Explore Atlassian admin roles
20 min
By the end of this lesson, you'll be able to:
- Differentiate the org admin, site admin, user access admin, app admin, and user roles
- Describe how to grant and revoke different roles
Explore the org admin role
The org admin has a crucial role in managing various aspects of the organization. They can manage the organization and all its sites. Users can hold the org admin role for multiple organizations.
Org admins can:
- Grant the org admin, site admin, and user admin roles, then delegate some of their tasks to other admins.
- Manage users and groups within the organization.
- Grant user roles and permissions to all sites within their organization.
- Manage app subscriptions and billing details across all sites in an organization.
- Verify or remove domains within the user access settings for your organization. They can choose to approve certain domains for access upon request or wait for their approval.
- Implement and maintain security measures to protect sensitive data, such as configuring authentication policies.
- Monitor activity by accessing analytics on users and security practices or by viewing the audit log to track activities across the organization and its various sites.
Org admins and user access admins can easily identify an org admin by the gray label next to their name on the Users page under Directory in the admin hub, and in the list of users in the org-admins group.
Grant and revoke the org admin role
The user that creates a new organization automatically becomes the org admin. Org admins can then grant the org admin role to other users.
When you grant a user the org admin role, they automatically have access to all apps within the organization. Org admins have the user and app admin roles for all Atlassian apps.
👇 Click the tabs below to explore the different methods used to grant and revoke the org admin role.
An org admin can assign the org admin role to another user from their user page, in the user directory. Users with the org admin role are automatically added to the special group org-admins.
Org admins can unassign the org admin role from the user page.
You can’t delete the org-admins group. You also can’t use it as a default groups for apps.
Explore the site admin role
Site admins have the ability to perform tasks specific to the site they are administering. Org admins can choose to assign a site admin to delegate some of the administrative tasks.
👇 Click the boxes below to learn about the tasks site admins can perform.
Grant and revoke the site admin role
The org admin is the only role that can grant the site admin role to users or revoke it from them.
To grant the site admin role to a user:
- From the sidebar, expand Directory then select Users.
- Select a user from the list.
- Select More actions (represented by •••), then select Modify site admin role.
- From Role dropdown, check the Site Admin role.
- Click Grant.
👉 For example: Kevin is an org admin for the ACME organization and, he has decided to delegate the administration of the acme-uk site to Jennifer.
👇 Here’s how Jennifer's user page will look in the admin hub after being granted the site admin role for acme.
There isn't a group associated with the site admin role. When you assign the site admin role to a user, they are not automatically added to any groups.
Org admins can revoke the site admin role from users in two ways, both using the Users page under the Directory section of the admin hub. You can revoke the site admin role by selecting the More actions (represented by ···) then Modify site admin role or by selecting the Site admin tab then clicking Revoke next to the site name.
Explore the user access admin role
A user access admin mainly manages user and group access to the Atlassian app they administer. This makes it easy for org admins to delegate app access management for users from the admin hub on a per-app basis.
User access admins can:
- View all users and groups in the organization.
- Invite users to the apps they administer.
- Grant access to existing users to the Atlassian apps they administer.
- Add or remove users from groups that grant access to apps they administer.
- Suspend access to users that only have access to apps they administer.
- Remove users that only have access to apps they administer.
The user access admins can't manage groups that give access to apps they don't administer.
👉 For example: ACME is an organization containing Acme UK and Acme US sites. In order to delegate some of the administrative tasks around the organization, the org admin grants Hasan the user access admin role for Confluence on Acme UK site, and Claudia the user access admin role for Jira on Acme US site. Hasan and Claudia can now grant and revoke access to users and groups for their respective apps, but not each other's respective apps.
The user access admin role is only available if you have centralized user management.
User access admins won’t count as billable users for the app they administer, unless you grant them an additional role that gives access to that app.
👉 For example: ACME is an organization containing Acme UK and Acme US sites. Hasan is granted the user access admin role for Confluence on the Acme UK site. Hasan can now do all the tasks of the user access admin but unless they are granted any further roles they do not have app access to Confluence and don’t count as a billable user.
Grant and revoke the user access admin role
When an organization is created and Atlassian apps are added, there are default user access admin groups that get created for each app. When a user is a member of a default user access admin group, they automatically become user admins for the associated app.
👉 For example: ACME is an organization having one site called Acme UK. Acme UK site has Jira and Confluence apps. As a result, Atlassian automatically created two user access admin groups:
- confluence-user-access-admins-acme-uk: Members of this group are user admins for Confluence on Acme UK.
