- Type: Suggestion
- Resolution: Unresolved
- Component/s: Org Management - Cloud Admin API keys
Issue Summary
On Atlassian Administration, org admins can limit the creation of new API tokens for their managed users through authentication policy settings. However, this restriction does not extend to Bitbucket. Consequently, managed users are always permitted to create API tokens scoped to Bitbucket, regardless of the authentication policy applied to them.
Suggestion
- This makes it impossible to maintain a complete API token ban as a security posture, because org admins cannot block API token creation entirely.
- If a managed user creates an API token for Bitbucket and uses it to perform an unintended or malicious action, there is no policy control that prevents it.
The request is therefore to apply the API token restrictions configured through authentication policies to Bitbucket as well, regardless of the Bitbucket subscription tier.