# Provisioning for Atlassian

### Overview

The Veza integration for Atlassian Cloud enables user provisioning and deprovisioning, with support for group membership management and attribute synchronization across Atlassian Cloud Admin, Jira Cloud, Confluence Cloud, and Bitbucket Cloud.

| Action Type           | Description                                                                                                      | Supported |
| --------------------- | ---------------------------------------------------------------------------------------------------------------- | --------- |
| SYNC\_IDENTITIES      | Synchronizes identity attributes between systems, with options to create new identities and update existing ones | ✅         |
| MANAGE\_RELATIONSHIPS | Controls entitlements such as group memberships and role assignments for identities                              | ✅         |
| DEPROVISION\_IDENTITY | Safely removes or disables access for identities                                                                 | ✅         |
| DELETE\_IDENTITY      | Permanently deletes the user account and associated data                                                         | ✅         |

This document includes steps to enable the Atlassian Cloud integration for provisioning, along with supported actions and notes. See [Supported Actions](#supported-actions) for more details.

### Enabling provisioning

#### Prerequisites

Before enabling provisioning for Atlassian Cloud, ensure you have the necessary access and configuration in place. You'll need administrative access in both Veza and Atlassian Cloud to complete the setup process.

**Veza Requirements:**

* Administrative access to configure integrations
* An existing [Atlassian Cloud integration](/4yItIzMvkpAvMVFAamTf/integrations/integrations/atlassian.md) that has completed at least one successful extraction

**Atlassian Cloud Requirements:**

* Administrative access to manage API keys and SCIM configuration
* An active SCIM directory configured in your Atlassian Cloud organization
* Proper API permissions for both SCIM and Atlassian Cloud Admin APIs

#### Required Configuration Parameters

The following parameters are required to enable provisioning operations:

| Parameter                                         | Description                                           | Purpose                                 |
| ------------------------------------------------- | ----------------------------------------------------- | --------------------------------------- |
| **SCIM URL** (`scim_url`)                         | The SCIM endpoint URL for your Atlassian organization | User provisioning and deprovisioning    |
| **SCIM Token** (`scim_token`)                     | Authentication token for SCIM API access              | Authenticates user lifecycle operations |
| **Admin API Key** (`admin_api_key`)               | API key for Atlassian Cloud Admin API                 | Group management and ID mapping         |
| **SCIM Organization ID** (`scim_organization_id`) | Your organization's SCIM identifier                   | Coordinates operations across APIs      |

The integration automatically extracts the directory ID from your SCIM URL and uses it alongside the organization ID to coordinate user and group operations.

**Optional Parameters**: If you're also using the integration for discovery operations (viewing Jira projects, Confluence spaces, and Bitbucket repositories in Veza), you'll need `product_token` and `product_user`. These parameters are not required for provisioning operations and can be omitted if you're only performing user provisioning and group management.

#### Configuration Steps

Complete the following steps in Veza to enable and configure provisioning for your Atlassian Cloud integration.

**Enable provisioning:**

1. Navigate to the **Integrations** overview in Veza
2. Locate your Atlassian Cloud integration (or create a new one if needed)
3. Check the box to **Enable usage for Provisioning**

**Configure Data Synchronization:**

Configure the extraction schedule to ensure Atlassian Cloud user and group data remains current. Go to **Administration** > **System Settings**, then navigate to **Pipeline** > **Extraction Interval**. Set your preferred interval for data synchronization, or create a custom override specifically for Atlassian Cloud in the *Active Overrides* section if you need more frequent updates than your default schedule.

**Verify Configuration:**

After enabling provisioning, verify the integration is functioning correctly by navigating to **Lifecycle Management** > **Integrations** (in the Products section of the navigation sidebar), or the main **Integrations** page (in the Featured section). Locate your Atlassian Cloud integration and click its name to view details. In the **Properties** panel, click the magnifying glass icon under **Lifecycle Management Enabled** to check the health status.

### Supported Actions

Atlassian Cloud can be a *target* for identity management actions, based on changes in another external source of truth or as part of a workflow.

The integration supports the following [Actions](/4yItIzMvkpAvMVFAamTf/features/lifecycle-management/policies-workflows/actions.md):

#### Sync Identities

The Sync Identities action creates new user accounts or updates existing ones in Atlassian Cloud. User provisioning occurs through the SCIM directory API, which ensures that email addresses remain unique across your Atlassian organization. When you create or update a user, Veza automatically establishes cross-service connections between the Cloud Admin user account and their corresponding accounts in Jira, Confluence, and Bitbucket.

* **Entity Types:** Atlassian Cloud User
* **Create Allowed:** Yes

<details>

<summary>Atlassian Cloud User Attributes</summary>

| Attribute     | Required | Type   | Description          | SCIM Mapping     | Notes                                      |
| ------------- | -------- | ------ | -------------------- | ---------------- | ------------------------------------------ |
| email         | Yes      | String | User's email address | `userName`       | Unique identifier across the organization  |
| name          | No       | String | User's full name     | `name.formatted` | Combined first and last name               |
| display\_name | No       | String | User's display name  | `displayName`    | How the user appears in Atlassian products |

</details>

The `active` status is managed automatically during provisioning and deprovisioning operations and is not available as a sync attribute. When you sync user attributes, Veza translates them to the appropriate SCIM fields shown in the table above before sending them to Atlassian's SCIM API.

#### Manage Relationships

* **Supported Relationship Types:**
  * **AtlassianCloudAdminGroup:** Group membership (controls access across Jira, Confluence, and Bitbucket)
* **Assignee Types:** Atlassian Cloud User
* **Supports Removing Relationships:** Yes

The Manage Relationships action controls group memberships for users across Atlassian Cloud. You can add users to groups or remove them, with changes synchronized across Atlassian Cloud Admin and all associated products (Jira, Confluence, and Bitbucket). All membership changes are tracked automatically for audit purposes, providing visibility into access modifications over time.

Atlassian Cloud groups can control various types of access, including product-level permissions (such as access to specific Jira projects or Confluence spaces), administrative roles within Atlassian Cloud Admin, site-wide permissions and policies, and integration settings with external identity providers. When you modify a user's group memberships through Veza, these changes apply consistently across all products where the group has assigned permissions.

**Important:** Groups must already exist in both the SCIM directory and Atlassian Cloud Admin before you can assign users to them. The integration does not support creating or deleting groups. See [Group Management Requirements](#group-management-requirements) for more details.

#### Deprovision Identity

The Deprovision Identity action safely removes user access while preserving audit trails for compliance. When you deprovision a user, their account is deactivated through the SCIM API and all group memberships are automatically removed across Atlassian Cloud Admin, Jira, Confluence, and Bitbucket. While the user can no longer access any Atlassian products, their account information and cross-service connection history are preserved to maintain audit trails and historical visibility for compliance reporting.

#### Delete Identity

The Delete Identity action permanently removes the user account and associated data from Atlassian Cloud. When you delete a user, their account is permanently deleted through the SCIM API, not just deactivated. Unlike deprovisioning, this operation cannot be reversed. Use it with caution, and only when permanent removal is required.

### Current Limitations

The following operations are **not supported** in the current implementation:

* **User Logout**: Cannot force user logout from Atlassian products
* **License Management**: Cannot remove specific licenses from users
* **Device Management**: Cannot manage or remove personal devices
* **Password Management**: Password operations are handled through SCIM only

### Group Management Requirements

Managing group memberships in Atlassian Cloud requires coordination between the SCIM directory and Atlassian Cloud Admin.

**Key requirements and limitations:**

* **Groups must already exist in both systems:** You can only assign users to groups that are present in both the SCIM directory and Atlassian Cloud Admin. The integration does not support creating or deleting groups.
* **Display name matching:** When modifying group memberships, Veza uses display name matching to identify the corresponding group in each system.
* **Automatic ID mapping:** The integration automatically maps the correct SCIM group ID and Atlassian group ID for each operation.
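
The pre-flight check below is an added example, not Veza's code. It pairs groups from both systems by display name and reports every name that cannot be mapped to exactly one SCIM group ID and one Atlassian group ID. The group records and IDs are constructed sample data, and flagging case or whitespace differences is an assumption, since this page does not say how strictly names are compared.

```python
from collections import defaultdict

# Constructed sample data: in practice, export these lists from each system.
SCIM_GROUPS = [
    {"id": "scim-001", "display_name": "jira-users"},
    {"id": "scim-002", "display_name": "site-admins"},
    {"id": "scim-003", "display_name": "Contractors"},
    {"id": "scim-004", "display_name": "confluence-editors"},
]
ADMIN_GROUPS = [
    {"id": "adm-a1", "display_name": "jira-users"},
    {"id": "adm-a2", "display_name": "site-admins"},
    {"id": "adm-a3", "display_name": "site-admins"},
    {"id": "adm-a4", "display_name": "contractors"},
]

def preflight_group_map(scim_groups, admin_groups):
    """Return (mapping, problems) for display-name based group matching.

    mapping:  display name -> (scim_group_id, admin_group_id), only for names
              that resolve to exactly one group on each side.
    problems: (display name, reason) for names that must be fixed first.
    """
    buckets = defaultdict(lambda: {"scim": [], "admin": []})
    for side, groups in (("scim", scim_groups), ("admin", admin_groups)):
        for g in groups:
            # Bucket on a normalised key so near-identical names surface together.
            buckets[g["display_name"].strip().casefold()][side].append(g)

    mapping, problems = {}, []
    for key in sorted(buckets):
        s, a = buckets[key]["scim"], buckets[key]["admin"]
        names = {g["display_name"] for g in s + a}
        label = sorted(names)[0]
        if not s or not a:
            where = "SCIM directory" if not s else "Cloud Admin"
            problems.append((label, "missing in " + where))
        elif len(s) > 1 or len(a) > 1:
            problems.append((label, "ambiguous: display name is not unique"))
        elif len(names) > 1:
            problems.append((label, "near-match: differs by case or whitespace"))
        else:
            mapping[label] = (s[0]["id"], a[0]["id"])
    return mapping, problems

if __name__ == "__main__":
    ok, bad = preflight_group_map(SCIM_GROUPS, ADMIN_GROUPS)
    print(ok, bad, sep="\n")
```

A non-unique display name is the case to resolve first: with name-based matching, a membership change could land on a different group than the one intended.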

### Technical Architecture

The Atlassian Cloud integration uses a dual-API architecture to provide provisioning capabilities.

User provisioning, deprovisioning, and attribute updates are handled via Atlassian's SCIM API, ensuring email uniqueness and maintaining user account consistency.

Group membership management uses the Atlassian Cloud Admin API, which provides the functionality to add and remove users from groups across all products.

**ID Mapping and Coordination:**

To maintain consistency across systems, the integration performs complex ID mapping between SCIM identifiers and Atlassian identifiers. SCIM User IDs are mapped to Atlassian Account IDs, and SCIM Group IDs are mapped to Atlassian Group IDs. The integration automatically extracts the directory ID from your SCIM URL and uses your organization ID to coordinate these operations. This ensures that changes made through Veza are reflected accurately in both the SCIM directory and across all Atlassian products.
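
The directory ID extraction described here and under Required Configuration Parameters can be paired with a check that the `scim_url` is safe to send the SCIM token to. This is an added example, not Veza's code. It assumes the Atlassian SCIM base URL has the form `https://api.atlassian.com/scim/directory/<directory-id>`, which this page does not state, and the sample directory ID is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not stated on this page): expected host and path layout.
EXPECTED_HOST = "api.atlassian.com"
PATH_RE = re.compile(r"/scim/directory/([A-Za-z0-9-]+)/?")

def directory_id_from_scim_url(scim_url):
    """Return the directory ID, or raise ValueError if the URL should not
    be trusted with the SCIM bearer token."""
    parts = urlsplit(scim_url.strip())
    if parts.scheme != "https":
        raise ValueError("SCIM URL must use https")
    if parts.username or parts.password:
        # Catches lookalikes such as https://api.atlassian.com@other-host/...
        raise ValueError("SCIM URL must not embed credentials")
    if parts.hostname != EXPECTED_HOST or parts.port not in (None, 443):
        raise ValueError("unexpected SCIM host")
    if parts.query or parts.fragment:
        raise ValueError("SCIM URL must not carry a query or fragment")
    match = PATH_RE.fullmatch(parts.path)
    if not match:
        raise ValueError("path is not /scim/directory/<directory-id>")
    return match.group(1)

def classify(scim_url):
    """Directory ID for an accepted URL, or 'rejected: <reason>'."""
    try:
        return directory_id_from_scim_url(scim_url)
    except ValueError as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    # Constructed sample values; the directory ID is a placeholder.
    base = "https://api.atlassian.com/scim/directory/"
    for url in (
        base + "11111111-2222-3333-4444-555555555555",
        "http://api.atlassian.com/scim/directory/abc",
        "https://api.atlassian.com.example.net/scim/directory/abc",
        "https://api.atlassian.com@example.net/scim/directory/abc",
    ):
        print(url, "->", classify(url))
```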

### Workflow Examples

#### Employee Onboarding

Automate the provisioning of new employees into Atlassian Cloud:

1. **Create User Account**: New user account is created via SCIM with basic profile information
2. **Assign Base Groups**: User is added to organization-wide groups for general access
3. **Product Access**: User is granted access to specific products (Jira, Confluence, Bitbucket) based on role
4. **Department Groups**: User is added to department-specific groups for project and space access

#### Role Change Management

Handle employee role changes and access updates:

1. **Update User Attributes**: User profile information is updated to reflect new role
2. **Remove Previous Access**: User is removed from role-specific groups and permissions
3. **Grant New Access**: User is added to groups appropriate for their new role
4. **Cross-Product Sync**: Changes are propagated across all Atlassian products

#### Employee Offboarding

Safely remove access when employees leave:

1. **Deactivate Account**: User account is disabled via SCIM
2. **Remove All Groups**: User is removed from all groups and permissions
3. **Revoke Product Access**: Access is revoked across Jira, Confluence, and Bitbucket
4. **Audit Trail**: All changes are logged for compliance and historical tracking


