atlassian-admin

Original source / Raw SKILL.md

---
name: "atlassian-admin"
description: Atlassian Administrator for managing and organizing Atlassian products (Jira, Confluence, Bitbucket, Trello), users, permissions, security, integrations, system configuration, and org-wide governance. Use when asked to add users to Jira, change Confluence permissions, configure access control, update admin settings, manage Atlassian groups, set up SSO, install marketplace apps, review security policies, or handle any org-wide Atlassian administration task.
---

# Atlassian Administrator Expert

## Workflows

### User Provisioning
1. Create user account: `admin.atlassian.com > User management > Invite users`
   - REST API: `POST /rest/api/3/user` with `{"emailAddress": "...", "displayName": "...","products": [...]}`
2. Add to appropriate groups: `admin.atlassian.com > User management > Groups > [group] > Add members`
3. Assign product access (Jira, Confluence) via `admin.atlassian.com > Products > [product] > Access`
4. Configure default permissions per group scheme
5. Send welcome email with onboarding info
6. **NOTIFY**: Relevant team leads of new member
7. **VERIFY**: Confirm user appears active at `admin.atlassian.com/o/{orgId}/users` and can log in

### User Deprovisioning
1. **CRITICAL**: Audit user's owned content and tickets
   - Jira: `GET /rest/api/3/search?jql=assignee={accountId}` to find open issues
   - Confluence: `GET /wiki/rest/api/user/{accountId}/property` to find owned spaces/pages
2. Reassign ownership of:
   - Jira projects: `Project settings > People > Change lead`
   - Confluence spaces: `Space settings > Overview > Edit space details`
   - Open issues: bulk reassign via `Jira > Issues > Bulk change`
   - Filters and dashboards: transfer via `User management > [user] > Managed content`
3. Remove from all groups: `admin.atlassian.com > User management > [user] > Groups`
4. Revoke product access
5. Deactivate account: `admin.atlassian.com > User management > [user] > Deactivate`
   - REST API: `DELETE /rest/api/3/user?accountId={accountId}`
6. **VERIFY**: Confirm `GET /rest/api/3/user?accountId={accountId}` returns `"active": false`
7. Document deprovisioning in audit log
8. **USE**: Jira Expert to reassign any remaining issues

### Group Management
1. Create groups: `admin.atlassian.com > User management > Groups > Create group`
   - REST API: `POST /rest/api/3/group` with `{"name": "..."}`
   - Structure by: Teams (engineering, product, sales), Roles (admins, users, viewers), Projects (project-alpha-team)
2. Define group purpose and membership criteria (document in Confluence)
3. Assign default permissions per group
4. Add users to appropriate groups
5. **VERIFY**: Confirm group members via `GET /rest/api/3/group/member?groupName={name}`
6. Regular review and cleanup (quarterly)
7. **USE**: Confluence Expert to document group structure

### Permission Scheme Design
**Jira Permission Schemes** (`Jira Settings > Issues > Permission Schemes`):
- **Public Project**: All users can view, members can edit
- **Team Project**: Team members full access, stakeholders view
- **Restricted Project**: Named individuals only
- **Admin Project**: Admins only

**Confluence Permission Schemes** (`Confluence Admin > Space permissions`):
- **Public Space**: All users view, space members edit
- **Team Space**: Team-specific access
- **Personal Space**: Individual user only
- **Restricted Space**: Named individuals and groups

**Best Practices**:
- Use groups, not individual permissions
- Principle of least privilege
- Regular permission audits
- Document permission rationale

### SSO Configuration
1. Choose identity provider (Okta, Azure AD, Google)
2. Configure SAML settings: `admin.atlassian.com > Security > SAML single sign-on > Add SAML configuration`
   - Set Entity ID, ACS URL, and X.509 certificate from IdP
3. Test SSO with admin account (keep password login active during test)
4. Test with regular user account
5. Enable SSO for organization
6. Enforce SSO: `admin.atlassian.com > Security > Authentication policies > Enforce SSO`
7. Configure SCIM for auto-provisioning: `admin.atlassian.com > User provisioning > [IdP] > Enable SCIM`
8. **VERIFY**: Confirm SSO flow succeeds and audit logs show `saml.login.success` events
9. Monitor SSO logs: `admin.atlassian.com > Security > Audit log > filter: SSO`

### Marketplace App Management
1. Evaluate app need and security: check vendor's security self-assessment at `marketplace.atlassian.com`
2. Review vendor security documentation (penetration test reports, SOC 2)
3. Test app in sandbox environment
4. Purchase or request trial: `admin.atlassian.com > Billing > Manage subscriptions`
5. Install app: `admin.atlassian.com > Products > [product] > Apps > Find new apps`
6. Configure app settings per vendor documentation
7. Train users on app usage
8. **VERIFY**: Confirm app appears in `GET /rest/plugins/1.0/` and health check passes
9. Monitor app performance and usage; review annually for continued need

### System Performance Optimization
**Jira** (`Jira Settings > System`):
- Archive old projects: `Project settings > Archive project`
- Reindex: `Jira Settings > System > Indexing > Full re-index`
- Clean up unused workflows and schemes: `Jira Settings > Issues > Workflows`
- Monitor queue/thread counts: `Jira Settings > System > System info`

**Confluence** (`Confluence Admin > Configuration`):
- Archive inactive spaces: `Space tools > Overview > Archive space`
- Remove orphaned pages: `Confluence Admin > Orphaned pages`
- Monitor index and cache: `Confluence Admin > Cache management`

**Monitoring Cadence**:
- Daily health checks: `admin.atlassian.com > Products > [product] > Health`
- Weekly performance reports
- Monthly capacity planning
- Quarterly optimization reviews

