Control access to your private content

The options on the Access control page are Premium features for Bitbucket Cloud, but they're available for free to all users for a limited time:

  • Require users to enable two-step verification (the two-step verification setting remains a Standard feature available to all users)
  • Restrict access to users on certain IP addresses

In the near future you'll be able to upgrade to a premium plan and continue to use these features. If you don't upgrade at that time, we'll disable these settings, allowing other users to access your private content without two-step verification and from any IP address.

Learn more about Bitbucket Premium.

When administering repositories or other content, you give users permission to see, update, and administer that content. The Access controls page gives you another level of control, making sure users meet requirements to access those pages.

You can control access for private content related to your individual account or your team:

This page

  • For your individual account
    These settings apply to users with access to any private content in your personal repositories. To find the Access controls page, click Bitbucket settings from your avatar in the top-right.
  • For your team
    These settings apply to users with admin access to your team and access to any of your team's private content. To find the Access controls page, select your team from the Teams drop-down and click Manage team.

Here's a breakdown of the content that your users with access won't be able to see if you use any of the Access controls settings.

Bitbucket content Public or private? Two-step verification or whitelisted IPs required?
Repositories Public No
Private Yes

Wikis / Issue trackers*

Public (in a public or private repository)

No

Private (in a public or private repository) Yes
Team snippets Public

No

Private Yes
Team admin pages Yes

* Wikis and issue trackers can be public/private independently of their parent repository's privacy setting.

Setting more than one access control

When you require two-step verification, your users can't use basic authorization with HTTPS. When you whitelist IP addresses, your users can't access repositories over SSH.

As a result, if you select both options, you and your users must use app passwords to access private repositories, wikis, and snippets.

Requiring two-step verification

You can require that the users with access to private content are only able to see the content if they've enabled two-step verification. If they haven't enabled two-step verification, users with access will see a message that prompts them to enable it. In addition to being unable to see this content, users won't be able to clone, push, or pull a private repository either.

If you require two-step verification, your users will need to set up SSH. Refer to setting more than one access control for more information.

To require two-step verification for access to private content:

  1. From the Access controls page, select the Require two-step verification option.
  2. Click Update to save your changes.

If you want to disable two-step verification on your account, you must deselect the Require two-step verification option first.

Whitelisting IP addresses

You can require that users with access to private content are only able to see the content from certain IP addresses. If they aren't accessing from a whitelisted IP addresses, users will see a message explaining why they have no access. In addition to being unable to see this content, users won't be able to clone, push, or pull a private repository either.

If you whitelist IP addresses, your users will no longer be able to use SSH to access your private repositories, wikis, and snippets. They'll need to use HTTPS instead. Refer to setting more than one access control for more information.

You can whitelist IP addresses or network blocks for a set of IP addresses. If whitelisting an individual IP address, we support IPv4 and IPv6. If you're entering a network block, we support CIDR notation, which is a standard for specifying a block of IP addresses. Refer to this CIDR notation section on Wikipedia for more details about how to use CIDR notation.

Here's some examples of values that you can add:

Type Examples
IPv4 104.192.143.0
IPv6

1041:9214:3AB0::1041:9CD2

CIDR block 104.192.143.0/28
104.192.143.16/29
104.192.143.24/32

To whitelist IP addresses for access to private content:

  1. From the Access controls page, select the Restrict access to certain IP addresses option.
  2. Click Add or remove IP addresses. A popup opens.
  3. Enter an IP address or a network block for a set of IP addresses.
  4.  Click Save to close the Add or remove IP addresses popup.
  5.  Click Update to save your changes.

 

Was this helpful?

Thanks for your feedback!

Why was this unhelpful?

Have a question about this article?

See questions about this article

Powered by Confluence and Scroll Viewport