• Products
  • Documentation
  • Resources
Products
Documentation
Resources
Atlassian Support
/
User management Resources
/
Manage role and product permissions

Control how users get access to products

You must be an organization admin to change or update these user access settings.

This page covers the settings that control how users get access to products in your organization.

Users with product access also have organization access. Each user that joins your organization takes up a license seat for each of the products they have access to. If you go over the number of users in your plan, we'll let you know by email.

Product, User access settings, Approved domains

Approved domains

Approve your company’s domains to help your users access your products quickly.

You might use this to:

  1. Approve your company domain so onboarding is easier for your employees.

  2. Approve client domains so they can always get access.

To add an approved domain:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products > User access settings > Approved domains.

  3. Select Add domain and enter the URL for the domain you want to approve.

  4. For each product, select a product role and indicate if admin approval is required.

    1. Product role column:

      1. None: Assigns no product role, which means users with the approved domain won’t be able to access that product.

      2. User: Assigns the user role, which allows users to access the product when they are logged in to an account with the approved domain.

      3. Customer: Assigns the customer role to users who access your Jira Service Management help center. They need to be logged in to an account with the approved domain. Learn more about Jira Service Management customer accounts

    2. Admin approval column:

      1. Check Required: Organization admins need to approve access requests from users with the approved domain. Learn more about access requests

      2. Uncheck Required: Users with the approved domain can join your product without approval.

  5. Select how to Notify org admins:

    1. When users get access: Organization admins get an email every time a new user joins.

    2. Only when users need admin approval: Organization admins only get an email when someone requests access to a product.Users on approved domains:

Users with approved domains:

  • Must create an Atlassian account before logging in to your products.

  • Can view your products from specific Join Product locations, such as start.atlassian.com

  • Can join your selected products with or without an invitation.

  • Must verify their account every 6 months.

Customers on approved domains (Jira Service Management only):

  • Must create an Atlassian account before accessing your help center.

  • Can join your selected help center with or without an invitation.

  • Must verify their account every 6 months.

Configure how users with non-public domains access your products

The Any domains feature allows you to decide how users with non-public email domains access your products. A non-public (or private) email domain is hosted by a private server and is more secure than a public email domain. Examples of public email domains are outlook.com, icloud.com, or gmail.com.

Email domains from private companies are considered to be private domains. Examples of private domains are sony.com, atlassian.com, or samsung.com.

You might use this feature to:

  • Make it easier for users with a private email domain to request access to your product.

  • Automatically allow users with a private email domain to join your product. This is also known as an ‘open site’ or ‘open product’.

By default, we configure any domains to allow any user with a private domain to request access to your product (and any new products you add). An organization admin needs to approve these requests first. You can make changes to these default settings at any time.

To manage how users with private email domains access your products:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products > User access settings > Approved domains.

  3. Select Any domain.

  4. For each product, select a product role and indicate if admin approval is required.

    1. Product role column:

      1. None: This means people won’t be able to access your product.

      2. User: Allows users to access your selected product when they are logged in to an account with a private domain.

      3. Customer: Assigns the customer role to users who access your Jira Service Management help center. They need to be logged in to an account with a private domain. Learn more about Jira Service Management customer accounts

    2. Admin approval column:

      1. Check Required: Organization admins need to approve every request for access from users with private domains before they can join. Learn more about access requests

      2. Uncheck Required: Users with private domains can freely join your product without any approval from an organization admin. Unchecking this option creates an ‘open site/product’ and users won’t be able to use Atlassian teams.

  5. Select how to Notify org admins:

    1. When users get access: Organization admins get an email every time a new user joins.

    2. Only when users need admin approval: Organization admins only get an email when someone requests access to a product.

Users with private domains:

  • Must create an Atlassian account before logging in to your products.

  • Can view your products from specific Join Product locations, such as start.atlassian.com.

  • Can join your selected products with or without an invitation.

