Uploaded image for project: 'Atlassian Guard'
  1. Atlassian Guard
  2. ACCESS-1040

IP allow list: Allow specific policies to only apply to specific products/pages/Spaces/Projects

    • 55
    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Problem Definition

      • An admin may want to only configure IP allow lists for specific pages, Spaces or projects within Jira/Confluence and not necessarily the entire site.
      • An admin might also want to configure IP allowlisting for only certain accounts.

      Suggested Solution

      • Allow admins to specify URL paths that the polices applies to or allow them to define only certain accounts that are affected by IP allowlisting

      Why this is important

      • More flexibility as some project/Space admins may want IP allow listing, but others may not

      Workaround

      (Optional)

            [ACCESS-1040] IP allow list: Allow specific policies to only apply to specific products/pages/Spaces/Projects

            We've recently investigated and moved to IP Whitelisting knowing the tradeoffs. We hope to see feature improvements soon. Here are the use cases:

            • Some spaces are for company information sharing. They can and should have IP whitelisting so our whole company can access content in Confluence without requiring we manage subscriptions (people come and go, most only require access to view content). And to be honest, it's also a cost management approach. For security, all non-employees should not be able to access this content, regardless if they have a license or not. Basically, if not on our network, you should never be able to access these spaces.
            • Some spaces are for development and require working with partners. These cannot be restricted by IP whitelisting because we need external users to access and view or contribute content. These external organizations should NEVER have access to any space other than ones we determine. We could manage permitting access to the specific space we want them to have because these would be licensed users. We would provide a license to these users (may even be guest accounts if it's solely to view content). Very few users in this case, and critical we manage for security reasons.
            • Some spaces are a mix of both. We need all employees to access content (anonymous with IP whitelisting), but we also need some external users to access as long as they have a license and are in the right permission group.
            • Some spaces are truly open to anyone, internal or external. 

            Currently, we cannot deliver this capability to our business. With IP Whitelisting enabled, we have shutout our partners from content they previously could access. We considered creating multiple organizations, but then we increase user management complexity and permissions management. We also then have to manage relating Jira items to multiple pages across Confluence organizations which also increases complexity. And when a project completes, we then need to move content to the right organization(s) to provide the right access. And this only solves for bullets 1 and 2 and possibly 4, not 3.

            What we would really like is an ability to have IP Whitelisting apply only to anonymous-enabled spaces or permit IP Whitelisting to be related to selected spaces. Let other spaces continue to work as before IP Whitelisting was enabled for the organization. This finer level of enabling and enforcing IP Whitelisting would make administering a Confluence organization so much easier AND be more powerful. Today, if we get IP Whitelisting for the Confluence organization wrong, we could expose a lot of information unintentionally. Consider the mistake of IP Whitelisting a partner company. All anonymous spaces within the Confluence organization are now open to all employees at the partner. Better to do it at the space level, so all other spaces are insulated from this type of accident.

            Alex Orsini added a comment - We've recently investigated and moved to IP Whitelisting knowing the tradeoffs. We hope to see feature improvements soon. Here are the use cases: Some spaces are for company information sharing. They can and should have IP whitelisting so our whole company can access content in Confluence without requiring we manage subscriptions (people come and go, most only require access to view content). And to be honest, it's also a cost management approach. For security, all non-employees should not be able to access this content, regardless if they have a license or not. Basically, if not on our network, you should never be able to access these spaces. Some spaces are for development and require working with partners. These cannot be restricted by IP whitelisting because we need external users to access and view or contribute content. These external organizations should NEVER have access to any space other than ones we determine. We could manage permitting access to the specific space we want them to have because these would be licensed users. We would provide a license to these users (may even be guest accounts if it's solely to view content). Very few users in this case, and critical we manage for security reasons. Some spaces are a mix of both. We need all employees to access content (anonymous with IP whitelisting), but we also need some external users to access as long as they have a license and are in the right permission group. Some spaces are truly open to anyone, internal or external.  Currently, we cannot deliver this capability to our business. With IP Whitelisting enabled, we have shutout our partners from content they previously could access. We considered creating multiple organizations, but then we increase user management complexity and permissions management. We also then have to manage relating Jira items to multiple pages across Confluence organizations which also increases complexity. And when a project completes, we then need to move content to the right organization(s) to provide the right access. And this only solves for bullets 1 and 2 and possibly 4, not 3. What we would really like is an ability to have IP Whitelisting apply only to anonymous-enabled spaces or permit IP Whitelisting to be related to selected spaces. Let other spaces continue to work as before IP Whitelisting was enabled for the organization. This finer level of enabling and enforcing IP Whitelisting would make administering a Confluence organization so much easier AND be more powerful. Today, if we get IP Whitelisting for the Confluence organization wrong, we could expose a lot of information unintentionally. Consider the mistake of IP Whitelisting a partner company. All anonymous spaces within the Confluence organization are now open to all employees at the partner. Better to do it at the space level, so all other spaces are insulated from this type of accident.

            @Kirsti Griffith: How are you currently managing your use case? Do you apply IP Allow Listing to the whole cloud site?

            Maximilian Floß added a comment - @Kirsti Griffith: How are you currently managing your use case? Do you apply IP Allow Listing to the whole cloud site?

            Our use case: We only want to apply IP Allow Listing to spaces that have anonymous access enabled. we do not want to limit access of our internal users to products. 

            Kirsti Griffith added a comment - Our use case: We only want to apply IP Allow Listing to spaces that have anonymous access enabled. we do not want to limit access of our internal users to products. 

              gvenkatesh@atlassian.com Gautam Venkatesh
              dnguyen4 Derrick Nguyen
              Votes:
              52 Vote for this issue
              Watchers:
              63 Start watching this issue

                Created:
                Updated: