
Ability to allow Org Admin to schedule user session timeout via certain timeout policy

    Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Currently, there is a "reset session" action in authentication policies to reset users' sessions; however, the customer would like to have a timeout policy so that it forces user session termination in an automated way.


            Brian Hill added a comment (edited)

            Note the following adjacencies; it would be good to see some backlog grooming to harmonise these a bit more:

            1. https://jira.atlassian.com/browse/ACCESS-1740 - Ability to allow Org Admin to schedule user session timeout via certain timeout policy
            2. https://jira.atlassian.com/browse/ACCESS-1644 - API for Reset Session in Authentication Policies
            3. https://jira.atlassian.com/browse/ACCESS-1044 - Manage authentication policies via Admin API
            4. https://jira.atlassian.com/browse/ACCESS-1451 - Improvements to Idle Session Authentication Policy Options

            Session management is an important security element. Current approaches might tick an ISM compliance box using the reset-session feature described in https://support.atlassian.com/security-and-access-policies/docs/update-idle-session-duration/#Reset-sessions-for-an-authentication-policy, but there is clearly appetite for some more fine-grained approaches to session management/termination. Please consider customer obligations to meet Session Termination compliance obligations and help ensure we can meet those. Example below from https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-hardening:

            Session termination

            Implementing measures to terminate user sessions and restart workstations on a daily basis, outside of business hours and after an appropriate period of inactivity, can assist in both system maintenance activities as well as removing malicious actors that may have compromised a system but failed to gain persistence.
            Control: ISM-0853; Revision: 3; Updated: Sep-22; Applicability: All; Essential Eight: N/A
            On a daily basis, outside of business hours and after an appropriate period of inactivity, user sessions are terminated and workstations are restarted.

            Feel free to test new functions against the resources at https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/06-Testing_for_Logout_Functionality

            Relevant FEDRAMP links

            https://wayfinder.digital/FedRAMP/SC023-FedRAMP.html

            https://wayfinder.digital/FedRAMP/AC012-FedRAMP.html
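            The comment above asks for session termination that is both idle-based and scheduled (ISM-0853: daily, outside business hours). The following is an added illustration, not Atlassian code or the Guard policy engine: it evaluates a hypothetical policy (idle timeout, maximum lifetime, and a daily reset time) against in-memory sessions and reports which rule would terminate each one. Times are naive local datetimes and the session objects are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from typing import Optional, List, Dict


@dataclass
class SessionPolicy:
    idle_timeout: timedelta      # terminate after this much inactivity
    max_lifetime: timedelta      # terminate regardless of activity after this long
    daily_reset_at: time         # wall-clock time of the scheduled daily reset (outside business hours)


@dataclass
class Session:
    user: str
    created_at: datetime
    last_active_at: datetime


def last_scheduled_reset(policy: SessionPolicy, now: datetime) -> datetime:
    """Most recent scheduled reset instant at or before `now`."""
    today_reset = datetime.combine(now.date(), policy.daily_reset_at)
    return today_reset if now >= today_reset else today_reset - timedelta(days=1)


def termination_reason(session: Session, policy: SessionPolicy, now: datetime) -> Optional[str]:
    """Return the first rule that requires terminating the session, or None if it may continue."""
    if now - session.last_active_at >= policy.idle_timeout:
        return "idle"
    if now - session.created_at >= policy.max_lifetime:
        return "lifetime"
    # A session that already existed at the last scheduled reset instant is swept;
    # sessions created after that instant survive until the next scheduled reset.
    if session.created_at <= last_scheduled_reset(policy, now):
        return "scheduled"
    return None


def sweep(sessions: List[Session], policy: SessionPolicy, now: datetime) -> Dict[str, str]:
    """Map each user whose session must be terminated to the reason; survivors are omitted."""
    result = {}
    for s in sessions:
        reason = termination_reason(s, policy, now)
        if reason is not None:
            result[s.user] = reason
    return result


# Constructed sample policy: 15 min idle, 24 h lifetime, daily reset at 03:00.
POLICY = SessionPolicy(timedelta(minutes=15), timedelta(hours=24), time(3, 0))
```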

