Learn about security solutions and standards
Care about security? We do too. Learn what Atlassian does and what you can do too.
What is a data security policy?
A data security policy helps you keep your organization’s data secure by letting you govern how users, apps, and people outside of your organization can interact with content such as Confluence pages and Jira issues.
Data security policies take a content-based approach to governing how your data in Atlassian products can be used. This is different to a user-based approach that relies on giving or revoking specific permissions that allow users or apps to perform certain actions.
What’s in a policy?
There are two main elements of a data security policy: the policy coverage and policy rules.
The policy coverage is the scope of products, spaces, projects, or classification levels that a policy applies to. A product, space, or project can be part of more than one policy.
Policy rules are security controls that are available to be configured as part of a policy. What data security policy rules are available?
Policy name and description: Name of the policy and an optional description to help give context for the policy.
Policy metadata and status: Information about the person who created and last updated the policy, and an indication of whether the policy is active or not.
Policy coverage: The data that the policy applies to.
Policy rule: A security control configured as part of a policy, and enforced for the data specified in the policy coverage.
Example
This is an example of two different policies set up by Acme Inc.
In this example, Policy 1 covers Acme’s products that contain personally identifiable information (PII) and has the security requirements to not allow users to download content, not allow apps access to data, and not allow anyone the ability to enable anonymous access to these products.
Policy 2 covers Acme’s products that contain information not approved for public distribution and has the security requirements to not allow users to download content and not allow anyone the ability to enable anonymous access to these products.
Two of Acme’s products are covered by both Policy 1 and Policy 2. Data security policies are additive, which means any product that is included in more than one policy is subject to all the policy rules specified by all the policies that cover that product.
Availability
Data classification is currently only available through the Atlassian Information Security Beta program. If you’re not part of the program, subscribe to our Cloud roadmap to be informed when this feature becomes generally available.
Not all rules and coverage types are available for every product. Some rules and coverage types also require a particular plan.
Rules | Coverage type: Spaces and projects | Coverage type: Products | Coverage type: Classification levels |
|---|---|---|---|
Anonymous access rule | Not available | Not available | Products: Jira Plan: Atlassian Information Security Beta program |
Data export rule | Not available | Products: Confluence Plan: Atlassian Access | Products: Jira, Confluence Plan: Atlassian Information Security Beta program |
Public links rule | Not available | Products: Confluence Plan: Atlassian Access | Products: Confluence Plan: Atlassian Information Security Beta program |
App access rule | Products: Confluence, Jira Plan: No additional plan required, but Atlassian Access provides extra capabilities | Not available | Not available |
What happens if I cancel my subscription?
Some data security policy rules and coverage types require an Atlassian Access subscription.
If you cancel your subscription your existing policies will still be enforced, but any rules or coverage that require Atlassian Access can’t be edited or changed until you restart your subscription. If you don’t plan to restart your subscription you can disable or delete the polices you no longer need.
If your policy blocks app access to data for selected apps, you’ll have the option to switch to block all apps, which does not require an Atlassian Access subscription.
Was this helpful?