Do you need Atlassian Access? A Comprehensive Guide

Posted on 08.05.2021
-
Written by Blanca Vazquez
-

If your company has attempted to set up SAML Single Sign-On (SSO), two-step verification, and/or API token controls in Atlassian’s Cloud, you’ve encountered the need for Atlassian Access—Atlassian’s solution for enterprise-level user management and security in the Cloud. 

Atlassian customers often ask us if Atlassian Access is essential to their Jira Software, Jira Work Management, Jira Service Management, Confluence, or BitBucket instance. The answer to that question is typically “yes”—however, it is not a requirement for every organization. 

Oxalis has compiled a list of the most frequently asked questions surrounding Atlassian Access and provided answers in this post. In this blog you will learn about Atlassian Access usage, the Atlassian Access pricing model, and key considerations for your organization.

An important note: Atlassian Access is only available in Atlassian’s Cloud. If you are interested in user management and security solutions for Data Center instances, contact us and we’ll provide you with information for your specific configuration. 

Are there questions we missed? Message us and let us know—plus we’ll provide you with an answer. 

What is Atlassian Access?

According to Atlassian, Access is “…your enterprise-wide subscription for enhanced security and centralized administration that works across every Atlassian cloud product used at your organization including Jira Software, Jira Service Management, Confluence, Bitbucket, Trello, and Statuspage.” 

To us, Atlassian Access is the bottom line security requirement for operating enhanced security and user management within Atlassian Cloud products. Atlassian Access is a necessity if your organization would like to set up SSO or user and group provisioning with Atlassian Cloud products.

What are the benefits of Atlassian Access?

When thinking about Atlassian products, think about user Identity Management and the level of security you require for your business. Simply stated, Atlassian access is what allows you to enable a scaled administrative and security framework for your users.

Access will afford you more security features such as SAML and SSO integration to existing identity providers in a federated model. This will allow for centralized administrative capability in an established IT organization. More information is available from Atlassian here.

If you are small or just starting out in the Atlassian ecosystem, you may choose to forgo this product to get used to Atlassian tools and because you don’t mind an extra login or google login integration.

For enterprise or large business customers, this product is essential for integration into existing SSO like Okta, or into Azure Active Directory. You are going to want this tool to protect your Atlassian tools and data under a strong user identity.

At Oxalis, we strongly advise you do your homework before enabling advanced enterprise identity solutions such as this. It is not simply a feature you turn on. You’ll want to consider your user identity management strategy and policies before moving forward.

Atlassian Access Pricing: What is the Atlassian Access Pricing model?

First 10 – 250 UsersNext 251 – 1000 UsersNext 1000+
$3 per user$2 per user$1 per user

Atlassian Access pricing uses a tiered pricing structure, similar to their other products. You can either pay monthly or annually (see more below), with user volume discounts.

It’s worth noting that when you go up a user tier (Read: Next 251 – 1000), only those users who are past the 251 user count will be billed at the $2 rate. The first 250 users are still $3 per user. 

How are users calculated?

Each billing cycle, you will be charged once for each unique user provisioned to an Atlassian Access-supported product (Jira Software, Jira Service Management, Confluence, Trello, Bitbucket, etc.) no matter how many products they use. This means if Jane has access to Jira Software, Confluence, and Bitbucket, she’ll only count once toward your Atlassian Access licensing cost. If John has access to Trello-only, and is subject to your Atlassian Access SSO policy, he will also count once toward your Atlassian Access licensing cost.

You can purchase Atlassian Access in the following ways:

  • Monthly: Atlassian offers a monthly subscription option, where businesses can pay per user. The monthly subscription is more flexible with users—with a monthly subscription you only pay for the number of users that are on the account. The more users you have, the less your subscription is per user. 
  • Annual: There are several reasons to bill Atlassian Access annually. 
    • Leveraging your User Tier: First and foremost, there are potential cost savings should your user count fall toward the top end of a user tier (generally within the top ten percent). For example, if you have 170 Atlassian Access users, it would cost $510 per month or $6,120 per year if you went the monthly route; however, if you paid annually for that user tier (101-200), you’d receive the flat rate $6,000 per year and have 30 seats left over for when your business grows. 
    • Simple Billing: Your Atlassian Access quote will bill alongside your Jira Software Jira, Jira Service Management, Jira Work Management, Confluence, etc. license. This way there will not be fluctuating costs month-to-month based on user changes.  

Key Note: Atlassian Access is included with Jira Cloud Enterprise subscription. There is no additional cost. However, if you are considering cloud standard or premium, be ready to pay for Atlassian Access. You will most likely need it to enable your SSO or Active Directory sign on capabilities.

The only way to purchase an annual Atlassian license is through an Atlassian authorized reseller like Oxalis—we are an Atlassian solution partner who not only ensures you’re getting the best deal on your current products but ensures any future products are leveraging discounts and not causing any redundancies. Read more about license optimization here. 

What does it mean to “Claim User Accounts” with Atlassian Access?

If you’ve tried to set up Atlassian Access in the past, you’ve likely been asked to Claim User Accounts after verifying your domain with Atlassian.

What this does is enables Atlassian to comb their user databases for any user that has set up an account with your company domain, no matter which Atlassian product they signed up for. They use this number to bill your company for Access since any user with your company’s domain will need to be included. 

