Control access to private content in a workspace

PREMIUM FEATURE

Access control is a Bitbucket Cloud Premium feature with the following security benefits:

  • Requires all users to enable two-step verification

  • Allows you to restrict access to users on certain IP addresses

Learn more about Bitbucket Premium

Access control gives you another level of security, making sure users meet requirements to access your workspace and any private content.

You can only set up two-step verification and require allowlisted IP addresses for private repositories, wikis, issue trackers, and snippets. You cannot manage public content through Access controls.

Restricted content

Repository source code and Git data are restricted. Metadata, such as pull request titles, comments, and the repository name, is not necessarily restricted.

Wikis and issue trackers can be public/private independently of their parent repository's privacy setting.

To find the Access control settings:

  1. From your profile avatar, select the workspace or All workspaces for a full list.

  2. Select the Settings cog on the top navigation bar.

  3. Select Workspace settings from the Settings dropdown menu.

  4. Select Access controls from the left navigation bar.

Requiring two-step verification

You can require that the users with access to private repositories or other private content are only able to see the content if they've enabled two-step verification. If they haven't enabled two-step verification, users with access will see a message that prompts them to enable it. In addition to being unable to see this content, users won't be able to clone, push, or pull a private repository either.

To require two-step verification for access to private content:

  1. From the Access controls page, select the Require two-step verification option.

  2. Click Update to save your changes.

If you want to disable two-step verification on your account, you must deselect the Require two-step verification option first.

Allowlisting IP addresses

You can require that users with access to private repositories or other private content are only able to see the content from certain IP addresses. If they aren't accessing from allowlisted IP addresses, users will see a message explaining why they have no access. In addition to being unable to see this content, users won't be able to clone, push, or pull a private repository either.

You can add IP addresses or network blocks for a set of IP addresses to an allowlist. If you are adding an individual IP address to an allowlist, we support IPv4 and IPv6. If you're entering a network block, we support CIDR notation, which is a standard for specifying a block of IP addresses. Refer to this CIDR notation section on Wikipedia for more details about how to use CIDR notation.

Here are some examples of values that you can add:

Type          Examples
IPv4          104.192.143.1
IPv6          2401:1d80:1010::150
CIDR block    104.192.143.0/28
              104.192.143.16/29
              104.192.143.24/32
              2401:1d80:1010::/64
              2401:1d80:1010::150/128

To add IP addresses to an allowlist for access to private content:

  1. From the Access controls page, select the Restrict access to certain IP addresses option.

  2. Click Add or remove IP addresses. A popup opens.

  3. Enter an IP address or a network block for a set of IP addresses.

  4. Click Save to close the Add or remove IP addresses popup.

  5. Click Update to save your changes.
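
Before saving an allowlist, it helps to check the entries locally and confirm that the addresses your users and build systems connect from are covered. The following Python sketch is an added example, not Atlassian code: the function names, the review thresholds in too_broad, and the sample egress addresses are assumptions made for illustration.

```python
import ipaddress

# Example values from the table above.
PAGE_EXAMPLES = [
    "104.192.143.1", "2401:1d80:1010::150", "104.192.143.0/28",
    "104.192.143.16/29", "104.192.143.24/32", "2401:1d80:1010::/64",
    "2401:1d80:1010::150/128",
]

def parse_allowlist(entries):
    """Return (networks, problems); problems holds (entry, reason) pairs."""
    networks, problems = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # A bare address becomes a /32 or /128 network. strict=True
            # rejects blocks with host bits set (e.g. 104.192.143.5/28),
            # which usually means a typo in the base address or prefix.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            problems.append((entry, str(exc)))
    return networks, problems

def too_broad(networks, min_v4=16, min_v6=32):
    """Flag blocks wider than a local review threshold (assumed values)."""
    return [n for n in networks
            if n.prefixlen < (min_v4 if n.version == 4 else min_v6)]

def uncovered(addresses, networks):
    """Return the addresses that no allowlist entry contains."""
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in networks)]

if __name__ == "__main__":
    # Constructed input: the page's values plus two entries a review should catch.
    nets, problems = parse_allowlist(PAGE_EXAMPLES + ["104.192.143.5/28", "10.0.0.0/8"])
    print("rejected:", problems)
    print("too broad:", too_broad(nets))
    # Constructed egress addresses (office NAT, CI runner) to check for lockout.
    print("not covered:", uncovered(
        ["104.192.143.20", "104.192.143.33", "2401:1d80:1010::99", "203.0.113.7"], nets))
```

Any address reported as not covered would lose clone, push, and pull access to private repositories once the restriction is saved.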

Workspace privacy enforcement

If you have a Premium plan, you can enable the Do not allow public content inside this workspace setting to require all content in the workspace to be private.

  1. Select the checkbox associated with the Do not allow public content inside this workspace setting.

  2. If there is public content in the workspace, the This workspace contains public content dialog will be displayed.

  3. Select the Manage public content button to open a list of projects containing public content in the workspace.

  4. Make any public content in the projects private. This could mean making repositories within the projects private as well as setting the project to private. You can also remove any public content, if that is necessary or fits better into your organization’s policies or workflows around privacy.

  • For more information on setting repository privacy, refer to Set repository privacy and forking options.

  • For more information on setting privacy for your issue tracker, refer to Make the tracker private or public.

  • For more information on setting privacy for a wiki, refer to Make a wiki private or public.

  • To query any public Bitbucket issues or wikis, use the following API call: https://api.bitbucket.org/2.0/repositories/{workspace_slug}?fields=+values.wiki_private,+values.issues_private&q=(has_issues=true AND issues_private=false) OR (has_wiki=true AND wiki_private=false)

    • For more information on the encoding of ‘+’ in the provided API call and any other field parameters associated with this, refer to the field parameters syntax section of our developer documentation.

    • For more detailed information on this API call, refer to our REST APIs developer documentation.
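
The API call above, built with the '+' characters and the query percent-encoded and then applied across paginated results, as an added Python example (not Atlassian code). The helper names, the caller-supplied get_json fetcher (which is assumed to handle authentication), and the sample responses are assumptions; the sample responses are constructed so the example runs offline.

```python
from urllib.parse import quote

API_ROOT = "https://api.bitbucket.org/2.0/repositories"
FIELDS = "+values.wiki_private,+values.issues_private"
QUERY = ("(has_issues=true AND issues_private=false) OR "
         "(has_wiki=true AND wiki_private=false)")

def build_url(workspace_slug):
    # '+' must be sent as %2B: a raw '+' in a query string decodes to a
    # space, so the extra fields would not be added to the response.
    return (f"{API_ROOT}/{quote(workspace_slug, safe='')}"
            f"?fields={quote(FIELDS, safe=',')}&q={quote(QUERY, safe='')}")

def public_extras(page):
    """Map repository full_name -> publicly visible extras on one page."""
    findings = {}
    for repo in page.get("values", []):
        exposed = []
        if repo.get("has_issues") and repo.get("issues_private") is False:
            exposed.append("issues")
        if repo.get("has_wiki") and repo.get("wiki_private") is False:
            exposed.append("wiki")
        if exposed:
            findings[repo.get("full_name", "<unknown>")] = exposed
    return findings

def audit(workspace_slug, get_json):
    """Follow 'next' links; get_json(url) -> dict is supplied by the caller."""
    url, findings = build_url(workspace_slug), {}
    while url:
        page = get_json(url)
        findings.update(public_extras(page))
        url = page.get("next")
    return findings

# Constructed sample responses (not real API output), keyed by request URL.
PAGE_2 = f"{API_ROOT}/example-ws?page=2"
SAMPLE_PAGES = {
    build_url("example-ws"): {"next": PAGE_2, "values": [
        {"full_name": "example-ws/docs", "has_wiki": True, "wiki_private": False,
         "has_issues": False, "issues_private": True}]},
    PAGE_2: {"values": [
        {"full_name": "example-ws/app", "has_wiki": True, "wiki_private": True,
         "has_issues": True, "issues_private": False}]},
}

if __name__ == "__main__":
    print(build_url("example-ws"))
    print(audit("example-ws", SAMPLE_PAGES.__getitem__))
```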

If you would like to review or clean up any public content prior to enabling the Do not allow public content inside this workspace setting, you can select the ‘# of publicly visible projects’ link in the Private setting’s description.

 
