Functionality of the "Invite Permissions" feature in a Bitbucket Cloud workspace
Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.
Summary
In this article, we explain how to restrict the domains to which repository and project admins (who are not Workspace administrators) can send invitations.
The "Invite Permissions" feature discussed in this article is available only to older workspaces that have user management in https://bitbucket.org/. It is NOT available to newer workspaces that have user management in Atlassian Admin.
For newer Bitbucket workspaces that have user management in Atlassian Admin, please check the documentation on controlling how users get access to apps.
Solution
We can overcome the above concern by enabling the Invite permissions option. The feature is available under Workspace Settings > Access controls.

Invite Permissions
When Admins only is selected in the Invite permissions dropdown, only workspace admins can invite new users. You can select this option to prevent Repository and Project admins from sending invitations to new users. Workspace admins can always send invitations to any domain.
When All members is selected in the Invite permissions dropdown, then workspace admins, project admins, and repository admins can invite new users to the workspace. If you select this option, you can restrict the domains to which Project and Repository admins can send invitations. Workspace admins will still be able to send invitations to any domain.
When the option All members is selected and a Repository or a Project admin invites a user to the workspace, this new user is added to the workspace's Default group. This allows workspace admins to review these users and add them to specific groups as required.

When workspace admins invite new users to a specific repo, the user is also added to the Default group.
Repository admins and Project admins can be limited to sending invitations to a specific domain or domains in the following way:
- On the Workspace Settings > Access controls page, select All members from the Invite permissions dropdown. 
- Select Update. 
- Select the link Add or Remove domains. 
- In the new dialog, enter the domain(s) you want to allow Repository and Project admins to send invitations to. Example: gmail.com. 
- Select Save.  
- Enable the option Restrict members sending invites to the following domains and select Update. - This will allow Repository and Project admins to invite only users from the specified domain(s) (in our example, gmail.com) to the workspace. If a Repository or Project admin attempts to invite a new user with an email address from a domain other than the ones we specified (in our example, "gmail.com"), they will see the following error message: - Workspace administrator has disallowed invitations to the domain: gmail.com
Was this helpful?