What is a data security policy?
A data security policy helps you keep your organization’s data secure by letting you govern how users, apps, and people outside of your organization can interact with content such as Confluence pages and Jira issues.
Data security policies take a content-based approach to governing how your data in Atlassian products can be used. This is different to a user-based approach that relies on giving or revoking specific permissions that allow users or apps to perform certain actions.
What’s in a policy?
There are two main elements of a data security policy: the policy coverage and policy rules.
The policy coverage is the scope of products, spaces, projects, or classification levels that a policy applies to. A product, space, or project can be part of more than one policy.
Policy rules are security controls that are available to be configured as part of a policy. What data security policy rules are available?
Policy details: Name of the policy, an optional description to help give context for the policy and information about the person who created the policy, and whether the policy is active or not.
Policy coverage: The data that the policy applies to.
Policy rules: The security controls added to the policy, and enforced for the data specified in the policy coverage.
Example
This is an example of two different policies set up by Acme Inc.
In this example, Policy 1 covers Acme’s products that contain personally identifiable information (PII) and has the security requirements to not allow users to download content, not allow apps access to data, and not allow anyone the ability to enable anonymous access to these products.
Policy 2 covers Acme’s products that contain information not approved for public distribution and has the security requirements to not allow users to download content and not allow anyone the ability to enable anonymous access to these products.
Two of Acme’s products are covered by both Policy 1 and Policy 2. Data security policies are additive, which means any product that is included in more than one policy is subject to all the policy rules specified by all the policies that cover that product.
Availability
Not all rules and coverage types are available for every product. Some rules and coverage types also require a particular plan.
Rules | Coverage type: Spaces and projects | Coverage type: Products | Coverage type: Classification levels |
---|---|---|---|
Anonymous access rule | Products: Jira, Confluence Plan: Atlassian Guard Standard | Products: Jira, Confluence Plan: Atlassian Guard Standard | Products: Jira, Confluence Plan: Atlassian Guard Premium |
Data export rule | Products: Jira, Confluence Plan: Atlassian Guard Standard | Products: Jira, Confluence Plan: Atlassian Guard Standard | Products: Jira, Confluence Plan: Atlassian Guard Premium |
Public links rule | Products: Confluence Plan: Atlassian Guard Standard | Products: Confluence Plan: Atlassian Guard Standard | Products: Confluence Plan: Atlassian Guard Premium |
App access rule | Products: Confluence, Jira Plan: No additional plan required, but Atlassian Guard Standard provides extra capabilities | Not available | Not available |
What happens if I cancel my subscription?
Some data security policy rules and coverage types require an Atlassian Guard Standard subscription.
If you cancel your subscription your existing policies will still be enforced, but any rules or coverage that require Atlassian Guard Standard can’t be edited or changed until you restart your subscription. If you don’t plan to restart your subscription you can disable or delete the polices you no longer need.
If your policy blocks app access to data for selected apps, you’ll have the option to switch to block all apps, which does not require an Atlassian Guard Standard subscription.
Was this helpful?