We're using Stash in an Enterprise environment where we have a number of different clients accessing for different projects. At this point Stash doesn't provide a way for Admins to limit who can browse users. Right now when you mention someone or try to add them to a pull request you see a full list of users and their email addresses. This is a huge security risk and has effectively halted the our roll out of Stash until this issue can be resolved.
The ability to limit who can browse users exists in JIRA and has been invaluable for security. We would like to see this same level of security applied to Stash.