This article has been created in close collaboration with @Paula Kraszewska whom I cannot avoid mentioning here for her very valuable contribution. Thank you!
Hi Atlassian Community!
Along this article, we are going to share with you many aspects around the management of user access to Jira projects and Confluence spaces on a big Atlassian Cloud instance.
As site administrators, we frequently find users requesting help because they want to grant access to multiple Jira projects and/or Confluence spaces, and that’s a time consuming task.
The task can get even worse when they want to restrict Edit Page permissions on multiple pages on a one per one basis!
Sometimes we are being directly suggested to use Atlassian User Groups in the hope that they can solve their access management needs, since only Site Admins can create groups or manage the users who belong to them.
Along this article we will elaborate on:
Several aspects of Atlassian User Groups
Our opinion on what constitutes an appropriate usage of groups in a big instance
Implications of using groups for project/space access management
What future improvements may come over time to improve project/space access management
How to minimize the workload of providing access to Jira projects and Confluence spaces
We hope this article is useful for less experienced site administrators and also receive feedback from more experienced ones.
Thank you in advance for your feedback and enjoy reading!
Let's quickly summarize what user groups can typically be used for:
Provisioning a Jira and/or Confluence license.
Granting several global permissions in Jira and/or Confluence.
Granting access to Jira projects and Confluence spaces.
Referencing them in JQL filters.
Points 1 and 2 are use cases that will always exist, since there are no alternative ways of setting them. The usage of groups for these use cases is mandatory and the only technical option and we think they work perfectly for these purposes. Nothing to change here!
However, points 3 and 4 are use cases which purpose can be technically fulfilled by any users, just by covering the need in a different way.
We think that Site Administrators of big instances should only be responsible for managing groups for purposes of points 1 and 2:
Provisioning a Jira and/or Confluence license.
Granting several global permissions in Jira and/or Confluence.
We are going to argue this opinion below.
There are multiple reasons why we think it may be suboptimal to use groups for granting access to Jira projects or Confluence spaces, and we are going to elaborate on that.
The first and most evident reason for Site Admins not to assume the task of adding users to projects or spaces is simple: Users can manage project and space access by themselves by adding individual users to them.
Users can be provided with Project Administrator permission so that they are able to grant access to Jira projects.
Similarly, users with Admin permission in a Confluence Space can grant other users access to that space.
Since users can have the ability to manage project and space access on their own, there is no need for creating a dependency on Site Admins availability, which would be a clear bottleneck.
If Site Admins were unavailable, project and space access would be blocked!
We can only remove this dependency by making users responsible for managing access to their own projects and spaces.
In our opinion, it wouldn’t be acceptable that new joiners had to wait for days or weeks to start working on Jira or Confluence just because any circumstances made no Site Admins available.
The ratio Users per Site Admin in a big instance is at least of several hundreds to one, if not thousands.
As a rule of thumb, a need that can be achieved by users should be delegated to them.
That’s because, by doing so, the workforce is multiplied by several hundreds of times.
Since Site Admins are usually also Jira and Confluence administrators, they have a lot of workload related to different things that cannot/should not be delegated to users.
Those are the kind of tasks in which we think they should invest their time and also in which they can add the most value.
Users are not able to see the list of users who belong to a group.
Unlike that, users can see the list of users that had been added to a project role or to space permissions.
The lack of transparency may cause serious issues with impact on budgets.
Since users lack the ability to see who belongs to a given group, they can’t detect if a given user still has access to their project and, therefore, they hardly ever request users to be offboarded, causing licenses that are no longer needed to be unproductively paid for several months.
As a side effect, the lack of transparency also ends up with users raising multiple duplicate requests of adding a user to a resource the user could already access, just in case, especially after detecting a different colleague could not access a given resource.
In our experience, using groups for project and space access management ends up being an extremely inefficient method.
While instances with both Jira and Confluence can insert the User List macro once per each group in one or multiple pages, this workaround is far from being a good enough solution, since groups with project access are checked on the People section of a Jira project while the list of users who belong to said groups need to be found in a specific Confluence page. This solution would only work for users who knew the list of group members needs to be checked in a given Confluence page, and even for those users, there would be ergonomy issues and extra effort to get to the information.
