Easily test external user security: test policy now available

Hi @David Olive 

Is this feature rolled out gradually or should it already be available at all sites? I'm checking this at one of our customer's sites and I cannot see this option to add a test policy.

Cheers,
Tom

Hi @Tomislav Tobijas _Koios_ we are gradually rolling out this feature. Not all orgs have it yet but should soon in the next couple weeks!

Hi @David Olive 

In terms of what products/instances would be covered by an external policy set against an organisation - is it:

1. Any products that are  managed/owned by the Access org?
2. Any products that are owned by a managed user within an org?

I am assuming that it’s the former, but until Atlassian provide a way for companies to prevent users (who we pay to manage) from setting up new Cloud environments that aren’t associated with the Access Org, that means we still cannot manage external access to company content.

And yes, there’s a hyped feature that lets an access org stop users signing up for Cloud products without first being approved by the Org admins, however, this can only be enabled for Orgs who have an Enterprise version of each product you want to gate (yet we have a huge DC instance which we cannot yet move to Cloud as it’s too large and complex).

So we are still in the position of:

 - not being able to stop our users from setting up additional Cloud instances

 - when the above does happen, not being able to enforce security policies on external users 

Both of these points are significant hindrances and mean we’re constantly diverting time and energy from proactively consolidating/simplifying our DC environment to get it to a state that means it’s more aligned with Cloud.

CCM

Hi @Craig Castle-Mead 

Yes, External User Security policies only apply to products that are managed/owned by the Access org.

For the issue of managed users creating other instances without permission outside of the method you mentioned there is also the discovered products feature which lets you set up alerts when managed users create new instances outside your org so you can contact them.

We are always looking for ways to improve these features! You can reach out to me at dolive@atlassian.com if you would like to talk more about these features and your organizations pain-points.

Good morning.

When I type the email of an external user in the test policy it always tells me "User not found", however said user exists in my directory and has been assigned a client role as well as a project to connect to.

What more characteristics should I add to said user so that the testing policy recognizes it as such? In my case we are using Atlassian Acess.

Thank you

Hi @María José Vázquez Poza ,

Thanks for reaching out, would be happy to help you with this.

If possible could you send me some more info regarding the user, like what product they have access to and some screenshots.

You can reach me at dolive@atlassian.com

Happy to Help!

All the best,

-David

Don't worry. I have assigned the role jira-user... and it has already let me include that user in the external user policy. Thank you.

Hi,

Does this feature allows to manage people from our Azure AD (when subscribing to Atlassian Access) with an email domain address not owned by our company ?

For example, a partner which has a account in our acme.com domain but with it company email address associated to it mypartner.com ?

Or this feature only works with external user account through their Atlassian ID ?

Thanks.

Hi @Frédéric MICHELETTI 

You can only manage accounts from a claimed domain.

The external user security feature will allow you to enforce step-up verification when one of those external users (i.e from an unclaimed domain) tries to access your org, you will have the ability to enforce step-up verification then via this feature.

At the moment we have verification via email one time passcode but in the future will be allowing you to enforce SSO if you have those externals in your identity provider.

You can read more about external user security here.

Hi @David Olive

Thanks for the feedback.

I still have a grey area regarding this topic. What do you consider as External Users ?

• Only users with an Atlassian ID ?
• Or any users coming from our IDP with an email attribute of their own company (through Atlassian Access feature) ?

Bottom line, my question is: Does this feature works with accounts coming from our own IDP through Atlassian Access ?

Thanks.

Hi @Frédéric MICHELETTI 

Here is some clarification on what is considered an external user.

If you are giving those users from your IDP with an email attribute of their own company product access to instances within your organization then yes, external user security will apply to them.

Hope that helps to clarify but if not feel free to reach out to me directly via email at dolive@atlassian.com!