Customer Was Given Access

@Clare Lawson 

To investigate how an external customer gained access to your Jira instance, follow these steps:

Check user invitation history in User Management.
Review project and group permissions.
Examine application access settings.
Look at the audit log under System > Audit Log.

To prevent unauthorized access in the future:

Regularly update user access permissions and group memberships.
Enable two-factor authentication (2FA).
Restrict access to specific IP addresses, if possible.

Hi Clare,

Reason:

1. users can invite the external users through project level like when you are assign the issue, in that place you will get invite user option based on that user can invite the external user.

2. invite the user into the project level using people invite in the left bar.

3. Invite teammate or sharing the issue.

Solution:

As per my understanding, you want to restrict the users cannot invite the customers into the Jira. For that i have a solution to restrict the user invites.

1. Go to  - user management

2. Click on products 

3. In the Products - user access settings

4. Navigate to user invites

5. In that we have two columns like product and existing user permissions

6. suppose Jira software is the product then choose -- "don't allow invites" in existing user permissions. so that anyone cannot invite the users to the product. 

7. this option is not available in your setup then reach out to support and enabled by them and that option is free of cost.

Hope you got the exact solution.

Thank you

It depends which kind of product licence you have, if you have  just basic jira SW, then the audit log you can find in jira in the settings menu systems (there depends on your settings you can either see the user who gave the access or just user = jira - 3 months back in the basic).

You also may have settings of the domain open without admin approval - atlassian admin -> products -> user access settings - any domain...

On the upper right hand corner go to the settings then if you have elevated admin access you can see who added when and if the user's activity...Hope that helps! 

Atlassian in their wisdom introduced in their opinion a wonderful way for user set up. 

This has allowed users from anywhere to set up accounts unless you have updated your settings from the default they set.  

I have had several conversations about this with Atlassian as we do not allow as have a process and our security were not happy. 

They still introduced it as do not care. 

Please check here for the settings that should help you lockdown as much as you can https://community.atlassian.com/t5/Atlassian-Access-articles/User-management-for-cloud-admins-just-got-easier/ba-p/1576592

Hello! Depending on your instance settings, you could search through the audit log to see if it happened somewhere in the last 3-6 months. You would be able to see the date when the user was given access and who provisioned the access to that user. 

Did you check the audit logs to see if someone added this user to the instance? Go to Administration, Security -> Audit logs.