Hi,
The login procedure for managed users contains a dangerous security issue.
Steps:
- The managed user wants to use the Confluence/Jira site of the company
- The user does not remember the exact URL of the site and performs a search
- The user clicks on one of the search results and selects one of the buttons "Get Confluence", "Get Jira", etc...
- The user enters their work email and uses the identity provider login (IDP)
- The user gets logged in through the IDP
Expected results:
- Atlassian knows that the user is a managed user that belongs to an organization
- The organization has already one or more EXISTING sites
- Atlassian should redirect the user to a page offering a choice between the EXISTING sites
Actual results:
- The user is redirected to a signup page which also contains a "welcome back" message, tricking the user into thinking they are on the right track
- The page contains a prefilled edit box with a site name that contains the organization name.
- Because the site name contains the organization name, the user thinks he is still on the right track and clicks the blue button
- In the next step a NEW organization and a NEW site are created
- The user is still not aware that he is working outside of the organization and can start entering confidential company data into this new site.
This security issue requires urgent fixing.
Proposal:
- A managed user of an organization should not be allowed to create new sites
- Only organization admins are allowed to create new sites
Thanks,
Stefaan
Hi @Stefaan Vandaele ,
That is indeed something that happens way too often (unfortunately).
At this time, there is no way for an organization admin to block the unauthorized creation of a site/organization by a managed user. At best if you have Atlassian Guard, they will be notified and you can remove the newly created site.
We've taken this up with Atlassian plenty of times but sadly this is the reality that happens way too often still.
Hi @Dirk Ronsmans ,
Atlassian is really tricking the user into creating a new site.
A more responsible role of Atlassian could be to guide the user towards existing products and sites for the organization.
Do you mean that Atlassian is not willing to do that?
Stefaan
@Stefaan Vandaele For everyone aware of the related Atlassian requests (CLOUD-10325, ID-7697, etc), I think we're all in agreement now this is not (nor ever was) a bug, oversight, or security oversight by Atlassian.
Given the blatantly insincere & infrequent communications, the misdirection, and all too convenient tie-ins with boosting subscription #s...this is either a legacy "feature" some codgy ol big-wig still thinks is legitimate, or it ties into some other internal financially-driven motive down the road.
I, out of curiosity, wanted to try this, and you are exactly right @Stefaan Vandaele.
It is really tricky.
When searching in google for Jira or Confluence, if a user clicks on the link below as shown in the search results:
https://www.atlassian.com/software/jira/free
https://www.atlassian.com/software/confluence/free
If they are already logged in (have the authentication cookies), they are directly prompted to create a new environment with a suggested URL pre-filled, resembling the company's actual URL.
Hi Stefaan - Yes, hearing this a lot lately. Maybe someone from Atlassian will come address.
From all indicators from Atlassian in the public forum thus far, this seems more like a shady strategy that's been enforced by someone (or some group) within Atlassian with significant sway/influence. This individual or group takes Atlassian customers for fools if they thought this strategy would just slide by.
Factoring in how this issue/bug has been poorly managed & communicated with customers, the blatantly disingenuous representation of this non-'solution', followed by an immediate internal directive for product teams to close all tickets related to the request...we should all be in agreement by now what's going on.
Someone from my company attended Team '24 and spoke with a few folks from Atlassian. They reportedly said it was an intended feature and didn't see it being changed anytime soon.
Ohey @Stefaan Vandaele ...
In the immortal words of John McClane, "Welcome to the party, pal!"
I wrote a tiny bit about this here:
Why is Atlassian promoting Shadow IT? Or Accidental IT?
And people are NOT happy in a few of the tickets that seem to address this:
(An Enterprise-only feature allows admins to prevent managed users from creating sites. This functionality has now been extended to Premium Trello and Bitbucket plans.)
Thanks for the pointer here, @Dirk Ronsmans ...
Oh yeah, and folks are not happy about here either:
What troubles me most about this is that the tickets regarding it (many of which are years old) are being closed and flagged as "resolved."
Hi all - trying to get the word out:
@Charles Blaxland has gotten @Derrick Nguyen to file this Suggestion:
I think all the major points are covered, so I look forward to everyone voting it up.
I don't look forward to Atlassian letting it languish for several years. :-/
Thanks a lot Charles and Derrick!
Hi @Stefaan Vandaele - as you recently commented in CLOUD-10325, I had forgotten that "the situation was different (and even worse) for the customers who don't have Atlassian Guard."
It prompted me to create a new post:
You are spot on here:
- Managed users: the users are "managed" but what does this mean? In my opinion, the company must have control over those users and what they can do or can’t do on the platform. But not for Atlassian! For them, a "managed" user means a user that belongs to a claimed domain, that's all! On the contrary, Atlassian guides our “managed” users away from the “premium” managed environment, and allows (and encourages!) them to subscribe for new products outside of the managed environment! This shadow IT is a major security hazard!
FYI, CLOUD-10325 has been updated yesterday (Oct 30):
"Hi everyone,
We have been closely monitoring this ticket and would like to take a moment to address your questions and provide the rationale for closing this ticket.
When we first launched product requests last year, we decided to package this feature as part of the enterprise plan based on our data-backed analysis, which included an analysis of market standards.
Following this decision, we kept this ticket open to continue to monitor feedback from our small-to-medium customers. The feedback you provided led us to further invest in an Atlassian Guard Standard (formerly Atlassian Access) feature called automatic product discovery.
In the last year, the team worked to release ‘add admin’ functionality, making the feature more actionable. Now, an admin can take over the discovered product and determine the appropriate next steps. We have a dedicated community post outlining this process here. Automatic product discovery is not limited to the enterprise plan and any customer of any size can purchase a subscription for Atlassian Guard Standard to gain access to this feature.
We will keep this ticket closed and appreciate your understanding, as well as your time to comment and interact here.
Griffin"
Did they not see the part where the burden of adding yourself as an admin, removing other members, and tediously requesting to terminate the add'l licenses/products is the problem?
I should certainly hope that admins would be notified when something that is a security issue is created. That is quite literally the bare minimum functionality they can provide.
Geeze.