Atlassian Cloud

Configuring the Atlassian Cloud integration for Veza Lifecycle Management.

Overview

The Veza integration for Atlassian Cloud enables automated user lifecycle management, with support for user provisioning and deprovisioning, group membership management, and attribute synchronization across Atlassian Cloud Admin, Jira Cloud, Confluence Cloud, and Bitbucket Cloud.

| Action Type | Description | Supported |
| --- | --- | --- |
| SYNC_IDENTITIES | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | |
| MANAGE_RELATIONSHIPS | Controls entitlements such as group memberships and role assignments for identities | |
| DEPROVISION_IDENTITY | Safely removes or disables access for identities | |
| DELETE_IDENTITY | Permanently deletes the user account and associated data | |

This document includes steps to enable the Atlassian Cloud integration for use in Lifecycle Management, along with supported actions and notes. See Supported Actions for more details.

Enabling Lifecycle Management for Atlassian Cloud

Prerequisites

Before enabling Lifecycle Management for Atlassian Cloud, ensure you have the necessary access and configuration in place. You'll need administrative access in both Veza and Atlassian Cloud to complete the setup process.

Veza Requirements:

  • Administrative access to configure integrations

  • An existing Atlassian Cloud integration that has completed at least one successful extraction

Atlassian Cloud Requirements:

  • Administrative access to manage API keys and SCIM configuration

  • An active SCIM directory configured in your Atlassian Cloud organization

  • Proper API permissions for both SCIM and Atlassian Cloud Admin APIs

Required Configuration Parameters

The following parameters are required to enable lifecycle management operations:

| Parameter | Description | Purpose |
| --- | --- | --- |
| SCIM URL (scim_url) | The SCIM endpoint URL for your Atlassian organization | User provisioning and deprovisioning |
| SCIM Token (scim_token) | Authentication token for SCIM API access | Authenticates user lifecycle operations |
| Admin API Key (admin_api_key) | API key for Atlassian Cloud Admin API | Group management and ID mapping |
| SCIM Organization ID (scim_organization_id) | Your organization's SCIM identifier | Coordinates operations across APIs |

The integration automatically extracts the directory ID from your SCIM URL and uses it alongside the organization ID to coordinate user and group operations.

Optional Parameters: If you're also using the integration for discovery operations (viewing Jira projects, Confluence spaces, and Bitbucket repositories in Veza), you'll need product_token and product_user. These parameters are not required for lifecycle management operations and can be omitted if you're only performing user provisioning and group management.
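A pre-flight check for the parameters above, written as an added example; it is not Veza's code. It assumes the SCIM URL has the form https://api.atlassian.com/scim/directory/<directory-id>, and the function names and sample values are hypothetical.

```python
from urllib.parse import urlsplit

REQUIRED = ("scim_url", "scim_token", "admin_api_key", "scim_organization_id")
DISCOVERY_ONLY = ("product_token", "product_user")
EXPECTED_HOST = "api.atlassian.com"  # assumption: Atlassian's public API host


def directory_id_from_scim_url(scim_url):
    """Extract <directory-id> from https://<host>/scim/directory/<directory-id>."""
    parts = urlsplit(scim_url)
    if parts.scheme != "https":
        raise ValueError("scim_url must use https (the SCIM token travels with it)")
    if parts.hostname != EXPECTED_HOST:
        raise ValueError(f"scim_url host is {parts.hostname!r}, expected {EXPECTED_HOST!r}")
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 3 or segments[:2] != ["scim", "directory"]:
        raise ValueError("scim_url path must be /scim/directory/<directory-id>")
    return segments[2]


def check_lcm_config(config):
    """Return (directory_id, findings) for a dict of integration parameters."""
    findings = []
    for key in REQUIRED:
        if not str(config.get(key) or "").strip():
            findings.append(f"missing required parameter: {key}")
    directory_id = None
    if config.get("scim_url"):
        try:
            directory_id = directory_id_from_scim_url(config["scim_url"])
        except ValueError as exc:
            findings.append(str(exc))
    # Discovery credentials are optional for lifecycle management; report them
    # so they can be left out when only provisioning is needed.
    for key in DISCOVERY_ONLY:
        if config.get(key):
            findings.append(f"note: {key} is set; it is only needed for discovery")
    return directory_id, findings


# Constructed sample values; none of these are real identifiers or secrets.
SAMPLE = {
    "scim_url": "https://api.atlassian.com/scim/directory/dir-constructed-123",
    "scim_token": "<scim-token>",
    "admin_api_key": "<admin-api-key>",
    "scim_organization_id": "org-constructed-456",
}

if __name__ == "__main__":
    print(check_lcm_config(SAMPLE))
```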

Configuration Steps

Complete the following steps in Veza to enable and configure Lifecycle Management for your Atlassian Cloud integration.

Enable Lifecycle Management:

  1. Navigate to the Integrations overview in Veza

  2. Locate your Atlassian Cloud integration (or create a new one if needed)

  3. Check the box to Enable usage for Lifecycle Management

Configure Data Synchronization:

Configure the extraction schedule to ensure Atlassian Cloud user and group data remains current. Go to Administration > System Settings, then navigate to Pipeline > Extraction Interval. Set your preferred interval for data synchronization, or create a custom override specifically for Atlassian Cloud in the Active Overrides section if you need more frequent updates than your default schedule.

Verify Configuration:

After enabling Lifecycle Management, verify the integration is functioning correctly by navigating to Lifecycle Management > Integrations (or the main Integrations overview). Locate your Atlassian Cloud integration and click its name to view details. In the Properties panel, click the magnifying glass icon under Lifecycle Management Enabled to check the health status.

Supported Actions

Atlassian Cloud can be a target for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following lifecycle management Actions:

Sync Identities

The Sync Identities action creates new user accounts or updates existing ones in Atlassian Cloud. User provisioning occurs through the SCIM directory API, which ensures that email addresses remain unique across your Atlassian organization. When you create or update a user, Veza automatically establishes cross-service connections between the Cloud Admin user account and their corresponding accounts in Jira, Confluence, and Bitbucket.

Supported User Attributes:

| Attribute | Required | Type | Description | SCIM Mapping | Notes |
| --- | --- | --- | --- | --- | --- |
| email | Yes | String | User's email address | userName | Unique identifier across the organization |
| name | No | String | User's full name | name.formatted | Combined first and last name |
| display_name | No | String | User's display name | displayName | How the user appears in Atlassian products |

The active status is managed automatically during provisioning and deprovisioning operations and is not available as a sync attribute. When you sync user attributes, Veza translates them to the appropriate SCIM fields shown in the table above before sending them to Atlassian's SCIM API.

Manage Relationships

The Manage Relationships action controls group memberships for users across Atlassian Cloud. You can add users to groups or remove them, with changes synchronized across Atlassian Cloud Admin and all associated products (Jira, Confluence, and Bitbucket). All membership changes are tracked automatically for audit purposes, providing visibility into access modifications over time.

Atlassian Cloud groups can control various types of access, including product-level permissions (such as access to specific Jira projects or Confluence spaces), administrative roles within Atlassian Cloud Admin, site-wide permissions and policies, and integration settings with external identity providers. When you modify a user's group memberships through Veza, these changes apply consistently across all products where the group has assigned permissions.

Important: Groups must already exist in both the SCIM directory and Atlassian Cloud Admin before you can assign users to them. The integration does not support creating or deleting groups. See Group Management Requirements for more details.

Deprovision Identity

The Deprovision Identity action safely removes user access while preserving audit trails for compliance. When you deprovision a user, their account is deactivated through the SCIM API and all group memberships are automatically removed across Atlassian Cloud Admin, Jira, Confluence, and Bitbucket. While the user can no longer access any Atlassian products, their account information and cross-service connection history are preserved to maintain audit trails and historical visibility for compliance reporting.

Delete Identity

The Delete Identity action permanently removes the user account and associated data from Atlassian Cloud. When you delete a user, their account is permanently deleted through the SCIM API, not just deactivated. Unlike deprovisioning, this operation cannot be reversed and should be used with caution only when permanent removal is required.

Current Limitations

The following operations are not supported in the current implementation:

  • User Logout: Cannot force user logout from Atlassian products

  • License Management: Cannot remove specific licenses from users

  • Device Management: Cannot manage or remove personal devices

  • Password Management: Password operations are handled through SCIM only

Group Management Requirements

Managing group memberships in Atlassian Cloud requires coordination between the SCIM directory and Atlassian Cloud Admin.

Key requirements and limitations:

  • Groups must already exist in both systems: You can only assign users to groups that are present in both the SCIM directory and Atlassian Cloud Admin. The integration does not support creating or deleting groups.

  • Display name matching: When modifying group memberships, Veza uses display name matching to identify the corresponding group in each system.

  • Automatic ID mapping: The integration automatically maps the correct SCIM group ID and Atlassian group ID for each operation.

Technical Architecture

The Atlassian Cloud integration uses a dual-API architecture to provide comprehensive lifecycle management capabilities.

User provisioning, deprovisioning, and attribute updates are handled via Atlassian's SCIM API, ensuring email uniqueness and maintaining user account consistency.

Group membership management uses the Atlassian Cloud Admin API, which provides the functionality to add and remove users from groups across all products.

ID Mapping and Coordination:

To maintain consistency across systems, the integration performs complex ID mapping between SCIM identifiers and Atlassian identifiers. SCIM User IDs are mapped to Atlassian Account IDs, and SCIM Group IDs are mapped to Atlassian Group IDs. The integration automatically extracts the directory ID from your SCIM URL and uses your organization ID to coordinate these operations. This ensures that changes made through Veza are reflected accurately in both the SCIM directory and across all Atlassian products.
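The display name matching described under Group Management Requirements and the SCIM-to-Atlassian group ID mapping described above can be checked before assigning memberships. The following is an added example, not Veza's implementation: it assumes exact, case-sensitive name matching (the page does not say how names are normalized or how duplicates are resolved), and the group records and IDs are constructed.

```python
from collections import defaultdict


def index_by_name(groups):
    """Map display name -> list of group IDs for (group_id, display_name) pairs."""
    index = defaultdict(list)
    for group_id, display_name in groups:
        index[display_name].append(group_id)
    return index


def map_groups(scim_groups, admin_groups):
    """Pair groups across both systems by exact display name.

    Returns (mapping, problems). mapping is name -> (scim_id, admin_id) for
    names that resolve to exactly one group on each side. problems is
    name -> reason for every name that is not a safe membership target.
    """
    scim, admin = index_by_name(scim_groups), index_by_name(admin_groups)
    mapping, problems = {}, {}
    for name in sorted(set(scim) | set(admin)):
        if name not in scim:
            problems[name] = "missing in SCIM directory"
        elif name not in admin:
            problems[name] = "missing in Cloud Admin"
        elif len(scim[name]) > 1 or len(admin[name]) > 1:
            problems[name] = "display name is not unique"
        else:
            mapping[name] = (scim[name][0], admin[name][0])
    return mapping, problems


# Constructed sample exports as (group_id, display_name); IDs are made up.
SCIM_GROUPS = [
    ("scim-g-1", "jira-users"),
    ("scim-g-2", "confluence-admins"),
    ("scim-g-3", "contractors"),
    ("scim-g-4", "contractors"),
]
ADMIN_GROUPS = [
    ("adm-g-10", "jira-users"),
    ("adm-g-11", "Confluence-Admins"),
    ("adm-g-12", "contractors"),
    ("adm-g-13", "site-admins"),
]

if __name__ == "__main__":
    print(map_groups(SCIM_GROUPS, ADMIN_GROUPS))
```

Names that land in the problems result are the ones to fix in Atlassian before using them in a Manage Relationships action: a name that differs only by case or that occurs twice cannot be tied to a single pair of IDs.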

Workflow Examples

Employee Onboarding

Automate the provisioning of new employees into Atlassian Cloud:

  1. Create User Account: New user account is created via SCIM with basic profile information

  2. Assign Base Groups: User is added to organization-wide groups for general access

  3. Product Access: User is granted access to specific products (Jira, Confluence, Bitbucket) based on role

  4. Department Groups: User is added to department-specific groups for project and space access

Role Change Management

Handle employee role changes and access updates:

  1. Update User Attributes: User profile information is updated to reflect new role

  2. Remove Previous Access: User is removed from role-specific groups and permissions

  3. Grant New Access: User is added to groups appropriate for their new role

  4. Cross-Product Sync: Changes are propagated across all Atlassian products

Employee Offboarding

Safely remove access when employees leave:

  1. Deactivate Account: User account is disabled via SCIM

  2. Remove All Groups: User is removed from all groups and permissions

  3. Revoke Product Access: Access is revoked across Jira, Confluence, and Bitbucket

  4. Audit Trail: All changes are logged for compliance and historical tracking
