Update Oct 30 2024: **
Hi everyone,
We have been closely monitoring this ticket and would like to take a moment to address your questions and provide the rationale for closing this ticket.
When we first launched product requests last year, we decided to package this feature as part of the enterprise plan based on our data-backed analysis, which included an analysis of market standards.
Following this decision, we kept this ticket open to continue to monitor feedback from our small-to-medium customers. The feedback you provided led us to further invest in an Atlassian Guard Standard (formerly Atlassian Access) feature called automatic product discovery.
In the last year, the team worked to release ‘add admin’ functionality, making the feature more actionable. Now, an admin can take over the discovered product and determine the appropriate next steps. We have a dedicated community post outlining this process here. Automatic product discovery is not limited to the enterprise plan and any customer of any size can purchase as subscription for Atlassian Guard Standard to gain access to this feature.
We will keep this ticket closed and appreciate your understanding, as well as your time to comment and interact here.
Griffin
Update Oct 15 2024:
Hi, we are happy to share some new updates to this ticket in regards to the following issues listed:
- Ability to create new sites for Jira and Confluence
- Ability to create new Bitbucket or Trello accounts
- Ability to join sites or products external to the organization
- Ability to remove managed users from external sites
- Ability to remove access to specific products
We have solved these issues through both proactive and reactive controls for user-created instances (also referred to as sites), and an organization admin’s ability to control them.
With our Atlassian Guard (formerly Atlassian Access) feature automatic product discovery, admins are able to see what user-created instances exist within their cloud footprint, and join these instances to take over control. By doing so, they can remove certain users, products, etc. - and determine the best next steps.
With the Enterprise plan feature product requests, admins can set a policy and then either deny or approve requests for a new user-created instance. This feature is available to customers who have a Jira, Confluence, or Jira Service Management Enterprise plan - and coverage now expands to Trello and Bitbucket (Premium plan, in beta).
For further information, please refer to our latest community post: An update on product requests: bringing shadow IT controls to Trello and Bitbucket
- is duplicated by
-
ACCESS-1135 Need to control or manage; users or user group from creating products
- Closed
-
- Closed
-
- Closed
-
- Closed
- is related to
-
- Closed
-
MOVE-109089 Loading...
-
-
-
- relates to
-
- Closed
-
- Closed
-
-
- mentioned in
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
[CLOUD-10325] Allow non-Enterprise administrators to control managed users' associated sites and products
The correct way to vote for this issue is to click "Vote for this issue" in the "People" panel (top right). Please do not write "+1" comments – they produce unnecessary notifications for people watching this issue. Atlassian do not use comment count as a measure of popularity.
Atlassian Team,
Please provide urls and ways, when regular users allowed to create new discovered products. We will try at least block those ULRs by vpn or other tools.
Why you can't disable this feature till providing smart solution for managing it by Org admins? and at least notify about some pilot and ask customers, who need this feature prior pushing it to anyone.
We need to have this feature because it’s not reasonable for users to be able to do this. Please allow administrators to control managed users’ associated sites and products, or give us the option to block this option to our users as admins.
This needs to be fixed as soon as possible.
This is not an Enterprise feature, but core functionality found in every well-built, secure system i.e., a non-administrator must not be allowed to complete an administrator level task.
As a non-Enterprise customer, you are presented with the "Product request settings" option in the console, but it is disabled. The text linked under 'Product permission' reads:
"You need a Jira Enterprise subscription to be able to review requests for this product."
The text linked under 'Product permission' should read:
"Since you didn't pay for an Enterprise license that you obviously don't need, we decided to disable a core admin and security feature of the product. In addition, we have chosen to frustrate your administrators by showing a feature they can't use, having an open issue where we will openly ignore input and justify the lack of security in the interest of perceived possible future revenue, and finally waste their time by forcing them to manually check and delete unauthorized products creation done by any user in the organization."
But I guess there is not enough room in the module window, so they went with the shorter text.
