
How to Prevent Atlassian Products being added by users w/company email domain accounts?

scott_harvey
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 27, 2023

In reviewing our Atlassian Admin page we found several applications have been added to our account by company users who are not admins, but do have other Atlassian product licenses (e.g. Jira, Confluence) and have a company email address/domain (e.g. jane.doe@acme.com).

Reviewing the "Security, Discovered products" page we have found many Atlassian products added to our company account, which were not authorized by our IT/Atlassian admins. These Products show end users as Org Admins for the specific products.

How are these non site admin users able to add applications to our Atlassian corporate account? I would think that having a corporate Atlassian suite we as admins should be able to control who can add products to our account?

That said is there a way as Atlassian Admins to configure our suite to prevent/block company email users (non admins) from self service creating Shadow IT products in our Atlassian suite?
Our company IT should be the only group sanctioned to add products (as Atlassian Admins).

7 answers

4 votes
James Blackburn
I'm New Here
February 23, 2024

This is completely unacceptable. We are having the same issue and it's an enterprise feature to prevent this happening. 

A clear case of Atlassian not caring about customer security - it's a terrible default - and trying to force an upsell.

Elizabeth Sardi
Contributor
April 16, 2024

A clear case of Atlassian not caring about customer security - it's a terrible default - and trying to force an upsell.

I agree with you 100%.

1 vote
Louise
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 21, 2024

Hi All,

There is an active feature suggestion that is being reviewed by Atlassian, it's currently at the gathering interest stage.

If we can all vote for this issue (on the right side) and even leave a comment, we may see this happen sooner for non-Enterprise cloud users!

1 vote
Petri Garagorri
I'm New Here
April 18, 2024

Our plan is Standard, and we cannot stop users from creating their products using their work-related email. We've talked to them countless times, yet they keep creating stuff.

The only policy we have access to is to Allow new products. From the looks of it, it cannot be changed.

I don't understand why further configuration options for this would only be available for Enterprise plans. It seems unfortunate.

Unless I'm missing something, which is quite possible and in which case, suggestions are welcome.


1 vote
R365 IT Helpdesk
I'm New Here
October 19, 2023

@scott_harvey I agree 100% with you as it took me a while to wrap my head around how this was happening. Nic is correct though, there's nothing you can do about it. Except... we send the users an email informing them that the instance was identified and that we do not permit company email addresses to be used for this purpose. We kindly ask them to switch it to another email address if there is not company-related data being stored. If there is company data then we let them know this is not acceptable per our policies and that they need to transfer the company data into our approved instance as well. We give them a generous deadline to fix it by, and let them know if it is not completed by the deadline that we will reset their pword, take over the account, and close them out.

Christel Gray
Contributor
May 15, 2024

Do you have SSO enabled? I need to figure out how to do what you've described as we now have 5 products created and I'm getting no response from my initial emails.

Elizabeth Sardi
Contributor
May 15, 2024

@Christel Gray I have instituted a similar policy to the one above, however, it is amended in that I look to see if there is any data in the environment and if none, take the account over and cancel the new environment. I let the end user know that as per business process this is a violation and not allowed.

1 vote
Nic Brough -Adaptavist-
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
June 28, 2023

Welcome to the Atlassian Community!

When you say "applications", do you mean apps (plugins for existing Atlassian applications, stuff like Scriptrunner for Jira for example), or are your people creating new Jira/Confluence/Bitbucket systems?

For apps, it's up to the system administrators, they can add any app they want to their Jira/Confluence/Bitbucket.  You can't stop them without removing their administrative access to the systems.

If it's the applications, then you're more stuck.  Anyone with an Atlassian account can create Cloud systems.  However, I would question how they are getting them added to your corporate account - that can't be done automatically, you need to ask the owners of your account to get new systems added (With my Adaptavist Atlassian account, I've created a couple of dozen Cloud systems, but to add them to the Adaptavist group's enterprise account, I have to ask support)

scott_harvey
I'm New Here
June 28, 2023

Thanks, Nic, for your quick response!


I may have my nomenclature definitions incorrect, so apologies. Atlassian lists the discovered applications, as I am calling them, as "Discovered Products."

Looking at the list of Discovered Products, they fall into four main groups:
Jira Software

Jira Service Management

Jira Work Management

Confluence


Atlassian states the following as a header explanation above the Discovered Products:

"Discovered products are products that your managed accounts create outside your Atlassian organization. We recommend that you contact the admins of these products to find out how they’re using each one."


This implies that the list of apps are products created outside our Atlassian organization, but by user accounts that have our company organization (e.g. @acme.com email address), and are not admins of our Atlassian organization.

My issue is that they are using company email addresses as their usernames which I would expect Atlassian to prevent/not allow to be used to self service create/add a cloud app (aka Discovered Product)

Other company Cloud Application products protect the organization from self service addition of Products (i.e. Cloud Apps) when using a company's email address domain, so I was hopeful Atlassian had a method to enable a similar filter.

Thanks,

-Scott

Nic Brough -Adaptavist-
Rising Star
June 28, 2023

No apologies are needed, Atlassian has its own jargon like any other software vendor, and unless you're familiar with it, it's really easy to be a bit fuzzy.  That's the reason I asked.

The products you've listed are generally referred to as applications, so the "apps" part of my answer is irrelevant, but the "applications" part is, and needs expanding on.

  1. Atlassian Cloud systems can be created by anyone with an Atlassian account
  2. You can sign up for whatever you want with your Atlassian account
  3. Atlassian Accounts are tied to an email address (they require a single unique one)
  4. Your people have Atlassian accounts with your work email addresses attached

So that's how it is being allowed. There's nothing you can do about this because of point 1, but, if someone uses a company email-based Atlassian account, this does not automatically add the system to your corporate account - that has to be done by one of your admins.

Zoi TechCon GmbH
I'm New Here
October 20, 2023

This is really crap!

Not everybody should be an application admin with an organizational account!? The permissions should be able to be configured according to the compliance rules of the company, the country or whatever!? Can't understand that...

Nic Brough -Adaptavist-
Rising Star
October 20, 2023

Your organisation needs to decide who are the admins, and then think about what they need to do.

0 votes
Sonya Petkunas
Contributor
September 17, 2024

We are on Premium and I have been told that blocking this ability is only done with Enterprise. I do not agree that that is how it should be, but until Atlassian addresses it, I join as admin and delete them. What makes matters worse is that non-admins can sign up for paid accounts.

0 votes
Naomi
April 3, 2024

In reviewing this further, I have found that our Atlassian Organization includes the option to "Require admin review" when a Managed Account attempts to create a new product.

  1. Log in to admin.atlassian.com
  2. Navigate to Security tab
  3. Under the "Monitoring" section in the left-hand sidebar, locate and click "Product requests"
  4. Change the Product Permissions to "Require admin review" instead of "All new products" for each of the desired projects listed.

iotim
Contributor
May 22, 2024

You must have an enterprise subscription because it only tells me we have to spend more money to do that

andylee
October 12, 2024

How can we prevent this from happening? The managed accounts (using our email accounts) are creating new Jira instances with a different name.
