and revoke the user access admin role
When an organization is created and products are added, there are default user access admin groups that get created for each product. When a user is a member of a default user access admin group, they automatically become user admins for the associated product.
👉 For example: ACME is an organization having one site called Acme UK. Acme UK site has Jira and Confluence products. As a result, Atlassian automatically created two user access admin groups:
- confluence-user-access-admins-acme-uk: Members of this group are user admins for Confluence on Acme UK.
- Jira-user-access-admins-acme-uk: Members of this group are user admins for Jira on Acme UK.
Atlassian creates the user access admin groups by default. Org admins can change or delete the default user access admin groups with a custom group.
👇 Click the boxes below to explore how to grant and revoke the user access admin role.
Explore product admin roles
Product admins have access to product-level settings in the products they were granted the product admin role for. They also have access to the content of the product they administer, with the exception of Jira admins. They don't have access to the admin hub.
The tasks that product admins can do depends on their product.
👇Click the tabs below to explore two examples
A Jira product admin can:
- Create company-managed projects.
- Create workflows.
- Manage mail settings.
- Advanced settings such as creating webhooks.
- Manage apps.
A Jira product admin can't:
- Access the admin hub.
- Manage users and groups.
- Grant access to Jira.
Since Confluence product admins can also collaborate on pages, they count towards your product bill. However, Jira product admins don’t have the ability to update work items, and therefore, are not billable.
Grant and revoke the product admin role
Granting the product admin role automatically adds the user to the default group for that role. Adding products to an organization automatically creates groups per product for each site containing users, admins, user admins and other types of users specific to each product. Each of these groups will have default permissions and access rights. You should verify memberships provide the expected access first before granting them to any group, or as an org admin you can change them.
👉 For example: For Jira, the default product admin group is called jira-admins-<site-name>, and for Confluence, the default product admin group is called confluence-admins-<site-admin>.
👇Click the tabs below to explore two examples of how to grant and revoke product admin roles.
There are several methods to grant and revoke the product admin role for Jira.
To grant the Jira admin role:
- On the user page in the user directory, click Grant access then select the Product Admin role for the Jira Administration product, and click Grant access to confirm.
- On the user page, add the user to a group with access to Jira product administration. By default, it should be jira-admins-<site name> group.
- On the groups page, add the user to a group with Jira product admin access from the group page. By default, it should be jira-admins-<site name> group.
To revoke the Jira admin role:
- On the user page in the user directory, next to the Jira Administration product, unselect the Product Admin role from the Product roles dropdown.
- On the user page, remove the user from groups with Jira product admin access. By default, it should be jira-admins-<site name> group.
- On the group page for the groups with access to Jira product administration, remove the user membership. By default, the group should be jira-admins-<site name>.
Explore user roles
There are different user roles across Atlassian products. The main role is the user role in Atlassian Cloud, which refers to the level of access granted to individuals within an organization who need to log in to the products and use their features. The user role translates differently for each product in terms of what the user can do. Users with this role count towards the product license.
👉 For example: Individuals with the user role in Jira can create, edit, comment on, and delete work items. They can also use boards to update work items, create dashboards, and add gadgets given they have the relevant permissions.
Individuals granted the user role are the same as those added to the default group for that role. By default, the group is called <product>-users-<sitename>.
👇Click the boxes below to learn about other user roles.
An org admin can put certain measures in place to enforce security for external users. Users with guest, stakeholder, or customer roles are referred to as external users as they often are not part of the company or are from a different department. Org admins should make sure they have control over what data these users can access, for that reason.
- Two-step verification: Force external users to verify their identity when they try to access the organization’s product data.
- Single sign-on: Authenticate external users through your company's identity provider when they log in to Atlassian Cloud products.
- Periodic re-verification: Set how often external users need to verify their identity.
- Reviewing external users before changing security settings: Export external users in a CSV to review their details.
- API token access: Control API token access to products in the organization.
External user security features require an Atlassian Guard subscription.
Grant and revoke user roles
There are three ways to grant most user roles:
- Assign the relevant role to the product from the user page in the user directory.
- Add the user as a member of a group:
- For users, the default is <product>-users-<sitename>
- For guests, the default is confluence-guests-<sitename>
- For customers, the default is jira-servicemanagement-customers-<sitename>
- For stakeholders, the default is jira-servicemanagement-stakeholders-<sitename>
- Invite the user to the product from the admin hub and select the relevant role in the Invite page.
For the customer role in Jira Service Management, users can also sign up from the help center or send an email request, if enabled.
You can remove all the user roles in the same two ways:
- Revoke the role from the user page: Unselect the role from the Product access section in the user page in the user directory.
- Revoke the role from the group page: Remove the user from all the groups providing access to the role.
How was this lesson?
next lesson
Create an Atlassian organization
- Create an organization by signing up for a product
- Create an empty organization without products
- What happens when you create an organization?