This number can very often be larger than customers expect, especially for large enterprises who are trying to get Access to only their Jira Software, Confluence, or Jira Service Management instance. However, since software like Trello and Jira Core are included in this count, there are generally unexpected and inflated numbers. We recommend doing a full user audit to ensure any unused accounts are deactivated or transferred to personal email addresses before purchasing.

Please note, Atlassian Access has made adjustments to their pricing model and no longer require you to pay for all accounts discovered in the domain claim. You may now selectively license your users.

UPDATE: Thanks in large part to customer feedback about the domain claim process, Atlassian announced that companies will have the option to select user groups that can be excluded from the Access group and therefore will be able to exclude user groups from their billing policy. This change occurred Quarter 2, 2021. 

Can you apply SSO on Jira without Atlassian Access?

No. Atlassian Access is the only avenue for companies to have SAML SSO in the Cloud. 

Is Atlassian Access actually just SAML Single Sign On (SSO)? 

The short answer to this is no, however, you cannot have SAML SSO with Jira Software/Confluence/Jira Service Management without Atlassian Access.

Atlassian Access is a consumer downstream of your IDP (identity provider) which might be Azure AD or Okta. Both of these solutions are supported and documented by Access. 

However, setting up Access with Azure AD or Okta presents some challenges. If you’re migrating from Server to Cloud (which you should if you’re not already—see our post about Atlassian Server End of Life coming soon), user identification may change as the source of truth goes from Azure SSO to Okta. Oxalis has successfully implemented Atlassian Access for everything from small business to enterprise, and we know the trap doors to avoid. We work with Atlassian to ensure there are no interruptions in service and the switchover doesn’t cause any user corruption. 

If your company needs to implement Atlassian Access in the Cloud, contact us for a consultation.

How do I set up Atlassian Access?

Because Atlassian Access applies to all Atlassian accounts, turning on Access has wide ranging impacts that need to be considered enterprise-wide. This means that turning on Access cannot fall under a single department or initiative. 

For example:

  • Another team already implemented access as part of their rollout. Adding users for the additional product will have license costs to be managed.
  • Another team is using an Atlassian product but without Atlassian Access – turning on Access will pull them and their users in.
  • You have employees using their work email accounts with Trello for free. While there will be no license costs for Trello, that user WILL have a fee for being a managed account in Access.
    • As noted above, user management is changing soon. Stay tuned for more information.

All of these scenarios are manageable, but they do require planning, coordination, and end-user change management, along with understanding the license fee implications.

  1. Create an Organization: Atlassian defines this as “a management layer that gives admins the ability to view and apply controls to all Atlassian accounts using an email address belonging to their company.” 
  2. Verify the Domain: To start, you’ll likely need to input some txt files to your domain’s DNS entry. After that, this is the aforementioned step where companies bring all Atlassian accounts under their billing organization using email addresses from their owned domains. This number is usually surprisingly large, and the number one culprit is free Trello accounts created with company emails. 
  3. Plan your Change: Typically, you’ll have uncovered a lot of “Free” Trello accounts that will inflate your Access cost.
    1. Check how many are old/unused – they can be deactivated so that they won’t count towards your license fees.
    2. Is there overlap with the users you’re planning on serving?
    3. Encourage users to switch to personal email accounts if not using Trello for work purposes.
    4. Regardless, you’ll need to communicate to users that how they log in will be changing to your SSO.
    5. Potentially, budget for the increased users in Access.
  4. Claim your Users: Once you have informed users and planned for the forthcoming changes, claim your users.
  5. Configure User Provisioning within Access: If you want (and you really should want) to manage your user creation, deactivation, and permissions in your central directory, you’ll need to set up automatic User Provisioning. Unlike in Atlassian’s Server and Data Center products which could synchronize using LDAP, Atlassian Access user provisioning exclusively uses SCIM.
  6. Monitoring: Make sure to stay up-to-date on the user count in case employees sign up for free Trello accounts with their company email. Whether you go with a monthly subscription or annual, you’ll need to be sure that the accounts are being set up with the purpose to keep from inflated Access costs. 

Is Atlassian Access available on Data Center? 

No. If you’re on Data Center, Atlassian has Crowd as a SAML SSO and Identity Management solution called Crowd.

If you’re on Server-edition products, there are a variety of plugins. However, we cannot recommend any of them as Atlassian has ended the sale and will end the support of their Server products by February 2024. Rather than implement another SSO at this point, we would recommend migrating to Data Center or Cloud as soon as possible. 

Learn why organizations are embracing multiple authentication policies. Download the whitepaper with a practical guide to securing your organization with Atlassian Access. Contact us for more information.

What’s inside:

Find more abour Atlassian Access in this whitepaper, you’ll learn:

  • The benefits of multitple authentication policies
  • How to craft different authentication policies
  • Custom-build unique authentication policies with Atlassian Access

So, do I need Atlassian Access?

If you are an Enterprise migrating to Atlassian’s Cloud products, the answer is almost unequivocally yes. Atlassian all-but requires Access for Cloud organizations that require a certain amount of security provisions. For smaller organizations, under 20 users or 10 agents, then the extra cost may not be essential—Atlassian has robust security features built-in. However, if you would like to use Okta, Azure AD, OneLogin, Google Cloud, or PingFederate, then Access is for you.

Contact us

Want to dive deeper? Leave us a message for an analysis of your current configuration and develop a plan for implementing Atlassian Access.

Get the conversation started!

Feel free to send us a message in the form below. We’re very approachable and would like to talk more about how we can meet your needs: