1 of 1

Atlassian Cloud Products

Configuring the Veza integration for Atlassian Cloud Admin, Jira Cloud, and Confluence Cloud.

Overview

This integration enables a connection between Veza and an Atlassian Cloud tenant to discover the following services:

Atlassian Cloud Admin
Bitbucket
Jira Cloud
Confluence Cloud

The integration includes cross-service connections to show relationships between IdP identities, Cloud Admin users and groups, and the local BitBucket, Confluence or Jira accounts those users can assume.

This integration deprecates the original OAA connectors for BitBucket Cloud, Jira and Confluence. You can now enable these products when configuring the Atlassian Cloud integration, and safely remove the original integrations. You should disable any integration secrets or service accounts that are no longer in use.

Configuring Atlassian Cloud

Two sets of credentials are required to enable the integration:

An admin API key, used to connect to the Cloud Admin API. See Manage an Organization With Admin APIS for more detail.
A user API key, used to connect to products such as Jira and Confluence. These are managed on a per-user basis. For more detail see Manage API Tokens for your Atlassian Account

Why is an administrator key required?

To provide a complete and accurate view of your users and groups, Veza needs to access Atlassian's User Management and Organizations REST APIs. These APIs contain authorization metadata that is not available using product-level APIs for non-admin users.

Veza uses the administrator key strictly for read-only purposes. The integration does not perform any administrative actions or make changes within your Atlassian Cloud environment.

Create a User for the Integration

We recommend creating a unique user for the integration. The integration user should have read-only permissions to all products to discover, for listing entities and permissions.

Log in to the Admin portal at admin.atlassian.com.
Open the Users List and click Invite Users.
Enter an email address for the invitation.
Grant the user access to the products the integration will discover.

The user status will change to active one you have accepted the invitation and accessed an Atlassian product.

See Create, Edit, and Delete Users for additional guidance.

Retrieve an Admin API Key

Veza connects to the Cloud Admin APIs to collect information about groups and users.

Log in to admin.atlassian.com.
Go to Settings > API Keys.
Choose Create API key.
Enter an identifying name for API key.
By default, keys expire in one week. To change the expiration date, pick a new Expires on date.
Select Create to save the API key Copy the Organization ID and API key values for configuring the integration on Veza.
Click Done. The key will appear in the list of API keys.

Retrieve Product API Key for a User

Atlassian product APIs enable access to individual services just as Jira or Confluence.

As the integration user, log in to https://id.atlassian.com/manage-profile/security/api-tokens.
Click Create API Token.
Enter a label for the token and click Create.
Copy the token, which will only appear once.

Configuring Atlassian Cloud on the Veza Platform

To enable the integration:

In Veza, go to Integrations and choose Add Integration.
Pick Atlassian Cloud as the integration to add and click Next.
Enter the required information and Save the configuration.

Field

Notes

Insight Point

Choose whether to use the default data plane or a deployed Insight Point.

Name

A friendly name to identify the unique integration.

Atlassian Url

Host URL, e.g. veza.atlassian.net.

Admin API Key

Admin token from the previous steps.

Products

Comma-separated list of products to discover (jira, confluence, bitbucket).

Product User

Integration username, e.g. [email protected].

Product Token

User API token from the previous steps.

Product Token

User API token from the previous steps.

Workspace

Optional Bitbucket workspace to connect to (shown in the login URL)

Skip Branch Protection Discovery

Optionally omit extraction of

If you do not enter an admin API key, Veza can still extract data from Jira & Confluence. It will not, however, be able to correlate Jira & Confluence users with users from identity providers.

Notes and Supported Entities

Atlassian Cloud Admin

Atlassian Cloud Tenant
- tenant_unique_id
Atlassian Cloud User
- account_type
- account_status
- access_billable
- product_access
- user_type

Limitations:

Admin API access: The integration user must be assigned to Bitbucket as an administrator to discover group permissions on repositories. This is optional. Without admin permission, the connector will discover users' effective permissions, which can be slower and will not indicate when these are derived through group membership.
Atlassian Cloud Admin is not able to discover external (unmanaged) users. External users have emails belonging to a domain outside of your organization, added manually to your Atlassian organization.
Atlassian and Jira support adding groups to groups to reduce duplication of entitlements but do not return the details on group assignments within groups via their public API. The integration will discover all users that are members of a group directly or indirectly but will not know if the user is directly assigned or inherited by group membership.

Bitbucket Cloud

Bitbucket Cloud Project
- name Project name
- key Project Key
- description Project Description
- is_private True if project is private
- has_publicly_visible_repos List of publicly visible repos
Bitbucket Cloud Repo
- name
- is_private
- slug
- project_key
- fork_policy
- default_branch_protected
Bitbucket Cloud Group
- name
Bitbucket Cloud User
- key User Id.
- emailAddress User's email address.
- name User's name
- displayName User's display name
- active True if user is active user
- deleted True if user deleted
Bitbucket Cloud Role
project_key Key of the project for respective role

Branch Protection Policies

For Bitbucket Cloud repositories, Veza collects branch protection policies on the default branch. The property default_branch_protected will be True if any type of branch protection is configured. Additionally, the following boolean properties are True indicating the specific type of policy:

allow_auto_merge_when_builds_pass
require_passing_builds_to_merge
enforce_merge_checks
require_approvals_to_merge
require_default_reviewer_approvals_to_merge
require_tasks_to_be_completed

Gathering branch protection policies will increase extraction time. You can disable this option when configuring the Atlassian Cloud integration.

