Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

How to Prevent Atlassian Products being added by users w/company email domain accounts?

scott.harvey
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 27, 2023

In reviewing our Atlassian Admin page we found several applications have been added to our account by company users who are not admins, but do have other Atlassian product licenses (e.g. Jira, Confluence) and have a company email address/domain (e.g. jane.doe@acme.com).

Reviewing the "Security, Discovered products" page we have found many Atlassian products added to our company account, which were not authorized by our IT/Atlassian admins. These Products show end users as Org Admins for the specific products.

How are these non site admin users able to add applications to our Atlassian corporate account? I would think that having a corporate Atlassian suite we as admins should be able to control who can add products to our account?

That said is there a way as Atlassian Admins to configure our suite to prevent/block company email users (non admins) from self service creating Shadow IT products in our Atlassian suite?
Our company IT should be the only group sanctioned to add products (as Atlassian Admins).

6 answers

2 votes
James Blackburn
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 23, 2024

This is completely unacceptable. We are having the same issue and it's an enterprise feature to prevent this happening. 

A clear case of Atlassian not caring about customer security - it's a terrible default - and trying to force an upsell. 

 

Elizabeth Sardi April 16, 2024

A clear case of Atlassian not caring about customer security - it's a terrible default - and trying to force an upsell. 

 

I agree with you 100%.  

 

 

 

Like # people like this
1 vote
Petri Garagorri
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
April 18, 2024

Our plan is Standard, and we cannot stop users from creating their products using their work-related email. We´ve talked to them countless times, yet they keep creating stuff.

The only policy we have access to is to Allow new products. From the looks of it, it cannot be changed.

I don't understand why further configuration options for this would only be available for Enterprise plans. It seems unfortunate.

Unless I'm missing something, which is quite possible and in which case, suggestions are welcome.

Screenshot 2024-04-18 at 2.49.23 PM.png

1 vote
R365 IT Helpdesk
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 19, 2023

@scott.harvey I agree 100% with you as it took me awhile to wrap my head around how this was happening. Nic is correct though, theres nothing you can do about it. Except... we send the users an email informing them that the instance was identified and that we do not permit company email addresses to be used for this purpose. We kindly ask them to switch it to another email address if there is not company-related data being stored. If there is company data then we let them know this is not acceptable per our policies and that they need to transfer the company data into our approved instance as well. We give them a generous deadline to fix it by, and let them know if it is not completed by the deadline that we will reset their pword, take over the account, and close them out.

Christel Gray May 15, 2024

Do you have SSO enabled? I need to figure out how to do what you've described as we now have 5 products created and I'm getting no response from my initial emails.

 

Elizabeth Sardi May 15, 2024

@Christel Gray I have institute a similar policy to the one above, however, it is amended in that I look to see if there is any data in the environment and if none, take the account over and cancel the new environment.  I let the end user know that as per business process this is a violation and not allowed.  

1 vote
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 28, 2023

Welcome to the Atlassian Community!

When you say "applications", do you mean apps (plugins for existing Atlassian applications, stuff like Scriptrunner for Jira for example), or are your people creating new Jira/Confluence/Bitbucket systems?

For apps, it's up to the system administrators, they can add any app they want to their Jira/Confluence/Bitbucket.  You can't stop them without removing their administrative access to the systems.

If it's the applications, then you're more stuck.  Anyone with an Atlassian account can create Cloud systems.  However, I would question how they are getting them added to your corporate account - that can't be done automatically, you need to ask the owners of your account to get new systems added (With my Adaptavist Atlassian account, I've created a couple of dozen Cloud systems, but to add them to the Adaptavist group's enterprise account, I have to ask support)

scott.harvey
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 28, 2023

Thanks Nick for your quick response!


I may have my nomenclature definitions incorrect so apologies. Atlassian lists the discovered applications as I am calling them as, "Discovered Products."

Looking at the list of Discovered Products, they fall into for main groups:
Jira Software

Jira Service Management

Jira Work Management

Confluence


Atlassian states the following as a header explanation above the Discovered Products:

"Discovered products are products that your managed accounts create outside your Atlassian organization. We recommend that you contact the admins of these products to find out how they’re using each one."


This implies that the list of apps are products created outside our Atlassian organization, but by user accounts that have our company organization (e.g. @acme.com email address), and are not admins of our Atlassian organization.

My issue is that they are using company email addresses as their usernames which I would expect Atlassian to prevent/not allow to be used to self service create/add a cloud app (aka Discovered Product)

Other company Cloud Application products protect the organization from self service addition of Products (i.e. Cloud Apps) when using a company's email address domain, so I was hopeful Atlassian had a method to enable a similar filter.

 

Thanks,

-Scott

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 28, 2023

No apologies are needed, Atlassian has its own jargon like any other software vendor, and unless you're familiar with it, it's really easy to be a bit fuzzy.  That's the reason I asked.

The products you've listed are generally referred to as applications, so the "apps" part of my answer is irrelevant, but the "applications" part is, and needs expanding on.

  1. Atlassian Cloud systems can be created by anyone with an Atlassian account
  2. You can sign up for whatever you want with your Atlassian account
  3. Atlassian Accounts are tied to an email address (they require a single unique one)
  4. Your people have Atlassian accounts with your work email addresses attached

So that's how it is being allowed.  There's nothing you can do about this because of point 1, but, if someone uses a company email-based atlassian account, this does not automatically add the system to your corporate account - that has to be done by one of your admins.

Zoi TechCon GmbH
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
October 20, 2023

This is really crap!

Not everybody should be an application admin with an organizational account!? The permissions should be able to be configured according the compliance rules of the company, the country or whatever!? Can't understand that...

Like Christel Gray likes this
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
October 20, 2023

Your organisation needs to decide who are the admins, and then think about what they need to do.

0 votes
Louise
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 21, 2024

Hi All,

There is an active feature suggestion that is being reviewed by Atlassian, it's currently at the gathering interest stage.

If we can all vote for this issue (on the right side) and even leave a comment, we may see this happen sooner for non-Enterprise cloud users!

0 votes
Naomi April 3, 2024

In reviewing this further, I have found that our Atlassian Organization includes the option to "Require admin review" when a Managed Account attempt create a new product.

  1. Login to admin.atlassian.com
  2. Navigate to Security tab
  3. Under the "Monitoring" section in the left-hand sidebar, locate and click "Product requests"
  4. Change the Product Permissions to "Require admin review" instead of "All new products" for each of the desired projects listed.
iotim May 22, 2024

You must have an enterprise subscription because it only tells me we have to spend more money to do that

Like Darryl Lee likes this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events