It is generally accepted to be a good practice to grant access by the principle of least privilege.
We think using groups for provisioning access to multiple Jira projects and Confluence spaces is kind-of the opposite to having the required granularity to comply with that principle.
Some of the benefits of applying this principle include:
Ease of finding content relevant to the user
Overall improvement of application performance
Better data protection
In the issue navigator (where users build their filters), being suggested just the custom fields*, labels and statuses that exist in the projects the user is able to access. This reduces the risk of committing errors.
*This only works if the custom field a) had its context narrowed, or b) had been hidden in the Field Configuration.
The categorization of users in groups, if managed centrally, is a task that is better approached by setting Active Directory together with an app that synced with it, possibly Atlassian Access.
However, we are sceptic about using Active Directory groups to provide access to resources like Jira projects or Confluence spaces, since all of those components evolve independently and in an unrelated way.
There is a risk of ending up using so generic and unspecific groups that belonging to one of them would provide access to too many unrelated projects and spaces, and possibly to many other unrelated resources in many other apps.
While it could make sense to use AD groups just for app license management, there would be a risk of penalizing agility of processes way too much. At least in the case of Atlassian apps, it is possible to automatically accept access from user accounts belonging to whitelisted domains, among other options.
In the context of a big enterprise, we think it makes no sense to centrally categorize users over and over again on a per app basis.
That said, we reckon it is better to use a distributed (not-centralized) user management process on a per resource basis.
In that regard, besides the current possibility of individually adding users to Jira project roles and to Confluence space permissions, we think the future may bring the ability of adding user-managed teams for distributed user access management, as we will see in the section A look into the future.
The process of offboarding users from Jira and Confluence may be extremely inefficient.
In our experience, the vast majority of inactive users are detected by manually downloading a CSV of users, detecting users who have not logged in during the last three months or so, copy+pasting each of those user accounts to Atlassian User Management and manually deactivating them on a one per one basis.
As a side note, it might be viable to develop a script for deactivating unused accounts, but so far we have found no REST API methods for returning the last time a user logged in to Jira or Confluence. Any ideas?
In our experience, we rarely deactivate inactive users as the result of a explicit request for offboarding the user. And even when we receive one of such requests, sometimes it ended up deactivating a user that needed to continue working on a different project.
We think explicit offboarding requests are so relatively infrequent because of users being unable to see the list of users who belong to a group, as previously mentioned in the Transparency section.
But the most important thing about all of this is: During the time that needs to elapse in order to be able to detect inactive accounts, licenses are being paid with no real need for doing so.
If users were individually added just to the projects and spaces they really need to access, that would open the possibility of fixing several important problems regarding inactive users:
There would be no need for explicitly requesting the removal of a user from a specific project/space. Any user with admin access could remove the user directly.
A programmatic solution could check for users not being present in any Jira project roles or Confluence Space Permissions and automatically remove their Jira/Confluence license. We think a solution like this wouldn't be effectively possible if that access were being granted through groups.
We think a not too far future will bring new things to make it easier to manage project and space access.
Atlassian has developed a relatively new feature for users to be able to manage Atlassian teams.
The potential to use teams in project roles and space permissions would revolutionize project and space access management, making it an easier and more user-friendly task.
Some time ago, we published an idea about a new feature to better integrate permissions between a Jira project and its linked Confluence space.
This feature would reduce the administrative workload of dealing with project and space access.
This would be a minor improvement compared to the potential of adding the new Atlassian Teams to project roles, space permissions and page restrictions.
Although using groups for resource access management is possible, we think it is clearly outperformed by letting the end users manage access to their individual resources.
For the sake of brevity, we have created a new article with the section How to minimize the workload of providing access to Jira projects and Confluence spaces.
We would love to hear your feedback on this subject!
What are your thoughts? How are you dealing with access management? Are you maybe using a smart solution you want to share?
Thanks for reading and thank you in advance for your feedback!
Ignacio Pulgar
Atlassian Certified Jira Admin
Vorwerk
Madrid (Spain)
177 accepted answers
11 comments