### Integration Setup
**Common Integrations**:
- **Slack**: `Jira Settings > Apps > Slack integration` — notifications for Jira and Confluence
- **GitHub/Bitbucket**: `Jira Settings > Apps > DVCS accounts` — link commits to issues
- **Microsoft Teams**: `admin.atlassian.com > Apps > Microsoft Teams`
- **Zoom**: Available via Marketplace app `zoom-for-jira`
- **Salesforce**: Via Marketplace app `salesforce-connector`

**Configuration Steps**:
1. Review integration requirements and OAuth scopes needed
2. Configure OAuth or API authentication (store tokens in secure vault, not plain text)
3. Map fields and data flows
4. Test integration thoroughly with sample data
5. Document configuration in Confluence runbook
6. Train users on integration features
7. **VERIFY**: Confirm webhook delivery via `Jira Settings > System > WebHooks > [webhook] > Test`
8. Monitor integration health via app-specific dashboards

## Global Configuration

### Jira Global Settings (`Jira Settings > Issues`)
**Issue Types**: Create and manage org-wide issue types; define issue type schemes; standardize across projects
**Workflows**: Create global workflow templates via `Workflows > Add workflow`; manage workflow schemes
**Custom Fields**: Create org-wide custom fields at `Custom fields > Add custom field`; manage field configurations and context
**Notification Schemes**: Configure default notification rules; create custom notification schemes; manage email templates

### Confluence Global Settings (`Confluence Admin`)
**Blueprints & Templates**: Create org-wide templates at `Configuration > Global Templates and Blueprints`; manage blueprint availability
**Themes & Appearance**: Configure org branding at `Configuration > Themes`; customize logos and colors
**Macros**: Enable/disable macros at `Configuration > Macro usage`; configure macro permissions

### Security Settings (`admin.atlassian.com > Security`)
**Authentication**:
- Password policies: `Security > Authentication policies > Edit`
- Session timeout: `Security > Session duration`
- API token management: `Security > API token controls`

**Data Residency**: Configure data location at `admin.atlassian.com > Data residency > Pin products`

**Audit Logs**: `admin.atlassian.com > Security > Audit log`
- Enable comprehensive logging; export via `GET /admin/v1/orgs/{orgId}/audit-log`
- Retain per policy (minimum 7 years for SOC 2/GDPR compliance)

## Governance & Policies

### Access Governance
- Quarterly review of all user access: `admin.atlassian.com > User management > Export users`
- Verify user roles and permissions; remove inactive users
- Limit org admins to 2–3 individuals; audit admin actions monthly
- Require MFA for all admins: `Security > Authentication policies > Require 2FA`

### Naming Conventions
**Jira**: Project keys 3–4 uppercase letters (PROJ, WEB); issue types Title Case; custom fields prefixed (CF: Story Points)
**Confluence**: Spaces use Team/Project prefix (TEAM: Engineering); pages descriptive and consistent; labels lowercase, hyphen-separated

### Change Management
**Major Changes**: Announce 2 weeks in advance; test in sandbox; create rollback plan; execute during off-peak; post-implementation review
**Minor Changes**: Announce 48 hours in advance; document in change log; monitor for issues

## Disaster Recovery

### Backup Strategy
**Jira & Confluence**: Daily automated backups; weekly manual verification; 30-day retention; offsite storage
- Trigger manual backup: `Jira Settings > System > Backup system` / `Confluence Admin > Backup and Restore`

**Recovery Testing**: Quarterly recovery drills; document procedures; measure RTO and RPO

### Incident Response
**Severity Levels**:
- **P1 (Critical)**: System down — respond in 15 min
- **P2 (High)**: Major feature broken — respond in 1 hour
- **P3 (Medium)**: Minor issue — respond in 4 hours
- **P4 (Low)**: Enhancement — respond in 24 hours

**Response Steps**:
1. Acknowledge and log incident
2. Assess impact and severity
3. Communicate status to stakeholders
4. Investigate root cause (check `admin.atlassian.com > Products > [product] > Health` and Atlassian Status Page)
5. Implement fix
6. **VERIFY**: Confirm resolution via affected user test and health check
7. Post-mortem and lessons learned

## Metrics & Reporting

**System Health**: Active users (daily/weekly/monthly), storage utilization, API rate limits, integration health, response times
- Export via: `GET /admin/v1/orgs/{orgId}/users` for user counts; product-specific analytics dashboards

**Usage Analytics**: Most active projects/spaces, content creation trends, user engagement, search patterns
**Compliance Metrics**: User access review completion, security audit findings, failed login attempts, API token usage

## Decision Framework & Handoff Protocols

**Escalate to Atlassian Support**: System outage, performance degradation org-wide, data loss/corruption, license/billing issues, complex migrations

**Delegate to Product Experts**:
- Jira Expert: Project-specific configuration
- Confluence Expert: Space-specific settings
- Scrum Master: Team workflow needs
- Senior PM: Strategic planning input

**Involve Security Team**: Security incidents, unusual access patterns, compliance audit preparation, new integration security review

**TO Jira Expert**: New global workflows, custom fields, permission schemes, or automation capabilities available
**TO Confluence Expert**: New global templates, space permission schemes, blueprints, or macros configured
**TO Senior PM**: Usage analytics, capacity planning insights, cost optimization, security compliance status
**TO Scrum Master**: Team access provisioned, board configuration options, automation rules, integrations enabled
**FROM All Roles**: User access requests, permission changes, app installation requests, configuration support, incident reports

## Atlassian MCP Integration

**Primary Tools**: Jira MCP, Confluence MCP

**Admin Operations**:
- User and group management via API
- Bulk permission updates
- Configuration audits
- Usage reporting
- System health monitoring
- Automated compliance checks

**Integration Points**:
- Support all roles with admin capabilities
- Enable Jira Expert with global configurations
- Provide Confluence Expert with template management
- Ensure Senior PM has visibility into org health
- Enable Scrum Master with team provisioning


---

## Skill Companion Files

> Additional files collected from the skill directory layout.

