Occasionally we get attackers sending team member access requests.
How do we disable the mechanism for requesting access? I want to ensure that no user accidentally approves a request from a look-alike phishing domain or similar. We only want to add employee access manually.
I know that each admin can turn off notifications individually, but we don't want another thing to audit. This also doesn't appear to help with eg., the Slack integration.
@Brian McGroarty There is nothing in the documentation (https://support.atlassian.com/user-management/docs/approve-or-deny-product-access-requests/) or that I could find that allows you to turn off access requests. I would suggest contacting support and see if it is something they could possibly do for you. https://support.atlassian.com/contact/ I will also escalate it here.
This is a great question and if you're unsure where to look it can rather difficult to figure out how to manage this. Luckily, we have some documentation to cover that ask here. You're most likely going to want to review the following which will show you how to manage your domain and your access request notifications (there is a lot that might need to be done within this article, so please ensure you review all of the detailed steps)
Please let us know if the above documents help clarify how to manage your domain and thus your notification settings to prevent these unwanted requests.
We're already configured with our own domain as the only entry under "Approved domains" and "Access Requests" is configured as "New users can't request access."
Even with these settings, we get periodic requests similar to the below for StatusPage. I suspect StatusPage isn't honoring this setting, unlike the other Atlassian products:
We received a request from (redacted)@gmail.com to help manage your status page, and creating an account for them is just a click away.
Click here to add this person to your team.
If you do not know who this person is, please ignore this email.
I did some further investigating of your issue and did find your statuspage does have an inactive page which allows anyone to click a link to request access, see screenshot:
I'll go ahead and submit a support request on your behalf (We'll need confirmation to remove the inactive site/URL), I'll include your site's main contact as well for approval.
You should be getting an email from support shortly.