📣 Enterprise Edition Component Security Controls for Jira and Confluence Automation

 

We are thrilled to announce the arrival of the first set of component-level security controls for Jira and Confluence Automation. Available to Enterprise Edition customers, component controls allow Jira and Confluence admins to set allowlists for select automation actions to reduce the risk of data egress. Once an admin-defined allowlist is configured and the component control is enabled, it acts on all existing and new automation rules, so that your organization remains resilient against threats whilst still getting the efficiency benefits that automation brings. Component controls are rolling out starting today and will be Generally Available by the end of July 2024.

How component controls work

There are five components that make up this first release of automation security controls: Send email, Send web request, Send Slack message, Send Microsoft Teams message, and Send Twilio notification. Each has its own allowlist, as detailed below:

Automation Component       How the allowlist works
Send Email                 Restrict to specific email domains (e.g. example.com, example.com.au)
Send Web Request           Restrict to specific domains (e.g. exampleservice.com)
Send Slack message         Restrict to Slack instances (e.g. example.slack.com/...)
Send Teams message         Restrict to Teams instances (e.g. teams.microsoft.com....)
Send Twilio notification   Restrict to specific phone numbers (e.g. +14152739164)

Note: The configuration and management of component security controls are intentionally limited to Jira and Confluence admins with global permissions.

 

1) Head to Global Automation in Jira and/or Confluence

Component security controls can be set for every Enterprise Edition product that your organization uses. To get started, you’ll need to navigate to the Global Automation area of Jira or Confluence. It’s important to note that component controls need to be set for each product individually: if you have teams using both Jira (this includes Jira, Jira Work Management and Jira Service Management) and Confluence Enterprise Edition, you’ll need to configure component controls in both products.


2) Head to “Configure components”

Once in Global Automation of Jira or Confluence, click on the three dots at the top right and select “Configure components”.

3) Set your allowlists

By default, component controls are not enabled. Start by clicking the “Configure” button, then follow the prompts to “Restrict to specific…” and enter the domains, URLs or phone numbers that you want to allow. Once the configuration is saved, it acts on every rule that uses that specific action, and it applies to all admins, both those with global permissions and those with project- or site-level permissions. A total of 200 entries can be added. Once saved, control configuration changes are logged on the “Configure components” page with the time, date and admin name.


Tip: Before enabling a component control, you can check how many rules use the action by clicking the three dots next to the “Configure” button. The link opens a filtered view of the Rules List, in a new tab, showing every rule that uses that specific component. You can then notify rule owners of the configuration change to prevent rule run errors, or edit the rules directly to check that the component’s configuration complies with the allowlist. Any rule that doesn’t comply with an allowlist will be shown as a ‘failed’ rule, with relevant details, in the Audit Log.


 


How Component Controls work when creating or editing a Rule

Keeping your organisation secure doesn’t mean that creating an automation gets harder for your team. To help reduce internal support load and empower all admins to keep creating time-saving rules with controlled components, we’ve added the ability for them to view an allowlist within the Rule Builder.


Once a component control has been configured, a “View allowlist” link appears on the action component within the rule builder. Clicking it shows all the allowed entities in a pop-up. A project or site admin only needs to raise an internal request when they want a new entity, such as a new email address or domain, added to an allowlist.


What's next?

Your organization’s security is paramount, and component security controls are just the first of a host of new security features coming to Atlassian Automation to ensure that your business remains resilient against threats while maintaining efficiency and compliance. Keep an eye out for “Automation” on the Public Roadmap and here for the latest. In the meantime, we’d love to get your feedback on this first iteration of controls. As always, leave a comment or book a time to chat with us here.

2 comments

Bill Sheboy
Rising Star
June 25, 2024

Hi @Simon Chan 

Thanks for this update and information!

For those of us who do not have an enterprise license, would you please describe:

  • When creating the rule, I note the "View allow list" for the Send Email action.  Does the validation only happen at run-time or does it also happen for hardcoded email addresses when the rule is created / edited?
  • You note noncompliance will show a rule failure in the log.  What does the error message look like in the audit log?

Kind regards,
Bill

Simon Chan
Atlassian Team
June 25, 2024

Hey @Bill Sheboy

Thanks for the great questions!

For newly created rules or edits to existing ones, validation currently happens at rule update or publish (aka save), so when someone is creating or editing a rule with a component like Send Email, it will be checked against the configured Allow list.


In the scenario where there is an existing rule and an Allow list is enabled or modified so that the existing rule no longer complies: the rule will generally show as 'some errors' at next rule run. This will be reflected in the Audit Log and will have a relevant message under 'Show more'.

  • If a rule has some domains or URLs or numbers that comply and some that do not, the ones that do comply will still be sent the relevant message whereas ones that do not will be blocked. This will show as 'Success' in the audit log, but will still have the detail in 'show more' that some emails/urls were not on the Allow list.

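The allowlist behaviour described in the announcement (the table of component allowlists and the 200-entry limit) and the partial-compliance behaviour Simon Chan describes in the reply above, as an added Python example. This is illustrative code written for this page; it is not Atlassian's implementation and not part of the original post. The function names (check_send_email, check_send_web_request, check_send_twilio, CheckResult), the sample recipients and URLs, and the exact-host matching rule are all assumptions: the page does not say whether subdomains of an allowed domain are accepted. The example also shows why a web-request allowlist must compare the parsed host of the URL rather than search the URL text for an allowed string, using constructed bypass URLs.

```python
"""Model of an admin-defined allowlist applied to automation actions.

Illustrative code for this page, not Atlassian's own. Matching rules beyond
exact, case-insensitive equality of the parsed host/domain are assumptions.
"""
from dataclasses import dataclass, field
from typing import Iterable, List
from urllib.parse import urlsplit

MAX_ENTRIES = 200  # the announcement states a total of 200 entries can be added


@dataclass
class CheckResult:
    allowed: List[str] = field(default_factory=list)
    blocked: List[str] = field(default_factory=list)

    @property
    def status(self) -> str:
        # Per the reply in the thread: compliant targets are still sent and the
        # run logs as Success with detail; a rule that no longer complies at all
        # shows as 'some errors'.
        if self.blocked and not self.allowed:
            return "SOME ERRORS"
        return "SUCCESS"

    @property
    def detail(self) -> str:
        return "Not on the allow list: " + ", ".join(self.blocked) if self.blocked else ""


def _normalise_allowlist(entries: Iterable[str]) -> set:
    """Lower-case, trim, and enforce the 200-entry limit."""
    items = {e.strip().lower() for e in entries if e.strip()}
    if len(items) > MAX_ENTRIES:
        raise ValueError(f"allowlist limited to {MAX_ENTRIES} entries")
    return items


def email_domain(address: str) -> str:
    """Domain part of an address, lower-cased; empty string if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local else ""


def check_send_email(recipients: Iterable[str], allowed_domains: Iterable[str]) -> CheckResult:
    allow = _normalise_allowlist(allowed_domains)
    result = CheckResult()
    for r in recipients:
        (result.allowed if email_domain(r) in allow else result.blocked).append(r)
    return result


def url_host(url: str) -> str:
    """Host as the URL parser sees it, ignoring userinfo, port, path and query."""
    return (urlsplit(url.strip()).hostname or "").lower()


def check_send_web_request(urls: Iterable[str], allowed_domains: Iterable[str]) -> CheckResult:
    allow = _normalise_allowlist(allowed_domains)
    result = CheckResult()
    for u in urls:
        # Exact host match is assumed; the page does not state whether subdomains
        # of an allowed domain are covered.
        (result.allowed if url_host(u) in allow else result.blocked).append(u)
    return result


def naive_web_request_check(url: str, allowed_domains: Iterable[str]) -> bool:
    """The substring check an allowlist must NOT use: every bypass URL below passes it."""
    return any(d in url for d in allowed_domains)


def e164(number: str) -> str:
    """Strip formatting so '+1 (415) 273-9164' and '+14152739164' compare equal."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return "+" + digits if digits else ""


def check_send_twilio(numbers: Iterable[str], allowed_numbers: Iterable[str]) -> CheckResult:
    allow = {e164(n) for n in allowed_numbers}
    result = CheckResult()
    for n in numbers:
        (result.allowed if e164(n) in allow else result.blocked).append(n)
    return result


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real rule or tenant.
    r = check_send_email(["alice@example.com", "bob@example.com.au", "eve@attacker.example"],
                         ["example.com", "example.com.au"])
    print(r.status, r.allowed, r.blocked, r.detail)
    for u in ["https://exampleservice.com/hook",
              "https://exampleservice.com.evil.example/hook",
              "https://exampleservice.com@evil.example/hook",
              "https://evil.example/?to=exampleservice.com"]:
        print(u, "substring:", naive_web_request_check(u, ["exampleservice.com"]), "host:", url_host(u))
```

The three blocked web-request URLs all contain the literal text exampleservice.com, so a check that searches the URL string would let them through; comparing urlsplit().hostname against the allowlist is what keeps a webhook from being redirected to a look-alike domain, a userinfo trick, or a query parameter.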
