> ## Documentation Index
> Fetch the complete documentation index at: https://docs.oleria.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Atlassian Cloud

> Connect your Atlassian Cloud organization to Oleria to continuously discover and map who has access across your organization.

Connect your Atlassian Cloud organization to Oleria to gain continuous visibility into who has access across your organization, and to remediate risky access directly from Oleria. Oleria reads identity, access, and audit data from the Atlassian Organization Admin API, so you can see every account, group, role, and access change in one place. This page provides step-by-step guidance for connecting Atlassian Cloud to Oleria.

## What Oleria discovers

Once connected, Oleria continuously discovers and maps the following from your Atlassian organization:

* **Accounts** - managed users across every directory in the organization, including account status and job details.
* **Groups and roles** - native groups, role assignments, and the membership relationships between users, groups, and roles.
* **Identity directories** - each directory in the organization, including identity provider (IdP) synced directories.
* **Audit activity** - organization-wide audit events such as group and membership changes, access configuration changes, user lifecycle events, and policy changes.
* **Security posture** - account status on any plan, plus multi-factor authentication (MFA) enrollment when you have Atlassian Guard Standard.

## Prerequisites

* Organization admin role on the Atlassian organization (site, workspace, or product admin alone is not sufficient)
* At least one verified domain in the Atlassian organization, so that accounts are returned as managed users
* Atlassian Guard Standard subscription, required for full audit event coverage and MFA status (basic account, group, and directory discovery works on any plan)

## Create an API key in Atlassian

Oleria connects using an organization API key issued from the Atlassian admin console.

<Steps>
  <Step title="Sign in to Atlassian Admin">
    Sign in to [Atlassian Admin](https://admin.atlassian.com/) as an organization admin and select your organization from the org switcher.
  </Step>

  <Step title="Create the API key">
    Navigate to **Settings** → **API keys** and select **Create API key**. Give it a recognizable name such as `Oleria connector`.

    You can create an unscoped key for the simplest setup, or create an **API key with scopes** for least privilege access. An unscoped key covers both discovery and remediation. If you scope the key, grant the following:

    | Capability       | Scope                          | Used for                                         |
    | :--------------- | :----------------------------- | :----------------------------------------------- |
    | Accounts         | `read:accounts:admin`          | Discovery                                        |
    | Groups           | `read:groups:admin`            | Discovery                                        |
    | Directories      | `read:directories:admin`       | Discovery                                        |
    | Events           | `read:events:admin`            | Discovery (audit activity)                       |
    | Guard detection  | `read:policies:admin`          | Detect Atlassian Guard, which enables MFA status |
    | User lifecycle   | `manage:user:lifecycle`        | Remediation (disable user)                       |
    | Group membership | `manage:org-user:group-member` | Remediation (remove from group)                  |

    Multi-factor authentication (MFA) status, account status, and role assignments do not need their own scopes. MFA and account status come back with each account, so they are covered by `read:accounts:admin` and `read:directories:admin`, and role assignments are read from the directory, so they are covered by `read:directories:admin` (together with `read:groups:admin` for group roles).

    <Note>
      The two `manage:` scopes are only required if you want Oleria to take remediation actions. Omit them for read-only discovery.

      Atlassian does not publish a scope for every endpoint Oleria reads. With a scoped key, any endpoint that has no matching scope is simply skipped, so you may see partial discovery (an object type quietly never appears) with no error to point at. Use an unscoped key for full, guaranteed coverage. Scopes also cannot be changed after a key is created, so to adjust them you must rotate to a new key.
    </Note>
  </Step>

  <Step title="Copy your organization ID and API key">
    Copy and save the following values - you will need them when connecting in Oleria:

    * **Organization ID** - the UUID found in the admin console URL, in the form `admin.atlassian.com/o/{orgId}/...`
    * **API key** - the key value shown when you create the key

    <Warning>
      The API key is shown only once and cannot exceed a 1-year lifetime. Store it securely, note the expiry date, and rotate it before it expires to avoid an interruption in discovery.
    </Warning>
  </Step>
</Steps>

## Connect Atlassian Cloud to Oleria

<Steps>
  <Step title="Open the integration">
    Go to your Oleria workspace, select **Integrations** → select **Atlassian Cloud**.
  </Step>

  <Step title="Complete the connection form">
    Select **Continue** and fill in the connection form:

    | Field           | Notes                                                                                          |
    | :-------------- | :--------------------------------------------------------------------------------------------- |
    | Instance name   | Optional. Use a short, recognizable label (e.g. oleria-atlassian-prod).                        |
    | Organization ID | Required. Paste the organization UUID from the Atlassian admin console URL.                    |
    | API key         | Required. Paste the organization API key from Atlassian.                                       |
    | API key expiry  | Optional. Enter the key's expiry date (`YYYY-MM-DD`) so Oleria can warn you before it expires. |
  </Step>

  <Step title="Save the integration">
    Select **Connect** to validate and save the integration.
  </Step>
</Steps>

## Verify the integration

Confirm the Atlassian Cloud instance appears in your Oleria workspace connected integrations. After the first sync completes, you can review the discovered accounts, groups, and access in your Oleria workspace.

<Note>
  When you rotate the Atlassian API key, update the API key (and expiry date) in Oleria by editing the integration. An expired key will cause discovery to stop.
</Note>

## Remediation actions

Beyond discovery, Oleria can act on Atlassian access to remediate risk. The following actions are supported, and each can be reverted:

| Action                 | What it does                                                                             | Revert                         |
| :--------------------- | :--------------------------------------------------------------------------------------- | :----------------------------- |
| Disable user account   | Suspends the user's product access across the entire Atlassian organization.             | Re-enables the user's access.  |
| Remove user from group | Removes the user from a specific directory group, revoking the access that group grants. | Re-adds the user to the group. |

<Note>
  Remediation requires an API key with the `manage:user:lifecycle` and `manage:org-user:group-member` scopes, or an unscoped key. A read-only key can still perform discovery but will return a permission error when an action runs.
</Note>

## Contact us

For questions about this integration, contact us at [support@oleria.com](mailto:support@oleria.com).