As Org admins we should be able to manage what users are allowed to do on our tenant. please add this functions asap
I just recieved a potential ray of hope 
.
It was suggested that we could create a firewall rule in our corporate network/VPN to restrict network access to the following addresses:
so users could not create Atlassian organizations themselves and could not open the pages that allow them to start their own site subscriptions.
Please note that such network rule will not block you from adding additional products/sites to your current organization, but will be a blocker should you legitimately require to create another cloud site for your company in a separate Atlassian organization.
Atlassian Support should be able to easily track the amount of time it's own team and it's customers are wasting in this matter. This is terrible of Atlassian to waste so much of it team's and customer's time.
0b89c650c7a1 I keep hearing that they have no idea how they did it...they never remember. The fact that this doesn't require site/org admin approval is mind boggling, until you learn that it's yet another 'incentive' for us to upgrade past the paywall where all of the good (needed) features are.
And when I tested on mobile when I had previously logged into Jira (so Atlassian "knew who I was"), the path to (accidentally) signing up for a new site was even easier. 
Hey 0b89c650c7a1 - after talking to my users, I believe that it's Atlassian's public-facing pages for the Jira and Confluence that unfortunately make it very easy to do this. I've taken some screenshots of the flow that I believe is leading to this problem: https://shorl.com/homegribrusypry
Can anyone tell me the steps that users are taking to create these products? I am trying to reproduce this myself, but am unable. Something has definitely changed as this was not a problem until the end of last year.
We should just not pay the extra costs when an accidental site with products is created and make it their problem and not ours.
Since recently, we have had 5 users who coincidentally signed up for their own Atlassian site and product. In one case, even for a Premium subscription, with cost attached. We are using the Atlassian products for years and till now this never happened, so apparently something has changed.
This is highly cumbersome for us: we have Atlassian Guard to find these products, but ending them is a hassle: unsubscribing, waiting for weeks and then removing the organizations.
We want Atlassian to prevent this. We know that it is a feature of the Enterprise subscription, but we feel it is unfair to try and sell an expensive subscription by dragging us into cost and and overhead this way.
I have over 2 years of emails and meetings going back and forth with Atlassian on this issue. I even worked with their Shadow IT team while they were building the solution to block these from being created...
However, to date, it's only a feature for customers on their Enterprise plans.
I have confirmation provided to me today, Friday June 21st 2024, that Atlassian has no plans to extend the feature to non - Enterprise customers.
Here is their email:
I truly appreciate your patience as we delved deeper into this matter internally. I reached out to [*Name removed because I care about privacy and data security; unlike Atlassian*], the Shadow IT product manager you previously engaged with, and he has confirmed that, unfortunately, we will not be including the shadow IT controls that enable you to block product creation, specifically "Product Requests," in any edition other than enterprise at this time. It's important to recognize that this challenge is not unique to our tool but rather a common occurrence in the software industry, reflecting the growth mindset that all SaaS providers strive to foster.
Edit
I noticed that the person's name I removed is on this ticket
Lets make this clear. This is being allowed because it creates addition revenue streams for Atlassian.
1) those instances of Jira, JSM, Confluence and now JPD eventual can cost money
2) Some companies will be forced into paying the outrageous enterprise prices to secure their data. Certainly, that will be a false hope though.
"If you have the improved billing experience, you have to wait an additional 60 days after the products are deactivated to delete the organization."
Seriously Atlassian? Is this a joke!??
Hey everyone! So here's a fun story. Four mistakenly instances that I cancelled on 4/11/24 could still not have their orgs deleted. Support says it was because they were still under the grace period which ... makes no sense if the grace period is 14 days.
Since 4/11/2024, seven more instances were created by mistake. Now this was probably accelerated because we migrated to Cloud on 5/20/2024 and users probably got confused in the login process and BECAUSE ATLASSIAN'S SALES FUNNEL IS SO GOOD, they ended up creating new instances.
So on 6/6/2024 (a week ago) I opened a ticket to request deletion of all of these instances so that I could delete the orgs.