### assets/permission_scheme_template.json

```json
{
  "permissionScheme": {
    "name": "Standard Project Permission Scheme",
    "description": "Default permission scheme for standard projects. Assigns permissions based on project roles.",
    "version": "1.0",
    "lastUpdated": "YYYY-MM-DD",
    "owner": "IT Admin Team"
  },
  "roles": {
    "projectAdmin": {
      "description": "Full project administration including configuration and user management",
      "typicalGroups": ["project-leads", "engineering-managers"]
    },
    "developer": {
      "description": "Create and manage issues, transitions, and attachments",
      "typicalGroups": ["dept-engineering", "dept-product"]
    },
    "user": {
      "description": "View issues, add comments, and create basic issues",
      "typicalGroups": ["org-all-employees"]
    },
    "viewer": {
      "description": "Read-only access to project issues and boards",
      "typicalGroups": ["stakeholders", "external-contractors"]
    }
  },
  "permissions": {
    "project": {
      "ADMINISTER_PROJECTS": {
        "description": "Manage project settings, roles, and permissions",
        "grantedTo": ["projectAdmin"]
      },
      "BROWSE_PROJECTS": {
        "description": "View the project and its issues",
        "grantedTo": ["projectAdmin", "developer", "user", "viewer"]
      },
      "VIEW_DEV_TOOLS": {
        "description": "View development panel (commits, branches, PRs)",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "VIEW_READONLY_WORKFLOW": {
        "description": "View read-only workflow",
        "grantedTo": ["projectAdmin", "developer", "user", "viewer"]
      }
    },
    "issues": {
      "CREATE_ISSUES": {
        "description": "Create new issues in the project",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "EDIT_ISSUES": {
        "description": "Edit issue fields",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "DELETE_ISSUES": {
        "description": "Delete issues permanently",
        "grantedTo": ["projectAdmin"]
      },
      "ASSIGN_ISSUES": {
        "description": "Assign issues to team members",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "ASSIGNABLE_USER": {
        "description": "Be assigned to issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "CLOSE_ISSUES": {
        "description": "Close/resolve issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "RESOLVE_ISSUES": {
        "description": "Set issue resolution",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "TRANSITION_ISSUES": {
        "description": "Transition issues through workflow",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "LINK_ISSUES": {
        "description": "Create and remove issue links",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "MOVE_ISSUES": {
        "description": "Move issues between projects",
        "grantedTo": ["projectAdmin"]
      },
      "SCHEDULE_ISSUES": {
        "description": "Set due dates on issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "SET_ISSUE_SECURITY": {
        "description": "Set security level on issues",
        "grantedTo": ["projectAdmin"]
      }
    },
    "comments": {
      "ADD_COMMENTS": {
        "description": "Add comments to issues",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "EDIT_ALL_COMMENTS": {
        "description": "Edit any comment",
        "grantedTo": ["projectAdmin"]
      },
      "EDIT_OWN_COMMENTS": {
        "description": "Edit own comments",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "DELETE_ALL_COMMENTS": {
        "description": "Delete any comment",
        "grantedTo": ["projectAdmin"]
      },
      "DELETE_OWN_COMMENTS": {
        "description": "Delete own comments",
        "grantedTo": ["projectAdmin", "developer", "user"]
      }
    },
    "attachments": {
      "CREATE_ATTACHMENTS": {
        "description": "Attach files to issues",
        "grantedTo": ["projectAdmin", "developer", "user"]
      },
      "DELETE_ALL_ATTACHMENTS": {
        "description": "Delete any attachment",
        "grantedTo": ["projectAdmin"]
      },
      "DELETE_OWN_ATTACHMENTS": {
        "description": "Delete own attachments",
        "grantedTo": ["projectAdmin", "developer", "user"]
      }
    },
    "worklogs": {
      "WORK_ON_ISSUES": {
        "description": "Log work on issues",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "EDIT_ALL_WORKLOGS": {
        "description": "Edit any worklog",
        "grantedTo": ["projectAdmin"]
      },
      "EDIT_OWN_WORKLOGS": {
        "description": "Edit own worklogs",
        "grantedTo": ["projectAdmin", "developer"]
      },
      "DELETE_ALL_WORKLOGS": {
        "description": "Delete any worklog",
        "grantedTo": ["projectAdmin"]
      },
      "DELETE_OWN_WORKLOGS": {
        "description": "Delete own worklogs",
        "grantedTo": ["projectAdmin", "developer"]
      }
    }
  },
  "projectMappings": [
    {
      "projectKey": "EXAMPLE",
      "projectName": "Example Project",
      "scheme": "Standard Project Permission Scheme",
      "roleAssignments": {
        "projectAdmin": ["project-leads"],
        "developer": ["team-example-devs"],
        "user": ["org-all-employees"],
        "viewer": ["stakeholders-example"]
      }
    }
  ],
  "notes": {
    "usage": "Copy this template and customize role assignments per project. Use group names that match your Atlassian groups.",
    "review": "Review permission scheme assignments quarterly as part of access review.",
    "changes": "Any changes to permission schemes should be documented and approved by IT Admin."
  }
}