  • Must verify their account every 6 months.

Customers with private domains (Jira Service Management only):

  • Must create an Atlassian account before accessing your help center.

  • Can join your selected help center with or without an invitation.

  • Must verify their account every 6 months.

User invites

Control how existing users in your organization invite new people to your products. Learn how product access works

To enable user invites:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products > User access settings.

  3. Select User invites.

  4. Select an option from the Existing user permissions column next to your selected product.

To restrict user invites:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products > User access settings.

  3. Select User invites.

  4. Select the option Don’t allow invites from the Existing user permissions column next to your selected product.

This prevents people who are users or product admins from inviting people through the product. It won’t prevent organization admins and user access admins from doing this. The Invite people feature will still be visible in the product.

Customize the message people see if they can’t invite

You can customize the ‘not allowed’ message that users see when they try to invite other users, but don’t have the right permissions.

To customize the ‘not allowed’ message:

  1. From the Customise user invites not allowed message section, enter the message you want your users to see when they try to invite.

  2. Select Save message to confirm.

Screenshot of customize user not allowed message

Users see this message if they try to invite people through your product.

You should also check your Approved domains settings to restrict product access.

To restrict product access from approved domains:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products > User access settings.

  3. Select Approved domains.

  4. Select a domain to edit.

  5. Select the None product role next to the product you want to restrict access to.

  6. Select Save to confirm.

  7. Repeat steps 4-6 for each of your approved domains.

Existing user permissions

Here’s an explanation of each user permission setting and when you may want to use it:

Existing user permission

How it works

Invite anyone

This is the most open invite permission. It allows your existing users to freely invite anyone to your product with any email domain. An organization admin doesn’t need to approve this.

Anyone can request access to your product. An organization admin needs to approve the request.

When to use it

This option is best when you trust your existing users to invite and collaborate only with the people they need to.

Invite approved domains

Existing users can invite anyone with an email domain you have approved (see Approved domains above). An organization admin doesn’t need to approve this.

Anyone can still request access to your product, regardless of their domain. An organization admin needs to approve the request.

When to use it

This option is best when you trust existing users to add and collaborate with people from specific domains you’ve approved, as needed.

Require admin approval

Existing users can’t invite anyone to your product, regardless of your approved domain settings.

Anyone can still request access to your product for themselves or on behalf of someone else. An organization admin needs to approve the request.

When to use it

This option is best if you want to maintain control over who has access to products, but your company doesn’t have an official process in place for people to ask for access.

Don’t allow invites

This is the most restricted permission setting for invites available. Users can’t invite anyone or request access to your product. Organization admins and user access admins can still invite users.

To further restrict product access, remove your approved domains.

When to use it

This option is best if you want to maintain strict control over who has access to products, and your company has an internal request/provisioning process you need people to follow (for example an ITSM solution or helpdesk).

Anyone can use invitation links to get access to your organization and start using a specific product. This is useful if you:

  • Want to get your team onboarded quickly.

  • Work with contractors or clients who need fast access.

Once you have shared an invitation link, anyone can use it to join your selected product. For this reason, you should only share links with people you trust. As an added security measure, links automatically expire after 30 days. To render old links invalid before the 30 day expiry period, you can turn off invitation links at any time or regenerate a new link.

To send an invitation link to someone:

  1. Go to admin.atlassian.com. Select your organization if you have more than one.

  2. Select Products from the header.

  3. From the left side of the page, select User access settings > Invitation links.

  4. Select the toggle for the product you want to create an invitation link for. The link will appear below the toggle. Users with the link will land in the product selected.

  5. Copy the invitation link and share it with users you want to give product access to.

Users who join via invitation links are added to the default access groups for that product.

Learn about default groups and permissions

 

Additional Help

On this pageApproved domainsConfigure how users with non-public domains access your productsUser invitesExisting user permissionsInvitation links
CommunityQuestions, discussions, and articles