Confluence Cloud

Confluence User
- account_type
- email
- external_collaborator
Confluence Space
- type
- status
- id
- unlicensed_access
- anonymous_access

Jira Cloud

Jira Group
Jira Instance
Jira Project
Jira Project Role (shown in Veza as <project name> - <role name>)
Jira User

Notes:

Due to Atlassian API limitations, the integration cannot currently retrieve Jira user attributes: createdAt, lastLoginAt, deactivatedAt, and lastChangeAt.
As roles are defined on a per-project basis, and role names can be duplicated across a Jira Cloud instance, project roles are translated as <project name> - <role name>

Atlassian Cloud Products

Configuring the Veza integration for Atlassian Cloud Admin, Jira Cloud, and Confluence Cloud.

Overview

This integration enables a connection between Veza and an Atlassian Cloud tenant to discover the following services:

Atlassian Cloud Admin
Bitbucket
Jira Cloud
Confluence Cloud

Configuring Atlassian Cloud

Two sets of credentials are required to enable the integration:

An admin API key, used to connect to the Cloud Admin API. See Manage an Organization With Admin APIS for more detail.
A user API key, used to connect to products such as Jira and Confluence. These are managed on a per-user basis. For more detail see Manage API Tokens for your Atlassian Account

Why is an administrator key required?

Veza uses the administrator key strictly for read-only purposes. The integration does not perform any administrative actions or make changes within your Atlassian Cloud environment.

Create a User for the Integration

We recommend creating a unique user for the integration. The integration user should have read-only permissions to all products to discover, for listing entities and permissions.

Log in to the Admin portal at admin.atlassian.com.
Open the Users List and click Invite Users.
Enter an email address for the invitation.
Grant the user access to the products the integration will discover.

The user status will change to active one you have accepted the invitation and accessed an Atlassian product.

See Create, Edit, and Delete Users for additional guidance.

Retrieve an Admin API Key

Veza connects to the Cloud Admin APIs to collect information about groups and users.

Log in to admin.atlassian.com.
Go to Settings > API Keys.
Choose Create API key.
Enter an identifying name for API key.
By default, keys expire in one week. To change the expiration date, pick a new Expires on date.
Select Create to save the API key Copy the Organization ID and API key values for configuring the integration on Veza.
Click Done. The key will appear in the list of API keys.

Retrieve Product API Key for a User

Atlassian product APIs enable access to individual services just as Jira or Confluence.

As the integration user, log in to https://id.atlassian.com/manage-profile/security/api-tokens.
Click Create API Token.
Enter a label for the token and click Create.
Copy the token, which will only appear once.

Configuring Atlassian Cloud on the Veza Platform

To enable the integration:

In Veza, go to Integrations and choose Add Integration.
Pick Atlassian Cloud as the integration to add and click Next.
Enter the required information and Save the configuration.

Field

Notes

Insight Point

Choose whether to use the default data plane or a deployed Insight Point.

Name

A friendly name to identify the unique integration.

Atlassian Url

Host URL, e.g. veza.atlassian.net.

Admin API Key

Admin token from the previous steps.

Products

Comma-separated list of products to discover (jira, confluence, bitbucket).

Product User

Integration username, e.g. [email protected].

Product Token

User API token from the previous steps.

Product Token

User API token from the previous steps.

Workspace

Optional Bitbucket workspace to connect to (shown in the login URL)

Skip Branch Protection Discovery

Optionally omit extraction of

If you do not enter an admin API key, Veza can still extract data from Jira & Confluence. It will not, however, be able to correlate Jira & Confluence users with users from identity providers.

Notes and Supported Entities

Atlassian Cloud Admin

Atlassian Cloud Tenant
- tenant_unique_id
Atlassian Cloud User
- account_type
- account_status
- access_billable
- product_access
- user_type

Limitations:

Admin API access: The integration user must be assigned to Bitbucket as an administrator to discover group permissions on repositories. This is optional. Without admin permission, the connector will discover users' effective permissions, which can be slower and will not indicate when these are derived through group membership.
Atlassian Cloud Admin is not able to discover external (unmanaged) users. External users have emails belonging to a domain outside of your organization, added manually to your Atlassian organization.
Atlassian and Jira support adding groups to groups to reduce duplication of entitlements but do not return the details on group assignments within groups via their public API. The integration will discover all users that are members of a group directly or indirectly but will not know if the user is directly assigned or inherited by group membership.

Bitbucket Cloud

Bitbucket Cloud Project
- name Project name
- key Project Key
- description Project Description
- is_private True if project is private
- has_publicly_visible_repos List of publicly visible repos
Bitbucket Cloud Repo
- name
- is_private
- slug
- project_key
- fork_policy
- default_branch_protected
Bitbucket Cloud Group
- name
Bitbucket Cloud User
- key User Id.
- emailAddress User's email address.
- name User's name
- displayName User's display name
- active True if user is active user
- deleted True if user deleted
Bitbucket Cloud Role
project_key Key of the project for respective role

Branch Protection Policies

allow_auto_merge_when_builds_pass
require_passing_builds_to_merge
enforce_merge_checks
require_approvals_to_merge
require_default_reviewer_approvals_to_merge
require_tasks_to_be_completed

Gathering branch protection policies will increase extraction time. You can disable this option when configuring the Atlassian Cloud integration.

Confluence Cloud

Confluence User
- account_type
- email
- external_collaborator
Confluence Space
- type
- status
- id
- unlicensed_access
- anonymous_access

Jira Cloud

Jira Group
Jira Instance
Jira Project
Jira Project Role (shown in Veza as <project name> - <role name>)
Jira User

Notes:

Due to Atlassian API limitations, the integration cannot currently retrieve Jira user attributes: createdAt, lastLoginAt, deactivatedAt, and lastChangeAt.
As roles are defined on a per-project basis, and role names can be duplicated across a Jira Cloud instance, project roles are translated as <project name> - <role name>