A week later Support gets back to me, and they've scheduled deletion for the 7 new instances (6/24/2024) and the ones from April can FINALLY have their orgs deleted.
Here's the kicker: in the 7 days since I filed the ticket, TWO MORE instances were created.
AND WAIT, it gets better. One of the ones that got created: IT HAS THE SAME NAME AS ONE I JUST DELETED:
companyname-team
Because again, ATLASSIAN'S SALES FUNNEL auto-fills in a name for your new instance and to a user, companyname-team totally makes sense for the name of a Confluence or Jira site. They don't know they're creating a new one. They're just trying to login.
THANKS ATLASSIAN.
oh, here it goes again... one more random user has created an org...
We keep fighting windmills that Atlassian carefully placed,
Navigating complexities, our persistence embraced.
We keep fighting windmills that Atlassian carefully placed,
Crafting pathways to success, no effort should ever be wasted.
We keep fighting windmills that Atlassian carefully placed,
With breached security, our trust is mispaced.
So many customers asked Atlassian!! And you just don't answer or give any hint on this. It's unbelievable. Please write at least a document where you show us what we can do when it happens again.
We have a serious Security Problem without ability to decline users for creating news sites. Very weird feature, where Org Admin of Premium Plan can't remove those sites. I've tried anything: unsubscribe, archive those sites. But it stay alive and working!
Stupid situation!!!Unable to render embedded object: File ( Very very BAD) not found. Users continue to create new sites without option to stop it.
ATLASSIAN SUPPORT USELESS in this situation. They also can't figure out those cases.
At least should be option to delete those sites by Org Admin/Billing Admin by support request, ability to manage who from admins can create those sites AND ABILITY to disable this feature at all as harmful on business request.
Please take Priority for this issue!!!
It takes me to catch an email notification that this happened. Email our PMO and Jira Engineer telling them to check. They send an email to the people who created new environments. They ALWAYS responds that they did it BY ACCIDENT. Jira Engineer then has to go into Atlassian, find each environment and delete them. RESTRICT NEW ENVIRONMENTS TO ADMINS ONLY BY DOMAIN. DOI!
blatant disregard for the security.
I have to delete these sites at least once per month!
FIX IT ASAP
These features should be obvious as admin tools due to security and compliance reasons.
I urge Atlassion to prioritize and plan a release.
This is a pain. Users can apparently create new organizations or sites by accident, and they are slow to be removed, even if they are empty instances.
I get the safeguard to prevent accidental deletion of data, but it should not take this long. Nor should it be this easy to create a new site, for non-administrators.
And it's still on "Gathering Interest", maybe we should buy Enterprise versions of Jira / JSM / Confluence to manage those "new" organizations. Problem will be solved 
I have four sites now outside of my control. How the f*** do I now get rid of them? Thanks Atlassian for creating additional work for me.
The removal of these orgs, which should have not been created in the first place, is also 'so' difficult to do and takes very long.
This needs to be fixed ASAP.
A low-level user just accidentally created a new Premium product on our tenancy incurring additional costs to the business, yet we can't disable this feature. How is this even possible Atlassian!? Massive design flaw. Please fix ASAP.
The removal of these newly created organizations is also a slow and laborious process, adding yet more cost to our business
Some of our users are creating accidentially a new site. This is confusing for our users and makes the overview unclear for our admins.
- Ability to create new sites for Jira, Confluence, JSD
This option would be really valuable for the Premium version too.
Pasted from JST-989758 Sorry @Shubham, CLOUD-10325 isn’t currently sufficient in my view. IF you were about to address it AND MP-194 then I wouldn’t suggest further changes to this, but given this seems unlikely I think you need to more directly address the design flaws in the current process, (the notifications admins get when receiving requests for apps such as Jira Product Discovery and Compass) DOESN’T have a Reject Request option and needs one B. there’s no justification for differing the ability to reject unwanted addons between tiers in my view (“I don’t object to you offering some more advanced functionality to Premium and Enterprise customers but in cases like this where the things that you’re giving us inferior control over are in my opinion design bugs from Atlassian I strongly suggest you reconsider.”)
