
Provide Organization Admins with granular control over managed Bitbucket accounts


      Issue Summary

      For users with managed accounts, when a company is worried about its IP being cloned and posted publicly, the Organization Admin would like to have granular control over:

      1. who can create a repository in their own space outside of company shared one
      2. what type of repository (public/private) the user can create
      3. Prevent the user from posting anything publicly on Bitbucket
      4. Allow Admins to see which user has App Password uploaded to their Bitbucket account
      5. Which user has SSH keys uploaded to their Bitbucket Account.
      6. Visibility into when the managed user last accessed Bitbucket Cloud workspace
      7. Visibility into when the managed user last made changes to their Bitbucket Cloud workspace
      8. Prevent managed accounts from creating workspaces
      9. Ability for admins to control who can use PAT/WAT/RATs for accessing workspace content
      10. Ability for admins to restrict app passwords from accessing private content of the workspace
      11. Ability for admins to restrict SSH keys from accessing private content of the workspace

      Update:

      1. Org Admins should be able to check which workspaces their managed users have access to.

      Steps to Reproduce

      NA

      Expected Results

      To prevent any user with a managed account from creating a public repo in a workspace they own

      Actual Results

      As of right now, we do not have a way to prevent users with managed accounts from creating an individual workspace and publishing any data there, public or private.

      Workaround

      none


            Steve Thomas added a comment - - edited

            What is the current status of this?


            Jan added a comment -

            Any update on this? I am not impressed that Atlassian can allow these repositories to be created and then permit these repos to be public repos. This is a huge security concern.

            I should have the option to disable Bitbucket for an org environment if we do not have control at the admin level.

            Please fix or allow the ability to disable Bitbucket.


            Patrick Wolf - Atlassian (Inactive) added a comment -

            I'm moving this ticket to Access. All org-level administration for managed accounts is handled by Access.

            Max added a comment - - edited

            Point 5 ("Which user has SSH keys uploaded to their Bitbucket Account.") should be public. Public SSH keys should not be treated as secrets. GitHub, GitLab, Launchpad, etc. allow anyone to retrieve the public key of any user without any authentication:
            GitHub - `curl https://github.com/<username>.keys`
            GitLab - `curl https://gitlab.com/<username>.keys`

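As an added, illustrative example (not Atlassian's code and not part of this ticket): an inventory pass over the authorized_keys-style listing that the `.keys` endpoints mentioned in the comment above return, recovering each key's type and size from the RFC 4251 wire blob and flagging obsolete ssh-dss keys and RSA keys below an assumed policy minimum (`MIN_RSA_BITS`, a constructed threshold, not an Atlassian setting). The sample listing is constructed inline from placeholder blobs rather than fetched, and whether Bitbucket exposes a comparable endpoint is not stated on this page.

```python
import base64
import struct
from dataclasses import dataclass
from typing import Optional

MIN_RSA_BITS = 3072  # assumed local policy threshold, not an Atlassian setting


@dataclass
class SshKeyInfo:
    key_type: str
    bits: Optional[int]  # key size where the type makes it recoverable from the blob
    comment: str


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 when the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int):
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_key_line(line: str) -> SshKeyInfo:
    """Decode one 'type base64 [comment]' line and recover type and size from the blob."""
    parts = line.split(maxsplit=2)
    if len(parts) < 2:
        raise ValueError(f"malformed key line: {line!r}")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii") != declared_type:
        raise ValueError(f"type mismatch: {declared_type} vs {wire_type!r}")
    bits: Optional[int] = None
    if declared_type == "ssh-rsa":
        _exponent, off = _read_string(blob, off)   # e, then n
        modulus, off = _read_string(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
    elif declared_type == "ssh-ed25519":
        public_key, off = _read_string(blob, off)  # raw 32-byte point
        bits = len(public_key) * 8
    elif declared_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)       # curve name precedes the point
        bits = {"nistp256": 256, "nistp384": 384, "nistp521": 521}.get(curve.decode("ascii"))
    return SshKeyInfo(declared_type, bits, comment)


def audit_keys_response(username: str, body: str) -> dict:
    """Count a user's keys and flag obsolete or under-sized ones against the policy above."""
    keys = [parse_key_line(line) for line in body.splitlines() if line.strip()]
    findings = []
    for key in keys:
        if key.key_type == "ssh-dss":
            findings.append(f"{username}: ssh-dss key ({key.comment or 'no comment'}) is obsolete")
        elif key.key_type == "ssh-rsa" and key.bits is not None and key.bits < MIN_RSA_BITS:
            findings.append(f"{username}: ssh-rsa key is {key.bits} bits, below minimum {MIN_RSA_BITS}")
    return {"user": username, "key_count": len(keys), "keys": keys, "findings": findings}


# Constructed sample data: placeholder blobs in valid wire format, not real keys.
def make_rsa_line(bits: int, comment: str) -> str:
    modulus = (1 << (bits - 1)) | 1  # placeholder of the requested length, not a real modulus
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def make_ed25519_line(comment: str) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def make_dss_line(comment: str) -> str:
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (7, 11, 13, 17))
    return f"ssh-dss {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEYS_BODY = "\n".join([
    make_rsa_line(2048, "laptop-2019"),
    make_ed25519_line("yubikey"),
    make_dss_line("legacy-build-box"),
]) + "\n"

if __name__ == "__main__":
    report = audit_keys_response("example-user", SAMPLE_KEYS_BODY)
    print(f"{report['user']}: {report['key_count']} key(s)")
    for finding in report["findings"]:
        print("  -", finding)
```

Running the module prints the per-user key count and two findings for the constructed listing (the 2048-bit RSA key and the ssh-dss key). Reading the size out of the decoded blob rather than trusting the comment field matters because the comment is free text chosen by whoever uploaded the key.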

            Josh Costella added a comment -

            Any update on this @Gayatri?

            Gayatri Ramesh added a comment -

            I am one of the BBC PMs. Our engineering team is actively working on improving the project settings and project permissions model with Bitbucket. We expect the improvements to be complete this year, which should address many of the issues you describe above.

              Assignee: Unassigned
              Reporter: Yana (ybazulina)
              Votes: 50
              Watchers: 46