Control access to your private content

If you want to control access to private content your individual account owns, you found the right page. If you'd like to set access controls for your workspace's private content, refer to Control access to your workspace's private content.

Bitbucket Premium

The options on the Access control page are Premium features for Bitbucket Cloud:

  • Require users to enable two-step verification (the two-step verification setting remains a Standard feature available to all users)

  • Restrict access to users on certain IP addresses

Learn more about Bitbucket Premium.

When administering repositories or other content, you give users permission to see, update, and administer that content. The Access controls page gives you another level of control, making sure users meet requirements to access those pages.

The access controls apply to users with access to any private content in your personal repositories.

To find the Access controls page:

  1. Click Settings on the left navigation of your workspace.

  2. On the Workspace settings page, select Access controls from the left navigation.

Here's a breakdown of the content that your users with access won't be able to see if you use any of the Access controls settings.

Bitbucket content

Public or private?

Two-step verification or allowlisted IPs required?






Wikis / Issue trackers*

Public (in a public or private repository)


Private (in a public or private repository)


* Wikis and issue trackers can be public/private independently of their parent repository's privacy setting.

Restricted content

Repository source code and Git data are restricted. Any metadata, such pull request titles, comments, repository name is not necessarily restricted.

Requiring two-step verification

If they haven't enabled two-step verification, users with access will see a message that prompts them to enable it. In addition to being unable to see this content, users won't be able to clone, push, or pull a private repository either.

To require two-step verification for access to private content:

  1. From the Access controls page, select the Require two-step verification option.

  2. Click Update to save your changes.

If you haven't already enabled two-step verification on your account, you need to enable it in your personal settings prior to setting up or requiring two-step verification for your workspace.

If you want to disable two-step verification on your account, you must deselect the Require two-step verification option on your workspace first.

Allowlisting IP addresses

If they aren't accessing from allowlisted IP addresses, users will see a message explaining why they have no access. In addition to being unable to see this content, users won't be able to clone, push, or pull a private repository either.

You can add IP addresses or network blocks for a set of IP addresses to an allowlist. If you are adding an individual IP address to an allowlist, we support IPv4 and IPv6. If you're entering a network block, we support CIDR notation, which is a standard for specifying a block of IP addresses. Refer to this CIDR notation section on Wikipedia for more details about how to use CIDR notation.

Here's some examples of values that you can add:






CIDR block

To add IP addresses to an allowlist for access to private content:

  1. From the Access controls page, select the Restrict access to certain IP addresses option.

  2. Click Add or remove IP addresses. A popup opens.

  3. Enter an IP address or a network block for a set of IP addresses.

  4.  Click Save to close the Add or remove IP addresses popup.

  5.  Click Update to save your changes.

Still need help?

The Atlassian Community is here for you.