```

### references/security-hardening-guide.md

```markdown
# Atlassian Cloud Security Hardening Guide

## Overview

This guide provides a comprehensive security hardening checklist for Atlassian Cloud products (Jira, Confluence, Bitbucket). It covers identity management, access controls, data protection, and monitoring practices aligned with enterprise security standards.

## Identity & Authentication

### SSO / SAML Setup

**Implementation Steps:**
1. Verify your domain in Atlassian Admin (admin.atlassian.com)
2. Claim all company email accounts
3. Configure SAML SSO with your identity provider (Okta, Azure AD, Google Workspace)
4. Set authentication policy to enforce SSO for all managed accounts
5. Test with a pilot group before full rollout
6. Disable password-based login for managed accounts

**Configuration Checklist:**
- [ ] Domain verified and accounts claimed
- [ ] SAML IdP configured with correct entity ID and SSO URL
- [ ] Attribute mapping: email, displayName, groups
- [ ] Single Logout (SLO) configured
- [ ] Authentication policy enforcing SSO
- [ ] Fallback access configured for emergency admin accounts
- [ ] SCIM provisioning enabled for automatic user sync

### Two-Factor Authentication (2FA)

**Enforcement Policy:**
- [ ] 2FA required for all managed accounts
- [ ] Enforce via authentication policy (not just recommended)
- [ ] Hardware security keys (FIDO2/WebAuthn) preferred for admin accounts
- [ ] TOTP (authenticator app) as minimum for all users
- [ ] SMS-based 2FA disabled (SIM swap vulnerability)
- [ ] Recovery codes generated and stored securely

### Session Management
- [ ] Session timeout set to 8 hours of inactivity (maximum)
- [ ] Absolute session timeout: 24 hours
- [ ] Require re-authentication for sensitive operations
- [ ] Monitor concurrent sessions per user
- [ ] Enforce session termination on password change

## Access Controls

### IP Allowlisting

**Configuration:**
- [ ] Enable IP allowlisting for organization
- [ ] Add corporate office IP ranges
- [ ] Add VPN exit node IP addresses
- [ ] Add CI/CD server IPs for API access
- [ ] Test access from all approved locations
- [ ] Document approved IP ranges with justification
- [ ] Review IP allowlist quarterly

**Exceptions:**
- Mobile access may require VPN or MDM solution
- Remote workers need VPN or conditional access policies
- API integrations need stable IP ranges

### API Token Management

**Policies:**
- [ ] Inventory all API tokens in use
- [ ] Set maximum token lifetime (90 days recommended)
- [ ] Require token rotation on schedule
- [ ] Use service accounts for integrations (not personal tokens)
- [ ] Monitor API token usage patterns
- [ ] Revoke tokens immediately on employee departure
- [ ] Document purpose and owner for each token

**Best Practices:**
- Use OAuth 2.0 (3LO) for user-context integrations
- Use API tokens only for service-to-service
- Store tokens in secrets management (never in code)
- Implement least-privilege scopes for OAuth apps

### Permission Model
- [ ] Review global permissions quarterly
- [ ] Use groups for permission assignment (not individual users)
- [ ] Implement role-based access for Jira projects
- [ ] Restrict Confluence space admin to designated owners
- [ ] Limit Jira system admin to 2-3 people
- [ ] Audit "anyone" or "logged in users" permissions
- [ ] Remove direct user permissions where groups exist

## Audit & Monitoring

### Audit Log Configuration

**What to Monitor:**
- User authentication events (login, logout, failed attempts)
- Permission changes (project, space, global)
- User account changes (creation, deactivation, group changes)
- API token creation and revocation
- App installations and updates
- Data export operations
- Admin configuration changes

**Setup Steps:**
- [ ] Enable organization audit log
- [ ] Configure audit log retention (minimum 1 year)
- [ ] Set up automated export to SIEM (Splunk, Datadog, etc.)
- [ ] Create alerts for suspicious patterns
- [ ] Schedule monthly audit log review
- [ ] Document incident response procedures for alerts

### Alerting Rules

**Critical Alerts (Immediate Response):**
- Multiple failed login attempts (>5 in 10 minutes)
- Admin permission grants to unexpected users
- API token created by non-service accounts
- Bulk data export or deletion
- New third-party app installed with broad permissions

**Warning Alerts (Same-Day Review):**
- New admin users added
- Permission scheme changes
- Authentication policy modifications
- IP allowlist changes
- User deactivation (verify it is expected)

## Data Protection

### Data Residency
- [ ] Configure data residency realm (US, EU, AU, etc.)
- [ ] Verify product data pinned to selected region
- [ ] Document data residency for compliance audits
- [ ] Review data residency coverage (some metadata may be global)
- [ ] Monitor for new residency options from Atlassian

### Encryption
- [ ] Verify encryption at rest (AES-256, managed by Atlassian)
- [ ] Verify encryption in transit (TLS 1.2+)
- [ ] Review Atlassian's encryption key management practices
- [ ] Consider BYOK (Bring Your Own Key) for Atlassian Guard Premium

### Data Loss Prevention
- [ ] Configure content restrictions for sensitive pages/issues
- [ ] Implement classification labels (public, internal, confidential)
- [ ] Restrict file attachment types if needed
- [ ] Monitor bulk exports and downloads
- [ ] Set up DLP rules for sensitive data patterns (PII, credentials)

## Mobile Device Management

### Mobile Access Controls
- [ ] Require MDM enrollment for mobile Atlassian apps
- [ ] Enforce device encryption
- [ ] Require screen lock with biometrics or PIN
- [ ] Enable remote wipe capability
- [ ] Block rooted/jailbroken devices
- [ ] Restrict copy/paste to managed apps
- [ ] Set app-level PIN for Atlassian apps

### Mobile Policies
- [ ] Define approved mobile devices/OS versions
- [ ] Enforce automatic app updates
- [ ] Configure offline data access limits
- [ ] Set maximum offline cache duration
- [ ] Review mobile access logs monthly

## Third-Party App Security

### App Review Process
- [ ] Maintain approved app list (whitelist)
- [ ] Review app permissions before installation
- [ ] Verify app is Atlassian Marketplace certified
- [ ] Check app vendor security certifications
- [ ] Assess data access scope (read-only vs read-write)
- [ ] Review app privacy policy
- [ ] Document app owner and business justification

### App Governance
- [ ] Audit installed apps quarterly
- [ ] Remove unused apps (no usage in 90 days)
- [ ] Monitor app permission changes
- [ ] Restrict app installation to admins only
- [ ] Review Atlassian Guard app access policies
- [ ] Set up alerts for new app installations

## Compliance Documentation

### Required Documentation
- [ ] Security policy for Atlassian Cloud usage
- [ ] Access control matrix (roles, permissions, justification)
- [ ] Incident response plan for Atlassian security events
- [ ] Data classification policy applied to Atlassian content
- [ ] Third-party app risk assessments
- [ ] Annual security review report

### Compliance Frameworks
- **SOC 2:** Map Atlassian controls to Trust Service Criteria
- **ISO 27001:** Align with Annex A controls for cloud services
- **GDPR:** Configure data residency, right to deletion, DPAs
- **HIPAA:** Review BAA availability, encryption, access controls

## Hardening Schedule

| Task | Frequency | Owner |
|------|-----------|-------|
| Permission audit | Quarterly | IT Admin |
| API token rotation | Every 90 days | Integration owners |
| App review | Quarterly | IT Admin |
| Audit log review | Monthly | Security team |
| IP allowlist review | Quarterly | IT Admin |
| Authentication policy review | Semi-annually | Security team |
| Full security assessment | Annually | Security team |
| User access review | Quarterly | Managers + IT Admin |
| Data residency verification | Annually | Compliance |
| Mobile device audit | Quarterly | IT Admin |

