[ACCESS-1135] Need to control or manage users or user groups from creating products

    Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Under the feature Automatic product discovery in Atlassian Access, the following occurs as described:

      Atlassian will proactively send an email with the number of shadow IT products created by their managed users and what the exact shadow IT product is.

      Within admin.atlassian.com, organization admins can also view additional information, such as the owner of these products, how many users are in that product, and the date it was created.

      To start remediation, organization admins can click on the "…" ellipsis to contact the product owner.

      It is not adequate just to contact the product owner. How do we manage users or user groups from being able to spin up new products?

      We can "discover" them; however, for such a large enterprise organization as ours it's not scalable to reach out to each product owner every time, and at the cadence we can follow up there may be too many spinning up new products.

      We like the feature; however, we should be able to take this a step further.


            Darryl Lee added a comment -

            Hey everyone.

            I 100% agree that it's a poor decision for Atlassian to only offer this feature for Enterprise customers, and that the feature is incomplete, and that it really should be considered a security vulnerability as opposed to a feature request.

            However, in my experience, 100% of the 67 sites created since we migrated to Cloud were created by accident because users were simply trying to log into our "new" Jira or Confluence sites and they had forgotten the URL.

            That's why in June 2024 I asked, Why is Atlassian promoting Shadow IT? Or Accidental IT?

            So I was happy when 7a79c351a973 was finally able to get Atlassian in January 2025 to create CLOUD-12193 - Reduce occurrences of accidental site creations and even happier (and frankly surprised) that Atlassian implemented a fix last week.

            I feel like perhaps 48d91e7b076f didn't realize that they should have provided that additional context when closing this ticket.

            At any rate, I realize that there are outstanding and valid concerns about security, feature completeness, and the unfairness of this being an Enterprise-only feature, but for me, the root cause of all of my accidental site creations was a broken login/create-new-site flow. And Atlassian has (finally) fixed that.


            Robert Klohr added a comment -

            48d91e7b076f gjones@atlassian.com

            How can this be closed? This is a privilege escalation vulnerability even if Atla$$ian coded it intentionally.

            I find it insulting that the comment posted as this issue is 'closed' (it should have the status 'Won't Do') includes a link to controlling your shadow IT, when this unresolved issue causes shadow IT by letting non-admins take actions on behalf of the company that can result in added products and increased, unbudgeted costs without any oversight.

            I am curious to know if anyone tracking this thread knows how we can open a CVE on this vulnerability. The good news is we don't need to worry about Responsible Disclosure timelines, as Atla$$ian has openly admitted the problem exists; they just refuse to fix it.

            brady added a comment -

            48d91e7b076f 

            So you are effectively acknowledging the fact that Atlassian has essentially handicapped its lower subscription tiers with security vulnerabilities and administrative controls that are only accessible from the Enterprise tier.

            This is more than just a paywall to a premium "feature". This is tying the hands of Atlassian administrators at your Premium and standard tiers by restricting access to something that would normally fall into basic admin controls behind your paywall.

            That's a crap excuse to close this ticket.


            George Shaw added a comment -

            48d91e7b076f: From your comment, you appear unaware that this is still a problem for Enterprise users. Atlassian's own documentation explains ways users can create products when an Enterprise administrator has (theoretically) denied this.

            In any case, fixing it for Enterprise only is clearly insufficient, as this is a security vulnerability. Administrative actions like signing up for products should not be available to managed users without permission from an org admin. Worse, for organisations using Atlassian Guard, this allows any user on a company domain to incur costs for the organisation without authority to do so – this is unacceptable.

            reuben.hollifield added a comment -

            48d91e7b076f gjones@atlassian.com

            I enjoy using Atlassian products, and highly suggest them to anyone that asks, but I find the closure of this ticket to be very troublesome. I understand that there may be a need out there for users to quickly spin up Atlassian software, across organizations. However, in my organization, we have strict controls on data, software and vendor management. Simply "discovering" products that people in my organization have created by accident is not a good practice. As an Atlassian Organization Admin, I should be able to define exactly who in my domain has the ability to create new products or organizations.

