Latest information We have recently publish a blog providing information for the upcoming SSO for Portal-only Customer Accounts feature. Please have a look and leave a comment with your thoughts Upcoming SSO capabilities for external customers in Jira Service Management |
Customers are the heart of any company. In JSM, your customers experience is critical to the success of your service desk. This makes an effective Customer Management Strategy paramount for every admin. Each company is different, and have different customers. As such, it is important that you select the right Customer Management Strategy to meet your needs.
At the core of your strategy is understanding who your customer will be
Internal Customers: Typically employees of your company. Where a service is openly provided by one or more teams to the members of your company.
External Customers: Users who are outside of your company. Often a subset of the general public. Where your company provides a service to external individuals/groups maybe known as clients or customers.
Hybrid Customers: A combination of both internal and external. Where some teams service members of your company, while others service those outside your company.
Different customer types require different approaches to sign-up, access, and permissions. It is also valuable to understand how Atlassian Product Users are managed and provisioned. Atlassian Access although most commonly know for managing licensed users, is a value utility for Internal Customer Management, and lets you extend SSO capabilities to those users.
Throughout this article we will explore the best practise for each strategy. We will identify what is possible today, and where new features are coming that will improve the experience.
Atlassian Accounts |
Portal-only Customer Accounts |
---|---|
✅ Same account can be used for collaboration across multiple Atlassian product. ✅ Users can sign-in using business accounts (e.g. Google, Microsoft, Slack, Apple). ✅ Able to be added to groups for managing permissions. ✅ Password policy can be applied. ✅ Single login for all Atlassian products and sites. ✅ Advanced user management and metrics (with Access) ❌ Limited to the maximum organisation user base size (currently 75,000*). |
✅ White-labelled sign-in experience. ✅ Unlimited. ✅ Unique to each JSM site. ❌ Cannot be reused across multiple sites. ❌ Unable to be added to groups. Can only be manually added to Organisations. ❌ Email and password is the only method of authentication. |
* If this presents a problem for your organisation, please contact your Account Manager to discuss alternatives.
This strategy is for organisations where all customers are employees, contractors, or stakeholders of a central company. External customers will never be invited into any aspect of the help centre. It is common for customers too also be users of JSM or other Atlassian products.
Common examples: ITSM Teams, HR Teams, Legal Teams, Finance Teams
Front of mind: Frictionless access, Security, Sign Sign-On, Cost effective
For this strategy we recommend using Internal Customer Accounts (also referred to as Atlassian Accounts). Using Atlassian Access is not required, but will provide the best experience.
Customers configured in this way with no product licenses will not incur any cost through any product (including Atlassian Access).
Step |
Internal Customers (with Access) |
Internal Customers (without Access) |
|
---|---|---|---|
Provisioning Customers |
With your IDP connected you can choose which groups will be automatically synchronised as Internal Customer Accounts (also referred to as Atlassian Accounts). |
Using a domain based allow list for Jira/Confluence product access you can automatically approve sign-up for Internal Customers.
|
|
Securing your help centre |
Portal sign-up should be disabled. |
Portal sign-up needs to be enabled. We recommend not allowing anonymous portal access.
|
|
Controlling product access |
Users synchronised via Atlassian Access will be given your default product access. Consider which product licenses are granted by default to avoid unwanted cost. It is recommended to provide no product access by default, then to utilise groups for granting specific product access. |
Internal Customers created via the Help Centre will be given default product access. Consider which product licenses are granted by default to avoid unwanted cost.
|
|
Managing permissions |
Service desks should be accessible to Anyone with an account on the site, except those service desks that need to be private.
|
Service desks should be accessible to Anyone with an account on the site, except those service desks that need to be private. |
This strategy is for organisations where all customers are external to the central company. Customers can be could be clients, end users, prospective clients. There are no internal business company interactions. It is common for the help centre to be publicly accessible.
Common examples: Customer Support Teams, Sales Teams
Front of mind: Seamless access, Flexibility, Brand, Email enabled
For this strategy we recommend using External Customer Accounts (also referred to as Portal-only Customer Accounts). Atlassian Access currently doesn't manage External Customer Accounts, but can be used to provision and manage your Agents. External Customer Accounts are always free and unlimited.
Step |
External Customers |
|
---|---|---|
Provisioning Customers |
A combination of self sign-up and Agent account creation is recommended.
|
|
Securing your help centre |
The recommended setting for most External Service Desks is Allow customers to create accounts. Depending on your customer base there are varying degrees of restriction which can be applied, from allowing access without requiring login to allowing access only by users with a pre-created account.
|
|
Controlling product access |
External Customers Accounts can never be granted product access. They can only access your Help Center. |
|
Managing permissions |
Typically External Service Desks will be accessible to Anyone on the web. Where restriction is required, we recommend using Organisations for group customers and using those Organisations to grant access.
|
This strategy is for organisations where both Internal and External Customers exist together. Customers will often live in two independent directories. It is common for Internal Service Desks to react to requests raised in External Service Desks.
Common examples: Admissions Teams, Recruitment Teams, Product Teams
Front of mind: Security, Delineation
For this strategy you must use both Internal and External Customer Accounts. Atlassian Access is not required, but will drastically simplify your management of Internal Customers Accounts. Strict permissions and tight group/organisation membership are critical to success.
Step |
Internal Customers |
External Customers |
|||
---|---|---|---|---|---|
Provisioning Customers |
Atlassian Access is the recommended approach for provisioning Internal Customers, but it is possible for Administrators to manually provision these customers, or utilising Domain based sign-up via other Atlassian products. The Internal Customer Accounts can be synchronised from a connected IDP based on group.
|
External Customer do not utilise Atlassian Access and should rely on a combination of self sign-up and Agent account creation. |
|||
Securing your help centre |
For most hybrid Service Desks it will be necessary to Allow customers to create accounts. Pre-provisioned Internal Customer Accounts will avoid sign-up conflicts.
|
External Customers need to be able to sign-up or email into the help centre. The only exception here is if External Customers will be manually provisioned by Agents.
|
|||
Controlling product access |
Users synchronised via Atlassian Access will be given your default product access. Consider which product licenses are granted by default to avoid unwanted cost. It is recommended to provide no product access by default, then to utilise groups for granting specific product access. |
External Customers Accounts can never be granted product access. They can only access your Help Center. |
|||
Managing permissions |
Service Desks that are intended for Internal Customers should be restricted to Customers added by agents and admins. Using groups is the most effective method for managing these permission, and can be done via the Project Admin > People menu in Classic projects. |
To ensure new External Customers can open requests, at least one Service Desk will need to be accessible to Anyone on the web. The exception here is when all External Customers are manually provisioned and individual permissions are set. Service Desks can be allowed to a subset of External Customers based on manual Organisation memberships (this is good for differentiating service levels, paid customers, and/or customer groups).
|
Multiple Customer Account Conflict Internal Customers visiting the help centre for the first time will incorrectly generate an External Customer account if an account has not previously been provisioned for them. If in future they create an Internal Customer account they will no longer be able to access the original External Customer account. |
Our goal is to provide a comprehensive solution for managing customers in all business types.
This means…
Creating a secure and seamless sign-in experience for internal service organisations.
Avoiding the burden of double sign-in for external service organisations whose customers already have an identity
Allowing the synchronisation of multiple user directories, and being able to effectively differentiate between internal and external customers
In the above best practise we have highlighted some gaps we have committed to address. Below we will provide more details about these features and a loose timeline for their completion. Our intention is to drive a broader conversation on these topics in a Community Group.
Released - March 2022 - Learn more
As highlighted in the best practise, Internal Customers are best served with Atlassian Accounts. It is difficult for organisations without Atlassian Access to enforce this approach.
This feature will provide the ability to create Atlassian Accounts via self sign-up for customers based on their email domain. This is similar, and utilises the same mechanism that Jira Software and Confluence do today.
Once enabled, domains added to Domain Enabled Sign-up for your Site/Organisation will automatically generate Internal Customer Accounts (also referred to as Atlassian Accounts) for users with a matched email domain.
Released - May 2022 - Learn more
To compliment businesses that work with a specific groups and/or companies, we are providing a way to restrict self sign-up for External Customer Accounts (also referred to as Portal-only Customer Accounts) to a specified list of email domains.
This helps in the scenario where let’s say your organisation only provide support to paid customers. Your customers are typically an organisation (e.g. we have a contract with acme.org). In this scenario each customers will be an unknown individual in a known company. By restricting self sign-up to anyone at acme.org you protect your help centre, while remaining flexible for your customers.
Released - May 2022 - Learn more
When using Jira Service Management purely for servicing Internal Customers, the ability for Project Admin and Agents to create External Customer accounts for users outside of the organisation can pose a security concern. This feature allows organisations to disable the creation of External Customer Accounts (also referred to as Portal-only Customer Accounts) when they are not required.
Released - March 2023 - Learn more
Today any users added to your Atlassian Organisations user base is an Internal Customer in each of your JSM Site automatically. For large organisations this provides limited control.
A user role dedicated to granting help centre access for Internal Customers will allow Administrators to choose who should have no, customer, or agent access to each JSM site.
Soon - June 2023 - https://jira.atlassian.com/browse/JSDCLOUD-4519
Organisations (not to be confused with your Atlassian Organisation) is the grouping method for External Customers. Organisations can be used for permissions and sharing for External Customer Accounts (also referred to as Portal-only Customer Accounts). Manually adding customers to Organisations is the only method available today.
This feature will allow Admins/Agents to define email domains which will be automatically sorted into Organisation. That is, when a customer signs up, if their email domain is matched by an Organisation, they will automatically be added to the Organisation.
This will make it easier for controlling access to individual service desks.
Soon - December 2023 - https://jira.atlassian.com/browse/JSDCLOUD-4867
In Classic project groups can be used to grant Internal Customer access to Service Desks via the Project admin > People page. This is not possible in Next-gen projects. Our goal is to bring this ability to the Customers page and make it available for all project types.
Beyond this, we want to make it possible to share ticket between customer in a group, the way that is possible with organisations today.
This includes extending these capability to include Teams.
Released - August 2023 - Learn more
Currently SAML/SSO via Atlassian Access is only available for Internal Customers Accounts (also referred to as Atlassian Accounts). This feature seeks to extend this capability to External Customer Accounts (also referred to as Portal-only Customer Accounts).
The goal here is to allow Identity Provider (IDP) configurations in Atlassian Access the ability to delegate groups to External Customer Accounts, then associated those groups of customers to Jira Service Management sites.
The ultimate here is to allow organisations to seamlessly authenticate their customers using their own user directories.
Benjamin Paton
Group Product Manager, Jira Service Management
14 accepted answers
48 comments