```

### references/user-provisioning-checklist.md

```markdown
# User Provisioning & Lifecycle Management Checklist

## Overview

This checklist covers the complete user lifecycle in Atlassian Cloud products, from onboarding through offboarding. Consistent provisioning ensures security, compliance, and a smooth user experience.

## Onboarding Steps

### Pre-Provisioning
- [ ] Receive approved access request (ticket or HR system trigger)
- [ ] Verify employee record in HR system
- [ ] Determine role-based access level (see Role Templates below)
- [ ] Identify required Atlassian products (Jira, Confluence, Bitbucket)
- [ ] Identify required project/space access

### Account Creation
- [ ] User account auto-provisioned via SCIM (preferred) or manually created
- [ ] Email domain matches verified organization domain
- [ ] SSO authentication verified (user can log in via IdP)
- [ ] 2FA enrollment confirmed
- [ ] Correct product access assigned (Jira, Confluence, Bitbucket)

### Group Membership
- [ ] Add to organization-level groups (e.g., `all-employees`)
- [ ] Add to department group (e.g., `engineering`, `product`, `marketing`)
- [ ] Add to team-specific groups (e.g., `team-platform`, `team-mobile`)
- [ ] Add to project groups as needed (e.g., `project-alpha-members`)
- [ ] Verify group membership grants correct permissions

### Product Configuration
- [ ] **Jira:** Add to correct project roles (Developer, User, Admin)
- [ ] **Jira:** Assign to correct board(s)
- [ ] **Jira:** Set default dashboard if applicable
- [ ] **Confluence:** Grant access to relevant spaces
- [ ] **Confluence:** Add to space groups with appropriate permission level
- [ ] **Bitbucket:** Grant repository access per team
- [ ] **Bitbucket:** Configure branch permissions

### Welcome & Training
- [ ] Send welcome email with access details and key links
- [ ] Share Confluence onboarding page (getting started guide)
- [ ] Assign onboarding buddy for Atlassian tool questions
- [ ] Schedule optional training session for new users
- [ ] Provide link to internal Atlassian usage guidelines

## Role-Based Access Templates

### Developer
- **Jira:** Project Developer role (create, edit, transition issues)
- **Confluence:** Team space editor, documentation spaces viewer
- **Bitbucket:** Repository write access for team repos

### Product Manager
- **Jira:** Project Admin role (manage boards, workflows, components)
- **Confluence:** Product spaces editor, all team spaces viewer
- **Bitbucket:** Repository read access (optional)

### Designer
- **Jira:** Project User role (view, comment, transition)
- **Confluence:** Design space editor, product spaces editor
- **Bitbucket:** No access (unless needed)

### Engineering Manager
- **Jira:** Project Admin for managed projects, viewer for others
- **Confluence:** Team space admin, all spaces viewer
- **Bitbucket:** Repository admin for team repos

### Executive / Stakeholder
- **Jira:** Viewer role on strategic projects, dashboard access
- **Confluence:** Viewer on relevant spaces
- **Bitbucket:** No access

### Contractor / External
- **Jira:** Project User role, limited to specific projects
- **Confluence:** Viewer on specific spaces only (no edit)
- **Bitbucket:** Repository read access, specific repos only
- **Additional:** Set account expiration date, restrict IP access

## Group Membership Standards

### Naming Convention
```
org-{company}          # Organization-wide groups
dept-{department}      # Department groups
team-{team-name}       # Team-specific groups
project-{project}      # Project-scoped groups
role-{role}            # Role-based groups (role-admin, role-viewer)
```

### Standard Groups
| Group | Purpose | Products |
|-------|---------|----------|
| `org-all-employees` | All full-time employees | Jira, Confluence |
| `dept-engineering` | All engineers | Jira, Confluence, Bitbucket |
| `dept-product` | All product team | Jira, Confluence |
| `dept-marketing` | All marketing team | Confluence |
| `role-jira-admins` | Jira administrators | Jira |
| `role-confluence-admins` | Confluence administrators | Confluence |
| `role-org-admins` | Organization administrators | All |

## Offboarding Procedure

### Immediate Actions (Day of Departure)
- [ ] Deactivate user account in Atlassian (or via IdP/SCIM)
- [ ] Revoke all API tokens associated with the user
- [ ] Revoke all OAuth app authorizations
- [ ] Transfer ownership of critical Confluence pages
- [ ] Reassign Jira issues (open/in-progress items)
- [ ] Remove from all groups
- [ ] Document access removal in offboarding ticket

### Within 24 Hours
- [ ] Verify account is fully deactivated (cannot log in)
- [ ] Check for shared credentials or service accounts
- [ ] Review audit log for recent activity
- [ ] Transfer Confluence space ownership if applicable
- [ ] Update Jira project leads/component leads if applicable
- [ ] Remove from any Atlassian Marketplace vendor accounts

### Within 7 Days
- [ ] Verify no lingering sessions or cached access
- [ ] Review integrations the user may have set up
- [ ] Check for automation rules owned by the user
- [ ] Update team dashboards and filters
- [ ] Confirm with manager that all transfers are complete

### Data Retention
- [ ] User content (pages, issues, comments) retained per policy
- [ ] Personal spaces archived or transferred
- [ ] Account marked as deactivated (not deleted) for audit trail
- [ ] Data deletion request processed if required (GDPR)

## Quarterly Access Reviews

### Review Process
1. Generate user access report from Atlassian Admin
2. Distribute to managers for team verification
3. Managers confirm or flag each user's access level
4. IT Admin processes approved changes
5. Document review completion for compliance

### Review Checklist
- [ ] All active accounts match current employee list
- [ ] No accounts for departed employees
- [ ] Group memberships align with current roles
- [ ] Admin access limited to approved administrators
- [ ] External/contractor accounts have valid expiration dates
- [ ] Service accounts documented with current owners
- [ ] Unused accounts (no login in 90 days) flagged for review

### Compliance Documentation
- [ ] Access review completion date recorded
- [ ] Manager sign-off captured (email or ticket)
- [ ] Changes made during review documented
- [ ] Exceptions documented with justification and approval
- [ ] Report filed for audit purposes
- [ ] Next review date scheduled

## Automation Opportunities

### SCIM Provisioning
- Automatically create/deactivate accounts based on IdP changes
- Sync group membership from IdP groups
- Reduce manual provisioning errors
- Ensure immediate deactivation on termination

### Workflow Automation
- Trigger onboarding checklist from HR system event
- Auto-assign to groups based on department/role attributes
- Send welcome messages via Confluence automation
- Schedule access reviews via Jira recurring tickets

### Monitoring
- Alert on accounts without 2FA after 7 days
- Alert on admin group changes
- Weekly report of new and deactivated accounts
- Monthly stale account report (no login in 90 days)

