Introduction
Back in 2018, Atlassian introduced Atlassian Access for their cloud products. This blog gives you insight into what Atlassian Access is used for, how to implement it, and tries to summarise all the pitfalls, which are not available on the Atlassian website. Why now, I hear you ask? Well, the Atlassian Cloud is nowadays far more used than back in 2018.
Customers are also much more demanding in terms of security. The Atlassian ecosystem has shifted its focus heavily on cloud-only therefore things like user- and license control have become much more a point of attention for organizations.
Atlassian access is also the only product to facilitate access control, integrated with your Identity Provider (IdP), for Atlassian products.
What is Atlassian Access?
Atlassian Access manages organisations, with the starting point at admin.atlassian.com. An Atlassian organisation is a layer which gathers all the products you subscribed for together. All the billing items can be managed here. Atlassian Access centralises user management from the (email) domain(s) you control. It also can connect to your own identity provider and adds some security features.
Why would you want or need Atlassian Access?
Our customers typically acquire Atlassian Access to integrate their IdP (Identity Provider, example: Azure AD) with their Atlassian Cloud products. It can be used to manage your users and security at one place outside the Atlassian cloud. It is also more user friendly by providing a Single Sign On (SSO) experience for your users.
Many organizations also require their cloud products to adhere to their local security requirements. Think of password complexity, renewals, logging, and 2 Factor Authentication (2FA).
Atlassian Access billing
Each billing cycle (monthly or annually), you are only charged for the number of unique users provisioned to a product supported by Atlassian Access regardless of how many products any one person is using. For example, if someone has access to Jira Software, Confluence, and Bitbucket, you’ll only pay once each billing cycle.
For Jira Service Management, you are only charged for the unique agents licensed on the product. Users who only create requests via the Jira Service Management portal aren’t licensed, so you will not be charged for them.
Atlassian Access explained
In general, Atlassian Access offers the following features for the domains that can be claimed:
- Centralized account management in Access or by the chosen IdP
- Single Sign-On (either by the IdP or by Access)
- (de)Provisioning user accounts
- Setting specific password policies
- Two-step authentication (2FA)
- Session cookies
- Audit log and Insight into site access
Now let’s go into more details on the mentioned items.
Centralized account management
If you or anyone in your organization uses any of the Atlassian cloud products (Trello, Jira, or Confluence), they’ll need an account to gain access. This will be an Atlassian account. The user itself has the ability and responsibility to maintain all the details of their account. Name(s), email address, and password. With Atlassian Access, account management is centralized for the organization’s admins.
Single Sign-On
With Atlassian Access, it is possible to connect to your identity provider in order to provide Single Sign-On (SSO) or use Atlassian’s SSO. At the moment the user browses to the Atlassian Cloud, the first thing which will be asked is the email address. If the email address is coming from the email domain where SSO is configured, the user will be redirected to the organization’s identity provider. If the user already provided the credentials before, the user will automatically be redirected to the Atlassian Cloud again and can start working.
Note: this doesn’t work for external users with an email domain outside your organisation, also known as “guest accounts”. They have their own security policies which you do not control. The solution is to create a company account for the external users with the email domain you do control.
(de)Provisioning user accounts
User management usually costs a lot of effort. By aligning user (de)provisioning with your IdP, a lot of this can be automated and centralised. Based on for instance an Active directory group, a user can be granted access to Jira and/or Confluence. Ideally using Identity Access Management (IAM) to dynamically manage groups.
If a user leaves the company, the user can be de-provisioned automatically if the user is disabled or deleted in the company centralised user directory.
Audit Log and Insight in site access
After the accounts are under your control, Atlassian Access gives you insight into what Atlassian cloud sites the users have access to. What you see often is that some users just open new sites and start using them with a team. This gives you the opportunity to start the conversation to consolidate everything, which potentially saves license fees.
The second feature is the Audit Log to monitor access to your site. It allows for several filter parameters, such as (but not limited): user, date, activity. The results can be exported for further analysis.
Best practices
Before you begin, it is very important that all of your users use the correct business email address. If there is a mismatch, a second account for the user will be created. All the historic data is registered on the first account and all future data is on the second account. This can (and probably) will result in unwanted behaviour. This can be the case where organizations use multiple e-mail alias’ for single user objects. Example: where user_x@tmc.nl / users.x@tmc.nl points to the same user. Contact your IdP administrator in your IT organization to resolve these details.
Conclusion
Atlassian Access adds some nice (security) features to the Atlassian Cloud. It makes the life of the administrators easier. Atlassian Access is free for Community and Academic customers, else it costs 4 dollars per user per month for the first 250 users. If you chose to pay annually through an Atlassian partner, the license fees will be less.
Need help?
If you still have any questions regarding Atlassian Access – or any other – Atlassian topic? The certified experts of TMC ALM are happy to help you with all of your questions, requests, or remarks. Feel free to reach out to us via our contact page to start the conversation.