ID-7697 appears to be another version of this issue/request dated from 2021 and owned by an inactive Atlassian user.
This one was created in 2017. No work logged.
Agreeing with all the other people here. This has to be available for all license types. Not every coworker is allowed to do contracts on behalf of the company and the possibility of spoofing the corporate identity is a serious security threat. Having this as an enterprise only feature is like threatening customers to purposefully compromise their security. Simply unacceptable.
As administrators, we require this control for our Jira and Confluence Premium license tiers. It is very disappointing such a basic control requires an enterprise license at substantially more cost.
We spend too much time creating accesses and then have to contact users to correct what they've done!
I cannot believe we're still begging for this. It should be a baseline feature.
these features should be default to all tiers.
users should not be able to freely do actions that could end up as unexpected bill to the company!
@Pablo thank you for sharing! This is really useful for dealing with discovered products that users have spun up and finally gives us an easy way to do something about it rather than guiding the user that created the product!
I would still rather the preventative measures that are configurable on Enterprise plans so that we didn't need to do this action after a user has signed up to another product using their managed account.
Ideally the ability to Prevent users from signing up for products will be made available to all Atlassian Access users. Not just Enterprise.
Last week this document was published and it helped me to take control of the products created outside the organization and (most likely) delete them:
Although I haven't tried to delete yet, but I'm org admin of those products.
Company users should have the right to use their corporate accounts to make use of free plans on other Atlassian products, without being considered billable managed accounts. It makes no sense to be asked to upgrade the license of Servicedesk to a higher tier for Trello licenses that are supposed to be free.
Please fix this!
This is the #1 annoyance I have with Atlassian. Please allow premium subscriptions to disable this for users!!! Each time I get notified I contact the user, and they are confused about what they did.
This functionality is VERY NEEDED for Jira Premium. When can you get this done.
@Derrick James, yeah the documentation for this blows, just like everything else for Atlassian.
you need to create a new authentication policy for none IDP managed and non-SSO users if you have not already and then change the authentication policy of these other users to use that.
hope that helps you out. i had to do this for 2k + users.
We are being billed for 75 Atlassian Access users, when we only have 12 JSM users.
I'm told it's because some employees (that haven't been with the company for years) signed up for a Trello free trial or have access to another company's cloud products.
I came here from the other closed ticket which provided no solution. It seems it is "as designed" to not help administrators being able to stop users to increase the bills. Very sad indeed.
I can't imagine that the income gained from these instances is really all that much, and while I acknowledge I have no idea what's going on under the hood, I have to believe this isn't SO much work to implement...so what IS the rationale here?
I get not investing in things like "bulk updating" or "group renaming" to make Jira easier to manage at a day-to-day level...I mean, if Atlassian didn't give us mountains of endless, pointless, and repetitive busywork just to get basic activities accomplished, what would we do all day? However this problem is (as so many others have pointed out) a security risk thing. We spend countless hours and dollars securing and maintaining our corporate instance specifically so Bob in accounting can't accidentally leak PII.
Now I know that Atlassian thinks we're all just vendor-locked at this point and that moving to another tool would be even more painful than putting up with all the garbage they feed us. And you'd be right about that. Today. But it'll be interesting to see what happens when a viable option appears.
'Enhance data security & governance for your Atlassian Cloud products with Atlassian Access' there is even a graphic showing Trello and Bitbucket as a products that will benefit from this enhanced security and governance.... This is marketed to everyone, not just Enterprise customers.
Want to stop 2000 of your managed users from signing up to Trello and increasing your Atlassian Access bill? Tough luck you need to pay for Enterprise.
ACCESS-1468 had votes from ALL ATLASSIAN ACCESS customers who need better control over managed accounts access to products, NOT JUST ENTERPRISE customers.