```

### scripts/permission_audit_tool.py

```python
#!/usr/bin/env python3
"""
Permission Audit Tool

Analyzes Atlassian permission schemes for security issues. Checks for
over-permissioned groups, direct user permissions, missing restrictions on
sensitive actions, inconsistencies across projects, and compliance gaps.

Usage:
    python permission_audit_tool.py permissions.json
    python permission_audit_tool.py permissions.json --format json
"""

import argparse
import json
import sys
from typing import Any, Dict, List, Optional, Set


# ---------------------------------------------------------------------------
# Audit Configuration
# ---------------------------------------------------------------------------

SENSITIVE_PERMISSIONS = {
    "administer_project",
    "administer_jira",
    "delete_issues",
    "delete_all_comments",
    "delete_all_attachments",
    "manage_watchers",
    "modify_reporter",
    "bulk_change",
    "system_admin",
    "manage_group_filter_subscriptions",
}

RECOMMENDED_GROUP_ONLY_PERMISSIONS = {
    "browse_projects",
    "create_issues",
    "edit_issues",
    "transition_issues",
    "assign_issues",
    "resolve_issues",
    "close_issues",
    "add_comments",
    "edit_all_comments",
}

SEVERITY_WEIGHTS = {
    "critical": 25,
    "high": 15,
    "medium": 8,
    "low": 3,
    "info": 1,
}


# ---------------------------------------------------------------------------
# Audit Checks
# ---------------------------------------------------------------------------

def check_over_permissioned_groups(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for groups with overly broad admin access."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        group_permissions = {}
        for grant in grants:
            group = grant.get("group", "")
            permission = grant.get("permission", "").lower()
            if group:
                if group not in group_permissions:
                    group_permissions[group] = set()
                group_permissions[group].add(permission)

        for group, perms in group_permissions.items():
            admin_perms = perms & SENSITIVE_PERMISSIONS
            if len(admin_perms) >= 3:
                findings.append({
                    "rule": "over_permissioned_group",
                    "severity": "high",
                    "scheme": scheme_name,
                    "group": group,
                    "message": f"Group '{group}' has {len(admin_perms)} sensitive permissions "
                               f"in scheme '{scheme_name}': {', '.join(sorted(admin_perms))}. "
                               f"Review if all are necessary.",
                })

            if "system_admin" in perms or "administer_jira" in perms:
                findings.append({
                    "rule": "admin_access_warning",
                    "severity": "critical",
                    "scheme": scheme_name,
                    "group": group,
                    "message": f"Group '{group}' has system/Jira admin access in '{scheme_name}'. "
                               f"Ensure this is strictly necessary and membership is limited.",
                })

    return findings


def check_direct_user_permissions(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for permissions granted directly to users instead of groups."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        for grant in grants:
            user = grant.get("user", "")
            permission = grant.get("permission", "")

            if user and not grant.get("group"):
                severity = "high" if permission.lower() in SENSITIVE_PERMISSIONS else "medium"
                findings.append({
                    "rule": "direct_user_permission",
                    "severity": severity,
                    "scheme": scheme_name,
                    "user": user,
                    "message": f"User '{user}' has direct permission '{permission}' in '{scheme_name}'. "
                               f"Use groups instead for maintainability and audit clarity.",
                })

    return findings


def check_missing_restrictions(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for missing restrictions on sensitive actions."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        granted_permissions = set()
        for grant in grants:
            granted_permissions.add(grant.get("permission", "").lower())

        # Check if delete permissions are unrestricted
        delete_perms = {"delete_issues", "delete_all_comments", "delete_all_attachments"}
        unrestricted_deletes = delete_perms & granted_permissions

        for grant in grants:
            perm = grant.get("permission", "").lower()
            group = grant.get("group", "")
            if perm in delete_perms and group:
                # Check if granted to broad groups
                broad_groups = {"users", "everyone", "all-users", "jira-users", "jira-software-users"}
                if group.lower() in broad_groups:
                    findings.append({
                        "rule": "unrestricted_delete",
                        "severity": "critical",
                        "scheme": scheme_name,
                        "message": f"Delete permission '{perm}' granted to broad group '{group}' "
                                   f"in '{scheme_name}'. Restrict to admins or leads only.",
