• Products
  • Documentation
  • Resources

Available external user security policy and settings

External user security includes these two types of policies for each organization.

  1. External user policy

  2. Test policy

External user policy

An external user policy allows you to apply security settings to external users. The settings apply to all the external users in your Atlassian organization.

Test policy

A test policy allows you to test external user security settings for a few users before you roll them out to all your external users. You can add up to 5 external users to a test policy.

After you turn the settings on, they may take a few minutes to apply to external users. When you’re ready to roll out external user security, you can turn the settings on for all your external users from the external user policy.
Learn how to set up a test policy

Review external users before you apply settings

Review the external users in your organization before you change security settings. To review external users and their details, you can export a CSV file of the external users. The export contains information about each external user in your organization.
Learn how to export users

Two-factor verification with one-time passcode

By default, we don't require external users to verify their identity with two-step verification. You need to turn settings on to require two-factor verification. When you turn settings on, all external users need to complete two factor-verification.

When external users try to access product data in your Atlassian organization, we ask them to verify their identity with a temporary one-time passcode that we email them. Learn about the one-time passcode experience for users

You can turn two-step verification on and off, but you're unable make any changes to the two-step verification setting.

Verification frequency

By default, we don't require external users to re-enter a one-time passcode. You need to turn settings on to require verification frequency.

You can choose how often users need to verify their identity. Your options for session length The session length is between 15 minutes and 30 days. When you set the session length, it only applies to your external users. The setting doesn't apply to managed accounts or mobile sessions.

We update the verification frequency when:

  • An external user session expires.

  • You reset sessions for external users.

  • The external user logs out and logs back in before the session expires.

We recommend letting your external users know about the updates you make.

Learn how to edit verification frequency

Reset sessions

A session is the amount of time an external user can access products in an organization before you log them out. When you turn settings on for a policy, you’re able to reset a session for the external users in the policy. We log out all external users in about ten minutes. External users need to verify their identity the next time they access your products.

We only reset web sessions but don’t reset mobile sessions.

Learn how to reset sessions

API token access

You’re able to control API token access to products in your organization with the API token access setting. This setting affects all external users within the organization.

Learn more about API token access

 

 

Additional Help