I don't think Atlassian are so ignorant that they don't already know that this is the case. So personally, I find that the decision to paywall this as an Enterprise only feature, insulting. And something that goes directly against Atlassian core values of 'Don't #@!% the customer'. Also, everyone was pretty excited to see this functionality being worked on and improving so restricting to Enterprise at the last minute doesn't really align with 'Open company, no bullshit'.
If the functionality exists for Enterprise customers now there should be no major technical limitations to enabling this to the rest of the Atlassian Access customers that were marketed a better experience for managing managed users and aren't getting it.
LOVE how Atlassian hides the add vote and watch options under more. such a scummy design.
Lacking this functionality is an extreme oversight for such a large cloud provider who organizes things at an "Organization" level. If there is an organization with a managed domain...only people with that organization's admin role should be permitted to create products. Seems simple and logical. Step it up @Atlassian!
@Lacey Elliott That's because you CAN'T... The entire reason for this thread... Atlassian keeps pushing that functionality out... I was promised this almost 2 years ago. Still nothing. And their current road map they label as "Shadow IT" STILL will not directly address this issue.
No one at Atlassian understand the security risk or concerns... or cares.
Still trying to figure out how to delete the free site one of our employees created...which should have never been allowed.
+1
We just found one of our users created his own free site that we have no control over using our verified domain and started inviting external users... Why isn't this feature already in place?
Welcome to the issue, @Griffin Jones!
Any updates on when non-Enterprise users might be able to expect this functionality?
Thanks,
This is a very basic requirement for any enterprise. I control domain x.com but then you allow someone with an email with that domain to create a free account and put data into it that I don't have any control over. I need control over all aspects of the account using may domain name. You should be willing to do that because by blocking the free accounts I will be buy more paid licenses.
What the Atlassian Access rep in Teams 23 said to me last week is that an admin approval mechanism will be implemented so when someone from a claimed domain sets up a new instance, it goes to org-admin approval, and as the previous comments, it's coming in the next "few months".
Still, seeing is believing.
I'm being told my Atlassian Team that this functionality is coming this spring/summer...
As an enterprise tool this needs to be available. It's a big security risk
This is another big fail with Atlassian when are they going to stop billing organizations for their misplanning of application deployment this goes along with with the TRELLO free debacle
It's a security risk. They should be required to contact the org admins, or at least the site admins.
Remember to also vote here https://jira.atlassian.com/browse/CLOUD-11072 as it's "In Progress"
When will Atlassian stop charging organizations a fee for their mistakes? It might be time to leave Jira behind
as a global business we want to make sure that our studios don't create their own instances to work seperatly without following the main studio guidance and rules!
Five years!
I think we need a party to celebrate this birthday.
Without proper controls in place, we cannot control the sprawl of new instances. This feature is a requirement for our company to move to Atlassian Cloud. Please prioritize appropriately. Thank you.
As an enterprise customer, having this control is critical to our ongoing governance of these environments. Please make this feature a priority otherwise we will need to reconsider our use moving forward.
It's also a very big security and compliance issue... Not sure why Atlassian can't ever seem to get it together.
This is an incredibly important part of managing our corporate work streams and security. This needs to be addressed.
I 100% agree.
Once a company instance is licensed for any set of cloud products, deciding whether or not to create a new domain user MUST be done by the domain admin of the company's instance. Otherwise, "trial accounts" created willy-nilly by any user – and then most often abandoned – become a management nuisance (at the least) or an a ridiculous extra expense to the company. That's not "team work". That's anarchy.
Dear Atlassian - Please give your customers the control they need over account creation within the systems they manage! It's CRAZY that this has been an issue for more than FOUR YEARS!!!
Under verified domain, we should not allow to create new instance by users.
As an enterprise customer, we would like the ability to restrict the creation of new instances for a claimed domain. We have had over 20 instances created by random people signing up. Many times these instances are abandoned or the work belongs in an existing instance.
@992b0dfccfdd
Makes no difference.. Griffin has already made it clear this will NEVER see the light of day. They want you to purchase enterprise.. period.