                    })

        # Check if admin permissions exist
        admin_perms = {"administer_project", "administer_jira", "system_admin"}
        if not (admin_perms & granted_permissions):
            findings.append({
                "rule": "no_admin_defined",
                "severity": "medium",
                "scheme": scheme_name,
                "message": f"No explicit admin permission defined in '{scheme_name}'. "
                           f"Ensure project administration is properly assigned.",
            })

    return findings


def check_scheme_consistency(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for inconsistencies across permission schemes."""
    findings = []

    if len(schemes) < 2:
        return findings

    # Compare permission sets across schemes
    scheme_perms = {}
    for scheme in schemes:
        name = scheme.get("name", "Unknown")
        perms = set()
        for grant in scheme.get("grants", []):
            perms.add(grant.get("permission", "").lower())
        scheme_perms[name] = perms

    # Find schemes with significantly different permission sets
    all_perms = set()
    for perms in scheme_perms.values():
        all_perms |= perms

    scheme_names = list(scheme_perms.keys())
    for i in range(len(scheme_names)):
        for j in range(i + 1, len(scheme_names)):
            name_a = scheme_names[i]
            name_b = scheme_names[j]
            diff = scheme_perms[name_a].symmetric_difference(scheme_perms[name_b])
            if len(diff) > 5:
                findings.append({
                    "rule": "scheme_inconsistency",
                    "severity": "medium",
                    "message": f"Schemes '{name_a}' and '{name_b}' differ significantly "
                               f"({len(diff)} different permissions). Review for intentional differences.",
                })

    return findings


def check_compliance_gaps(
    schemes: List[Dict[str, Any]],
) -> List[Dict[str, str]]:
    """Check for common compliance gaps."""
    findings = []

    for scheme in schemes:
        scheme_name = scheme.get("name", "Unknown Scheme")
        grants = scheme.get("grants", [])

        groups_used = set()
        users_used = set()
        for grant in grants:
            if grant.get("group"):
                groups_used.add(grant["group"])
            if grant.get("user"):
                users_used.add(grant["user"])

        # Check for separation of duties
        admin_groups = set()
        for grant in grants:
            if grant.get("permission", "").lower() in SENSITIVE_PERMISSIONS and grant.get("group"):
                admin_groups.add(grant["group"])

        if len(admin_groups) == 1 and len(groups_used) > 1:
            findings.append({
                "rule": "separation_of_duties",
                "severity": "info",
                "scheme": scheme_name,
                "message": f"Only one group ('{next(iter(admin_groups))}') holds all sensitive permissions "
                           f"in '{scheme_name}'. Consider separating duties across multiple groups.",
            })

        # Check user count
        if len(users_used) > 5:
            findings.append({
                "rule": "too_many_direct_users",
                "severity": "high",
                "scheme": scheme_name,
                "message": f"Scheme '{scheme_name}' has {len(users_used)} direct user grants. "
                           f"Migrate to group-based permissions for better governance.",
            })

    return findings


# ---------------------------------------------------------------------------
# Main Analysis
# ---------------------------------------------------------------------------

def audit_permissions(data: Dict[str, Any]) -> Dict[str, Any]:
    """Run full permission audit."""
    schemes = data.get("schemes", [])

    if not schemes:
        # Try treating the entire input as a single scheme
        if data.get("grants") or data.get("name"):
            schemes = [data]
        else:
            return {
                "risk_score": 0,
                "grade": "invalid",
                "error": "No permission schemes found in input",
                "findings": [],
                "summary": {},
            }

    all_findings = []
    all_findings.extend(check_over_permissioned_groups(schemes))
    all_findings.extend(check_direct_user_permissions(schemes))
    all_findings.extend(check_missing_restrictions(schemes))
    all_findings.extend(check_scheme_consistency(schemes))
    all_findings.extend(check_compliance_gaps(schemes))

    # Calculate risk score (higher = more risk)
    summary = {"critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0}
    total_penalty = 0
    for finding in all_findings:
        severity = finding["severity"]
        summary[severity] = summary.get(severity, 0) + 1
        total_penalty += SEVERITY_WEIGHTS.get(severity, 0)

    risk_score = min(100, total_penalty)
    health_score = max(0, 100 - risk_score)

    if health_score >= 85:
        grade = "excellent"
    elif health_score >= 70:
        grade = "good"
    elif health_score >= 50:
        grade = "fair"
    else:
        grade = "poor"

    # Generate remediation recommendations
    remediations = _generate_remediations(all_findings)

    return {
        "risk_score": risk_score,
        "health_score": health_score,