            Over the past few months, we have seen an uptick in the number of instances where users are erroneously creating new products. When this happens, I have to reach out to Atlassian support, delete the new product, then wait 60 days and delete the new organization. This takes time, and if I'm reading this article correctly, it also opens the door to potential security risks: "What is the impact of shadow IT on my organization? | Atlassian Support" (https://support.atlassian.com/organization-administration/docs/what-is-the-impact-of-shadow-it-on-my-organization/)

            This is a widespread issue and a solution should be developed for Cloud users. Thank you.

            Stefaan Vandaele added a comment -

            48d91e7b076f, your post does not add any new information.

            On the contrary, it looks like Atla$$ian keeps ignoring the elementary security of their "PREMIUM" and "GUARD" products.

            These are only some of the tickets that I'm aware of (and many have been closed by Atla$$ian during the past years!):

            https://jira.atlassian.com/browse/CLOUD-10325
            https://jira.atlassian.com/browse/CLOUD-11690
            https://jira.atlassian.com/browse/CLOUD-12089
            https://jira.atlassian.com/browse/CLOUD-12193
            https://jira.atlassian.com/browse/ACCESS-1135
            https://jira.atlassian.com/browse/ACCESS-1272
            https://jira.atlassian.com/browse/ACCESS-1468
            https://jira.atlassian.com/browse/ACCESS-1645
            https://jira.atlassian.com/browse/ACCESS-1651
            https://jira.atlassian.com/browse/ACCESS-1679
            https://jira.atlassian.com/browse/ID-7697
            https://community.atlassian.com/t5/Articles/What-s-the-word-I-m-looking-for/ba-p/2862486
            https://community.atlassian.com/t5/Confluence-questions/SECURITY-ISSUE-during-login-procedure-of-managed-users/qaq-p/2841895
            https://community.atlassian.com/t5/Atlassian-Account-questions/How-to-Prevent-Atlassian-Products-being-added-by-users-w-company/qaq-p/2401874
            https://community.atlassian.com/t5/Questions/Why-is-Atlassian-promoting-Shadow-IT-Or-Accidental-IT/qaq-p/2731538
            https://community.atlassian.com/t5/Enterprise-articles/An-update-on-product-requests-bringing-shadow-IT-controls-to/ba-p/2840760
            https://community.atlassian.com/t5/Articles/Proposal-to-prevent-Accidental-Site-Creations-accidentalit/ba-p/2867193#M558

            Why exactly is it that your customers need to FIGHT against their "trusted supplier"?
            Why is Atla$$ian not interested/willing to provide "good value for money" products?

            Alexa added a comment -

            Why is this ticket closed? This has not been addressed for any tier other than Enterprise. 


            Scott Paist added a comment -

            Enterprise only? Come on Atlassian, that's BS.

            Srividya Ramaswamy added a comment -

            We truly value your suggestion and the thought you've put into it. The Cloud Enterprise (CE) plan solves the challenges of customers operating our products at a large scale by addressing their complexity, governance, advanced security, and compliance needs. The Atlassian Access product solves for more foundational security requirements and provides identity and access management support. We have implemented solutions for shadow IT risks based on customer differentiation in both CE and Atlassian Access.

            For more information, see https://support.atlassian.com/organization-administration/docs/control-your-shadow-it-footprint/

            Thanks for your understanding and for being such an important part of our community!

            이혜진 added a comment -

            The feature to prevent users from arbitrarily creating products should be available in all plans.
            It is difficult for administrators to manually track newly created products, and this process takes a significant amount of time.

            Moreover, canceling these unauthorized products is also a cumbersome and frustrating task.

            In addition, allowing products to be created without administrative approval can lead to billing and security issues, so it is unreasonable for this feature to be available only in the Enterprise plan.

            Atlassian must recognize that if this feature is not implemented, many Cloud users may turn away from Atlassian.
            Cheers


              gjones@atlassian.com Griffin Jones
              fa7f51582178 Keyonna Taylor (Inactive)
              Votes: 213
              Watchers: 166