Setup on Atlassian for Regulated Industries


23 Feb 2021
by Marion

    Atlassian tools like Jira and Confluence are well known for their flexibility and customization. While most software developers prefer this flexibility over closed systems, regulated industries often fear that it could affect their compliance. There are aspects that you will have to consider when setting your organization up on the Atlassian stack in a regulated domain.

    We have broken these down into 3 areas that you must consider when setting your organization up on the Atlassian stack in a regulated domain.

    Are we doing things in the right way?

    The first thing to consider is how to set up your organization’s processes in Jira and Confluence. Every organization works differently, but regulations require each company to have well-defined processes in the form of SOPs (Standard Operating Procedures). It’s crucial that you get the most out of your tools by configuring them in a way that supports your existing processes.

    Each project in Jira has several areas of configuration that help you set up Jira to match the processes in your organization. These include Jira issue workflows, notification schemes, and permission schemes. They help you enforce a specific process by customizing the task lifecycle, the automatic notifications sent out by the app, and data security aspects.

    To read more about setting up notifications in Jira, please see our recent post on it. Confluence has slightly fewer customization areas, but if you want to automate your document approval process, you should look into the customization options of additional apps such as “Comala Document Management”. More on this in one of our recent posts.

    Who can see what?

    The second configuration aspect to consider in regulated domains is securing your data so that only authorized users can see it. It is expected that you have procedures that define, at a high level, the different access levels to each tool.

    Jira and Confluence both provide great, easy-to-use tools to keep your data security under control.

    To configure the security of Atlassian products we need to start from the high-level principles:

    • The first level of access to your data is controlled at the application access level. Your admins determine who has the right to log in to Jira, Confluence or other Atlassian apps. This does not provide any access to data yet. It’s about keeping the number of your user licenses under control.

    • After you have been given the right to a specific application like Jira or Confluence, your right to access a specific Jira Project or Confluence site is checked next. There are several ways to provide that access: via project role, user group, special role, and so on. Make sure all your projects or sites have the same access management rules applied. Ask your Jira/Confluence admin to show this access process/pattern and do not allow exceptions. It’s all about security.

    • Roles in an organization can easily be mirrored in your tools as well. In other words, do not let your tool admins tell you how they should manage access. Your organization should have a clear vision of who can view, edit or create what kind of content. Remember that admins often provide more access than is needed to decrease their own workload. It’s only human. Remember to use the “principle of least privilege”.
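
    One way to check the "same access rules on every project, no exceptions" principle from the list above, as an added example that is not from the original post or from Atlassian: it compares each project's permission grants with one approved baseline and flags broad, extra or missing grants. The project keys, role names and grant data are constructed, and the grant shape (a permission plus a holder type and parameter) is an assumed export format.

```python
# Added example: audit project permission grants against one approved pattern.
# All data is constructed; the grant shape (permission + holder type/parameter)
# is an assumed export format, modelled on Jira permission scheme grants.

# Holder types treated as too broad for a regulated project (assumed policy).
BROAD_HOLDERS = {"anyone", "applicationRole"}

# The single approved pattern: access only via project roles (hypothetical names).
BASELINE = {
    ("BROWSE_PROJECTS", "projectRole", "Viewers"),
    ("CREATE_ISSUES", "projectRole", "Contributors"),
    ("EDIT_ISSUES", "projectRole", "Contributors"),
    ("ADMINISTER_PROJECTS", "projectRole", "Administrators"),
}

def grant(permission, holder_type, parameter=""):
    """Build one grant record in the assumed export shape."""
    return {"permission": permission,
            "holder": {"type": holder_type, "parameter": parameter}}

def normalize(grants):
    """Turn a list of grant dicts into a comparable set of tuples."""
    return {(g["permission"], g["holder"]["type"], g["holder"].get("parameter", ""))
            for g in grants}

def audit(projects, baseline=BASELINE):
    """Return {project_key: [finding, ...]} for every project that deviates."""
    report = {}
    for key, grants in sorted(projects.items()):
        actual = normalize(grants)
        findings = []
        for perm, htype, param in sorted(actual - baseline):
            kind = "BROAD" if htype in BROAD_HOLDERS else "EXTRA"
            findings.append(f"{kind}: {perm} granted to {htype}:{param or '*'}")
        for perm, htype, param in sorted(baseline - actual):
            findings.append(f"MISSING: {perm} for {htype}:{param}")
        if findings:
            report[key] = findings
    return report

# Constructed sample: QMS follows the pattern, DEV carries two exceptions.
SAMPLE = {
    "QMS": [grant(*t) for t in BASELINE],
    "DEV": [grant(*t) for t in BASELINE] + [
        grant("BROWSE_PROJECTS", "anyone"),
        grant("EDIT_ISSUES", "group", "jira-software-users"),
    ],
}

if __name__ == "__main__":
    for project, findings in audit(SAMPLE).items():
        print(project, *findings, sep="\n  ")
```

    An empty report means every project matches the approved pattern; each finding is an exception to review against your access procedure.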

    To read more about securing your Confluence, please look at our blog posts on roles in Confluence, page level restrictions in Confluence, securing documents in Confluence.

    Where is my data?

    Last but not least, you should consider data residency. Data residency is about the location in which your data is being stored. It is an important aspect when choosing a cloud operator for the regulated domains. GDPR (EU) requires processing and storing of personal data to be within the EU.

    Most Atlassian Cloud plans (see more about Atlassian Cloud plans) do not provide full control of your data residency yet, but they still provide a way to see where your data is stored. In case you need to have control over it, you will have to go with the Cloud Enterprise plan. Other than that, you are free to choose between the plans and can see the location of your data.

    In case you have any questions about how to best set up your regulated company on the Atlassian stack, do not hesitate to contact us. We’d be happy to help you.


    SoftComply apps are available on Atlassian Marketplace – you can try them all out for free!