- Jira-user-access-admins-acme-uk: Members of this group are user admins for Jira on Acme UK.
Atlassian creates the user access admin groups by default. Org admins can change or delete the default user access admin groups with a custom group.
👇 Click the boxes below to explore how to grant and revoke the user access admin role.
Explore app admin roles
App admins have access to app-level settings in the apps they were granted the app admin role for. They also have access to the content of the app they administer, with the exception of Jira admins. They don't have access to the admin hub.
The tasks that app admins can do depends on their app.
👇Click the tabs below to explore two examples
A Jira app admin can:
- Create company-managed spaces.
- Create workflows.
- Manage mail settings.
- Advanced settings such as creating webhooks.
- Grant Jira space admin permissions.
A Jira app admin can't:
- Access the admin hub.
- Manage users and groups.
- Grant access to Jira.
Since Confluence app admins can also collaborate on pages, they count towards your app bill. However, Jira app admins don’t have the ability to update work items, and therefore, are not billable.
Grant and revoke the app admin role
Granting the app admin role automatically adds the user to the default group for that role. Adding apps to an organization automatically creates groups per app for each site containing users, admins, user admins and other types of users specific to each app. Each of these groups will have default permissions and access rights. You should verify memberships provide the expected access first before granting them to any group, or as an org admin you can change them.
👉 For example: For Jira, the default app admin group is called jira-admins-<site-name>, and for Confluence, the default app admin group is called confluence-admins-<site-admin>.
👇Click the tabs below to explore two examples of how to grant and revoke app admin roles.
There are several methods to grant and revoke the app admin role for Jira.
To grant the Jira admin role:
- On the user page in the user directory, click Grant access then select the App admin role for the Jira Administration app, and click Grant access to confirm.
- On the user page, add the user to a group with access to Jira administration app. By default, it should be jira-admins-<site name> group.
- On the groups page, add the user to a group with Jira app admin access from the group page. By default, it should be jira-admins-<site name> group.
To revoke the Jira admin role:
- On the user page in the user directory, next to the Jira Administration app, unselect the App admin role from the Roles dropdown in the App access tab.
- On the user page, remove the user from groups with Jira app admin access. By default, it should be jira-admins-<site name> group.
- On the group page for the groups with access to Jira administration app, remove the user membership. By default, the group should be jira-admins-<site name>.
Explore user roles
There are different user roles across Atlassian apps. The main role is the user role in Atlassian Cloud, which refers to the level of access granted to individuals within an organization who need to log in to the apps and use their features. The user role translates differently for each app in terms of what the user can do. Users with this role count towards the app license.
👉 For example: Individuals with the user role in Jira can create, edit, comment on, and delete work items. They can also use boards to update work items, create dashboards, and add gadgets given they have the relevant permissions.
Individuals granted the user role are the same as those added to the default group for that role. By default, the group is called <app>-users-<sitename>.
👇Click the boxes below to learn about other user roles.
An org admin can put certain measures in place to enforce security for external users. Users with guest, stakeholder, or customer roles are referred to as external users as they often are not part of the company or are from a different department. Org admins should make sure they have control over what data these users can access, for that reason.
- Two-step verification: Force external users to verify their identity when they try to access the organization’s app data.
- Single sign-on: Authenticate external users through your company's identity provider when they log in to Atlassian Cloud apps.
- Periodic re-verification: Set how often external users need to verify their identity.
- Reviewing external users before changing security settings: Export external users in a CSV to review their details.
- API token access: Control API token access to apps in the organization.
External user security features require an Atlassian Guard subscription.
Grant and revoke user roles
There are three ways to grant most user roles:
- Assign the relevant role to the app from the user page in the user directory.
- Add the user as a member of a group:
- For users, the default is <app>-users-<sitename>
- For guests, the default is confluence-guests-<sitename>
- For customers, the default is jira-servicemanagement-customers-<sitename>
- For stakeholders, the default is jira-servicemanagement-stakeholders-<sitename>
- Invite the user to the app from the admin hub and select the relevant role in the Invite page.
For the customer role in Jira Service Management, users can also sign up from the help center or send an email request, if enabled.
You can remove all the user roles in the same two ways:
- Revoke the role from the user page: Unselect the role from the App access section in the user page in the user directory.
- Revoke the role from the group page: Remove the user from all the groups providing access to the role.