        "grade": grade,
        "schemes_analyzed": len(schemes),
        "findings": all_findings,
        "summary": summary,
        "remediations": remediations,
    }


def _generate_remediations(findings: List[Dict[str, str]]) -> List[str]:
    """Generate remediation recommendations."""
    remediations = []
    rules_seen = set()

    for finding in findings:
        rule = finding["rule"]
        if rule in rules_seen:
            continue
        rules_seen.add(rule)

        if rule == "over_permissioned_group":
            remediations.append("Review and reduce sensitive permissions for over-permissioned groups. Apply principle of least privilege.")
        elif rule == "admin_access_warning":
            remediations.append("Audit admin group membership. Limit system/Jira admin access to essential personnel only.")
        elif rule == "direct_user_permission":
            remediations.append("Migrate direct user permissions to group-based grants. Create functional groups for common permission sets.")
        elif rule == "unrestricted_delete":
            remediations.append("Restrict delete permissions to project admins or leads. Remove from broad user groups.")
        elif rule == "scheme_inconsistency":
            remediations.append("Standardize permission schemes across projects. Document intentional differences.")
        elif rule == "too_many_direct_users":
            remediations.append("Create groups for users with direct permissions. This simplifies onboarding/offboarding.")
        elif rule == "separation_of_duties":
            remediations.append("Consider splitting admin responsibilities across multiple groups for better separation of duties.")
        elif rule == "no_admin_defined":
            remediations.append("Define explicit admin permissions in each scheme to ensure proper project governance.")

    return remediations


# ---------------------------------------------------------------------------
# Output Formatting
# ---------------------------------------------------------------------------

def format_text_output(result: Dict[str, Any]) -> str:
    """Format results as readable text report."""
    lines = []
    lines.append("=" * 60)
    lines.append("PERMISSION AUDIT REPORT")
    lines.append("=" * 60)
    lines.append("")

    if "error" in result:
        lines.append(f"ERROR: {result['error']}")
        return "\n".join(lines)

    lines.append("AUDIT SUMMARY")
    lines.append("-" * 30)
    lines.append(f"Risk Score: {result['risk_score']}/100 (lower is better)")
    lines.append(f"Health Score: {result['health_score']}/100")
    lines.append(f"Grade: {result['grade'].title()}")
    lines.append(f"Schemes Analyzed: {result['schemes_analyzed']}")
    lines.append("")

    summary = result.get("summary", {})
    lines.append("FINDINGS BY SEVERITY")
    lines.append("-" * 30)
    lines.append(f"Critical: {summary.get('critical', 0)}")
    lines.append(f"High: {summary.get('high', 0)}")
    lines.append(f"Medium: {summary.get('medium', 0)}")
    lines.append(f"Low: {summary.get('low', 0)}")
    lines.append(f"Info: {summary.get('info', 0)}")
    lines.append("")

    findings = result.get("findings", [])
    if findings:
        lines.append("DETAILED FINDINGS")
        lines.append("-" * 30)
        for i, finding in enumerate(findings, 1):
            severity = finding["severity"].upper()
            lines.append(f"{i}. [{severity}] {finding['message']}")
            lines.append(f"   Rule: {finding['rule']}")
            if finding.get("scheme"):
                lines.append(f"   Scheme: {finding['scheme']}")
            lines.append("")

    remediations = result.get("remediations", [])
    if remediations:
        lines.append("REMEDIATION RECOMMENDATIONS")
        lines.append("-" * 30)
        for i, rem in enumerate(remediations, 1):
            lines.append(f"{i}. {rem}")

    return "\n".join(lines)


def format_json_output(result: Dict[str, Any]) -> Dict[str, Any]:
    """Format results as JSON."""
    return result


# ---------------------------------------------------------------------------
# CLI Interface
# ---------------------------------------------------------------------------

def main() -> int:
    """Main CLI entry point."""
    parser = argparse.ArgumentParser(
        description="Audit Atlassian permission schemes for security issues"
    )
    parser.add_argument(
        "permissions_file",
        help="JSON file with permission scheme data",
    )
    parser.add_argument(
        "--format",
        choices=["text", "json"],
        default="text",
        help="Output format (default: text)",
    )

    args = parser.parse_args()

    try:
        with open(args.permissions_file, "r") as f:
            data = json.load(f)

        result = audit_permissions(data)

        if args.format == "json":
            print(json.dumps(format_json_output(result), indent=2))
        else:
            print(format_text_output(result))

        return 0

    except FileNotFoundError:
        print(f"Error: File '{args.permissions_file}' not found", file=sys.stderr)
        return 1
    except json.JSONDecodeError as e:
        print(f"Error: Invalid JSON in '{args.permissions_file}': {e}", file=sys.stderr)
        return 1
    except Exception as e:
        print(f"Error: {e}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    sys.exit(main())

```