Groups & Access Control in Atlassian Cloud
What Are Groups in Atlassian Cloud?
Groups are foundational for permission and product access in Atlassian Cloud:
They allow admins to manage access for multiple users at once by assigning permissions and licensing on a group level.
Users inherit access from group membership.
Created and maintained via admin.atlassian.com → Directory > Groups, within the centralized admin experience.
Organization Admins and Site Admins (for specific sites) can create, edit, and delete groups, provided the groups are not managed by SCIM/Identity Provider.
Creating a Group
Log into admin.atlassian.com.
Navigate to Directory > Groups.
Click Create Group, enter name, members, and optional description.
Editing / Deleting Groups
Editable via Directory > Groups and click on the group name.
Add or remove members, manage description and product access.
Group names can now be changed.
Editing a group's name is a beta feature. It can impact apps in unexpected ways, depending on your group's app settings.
To safely rename a group, please create a new one with the desired name.
Alternatively, you can add or remove members and manage product access via the meatball menu under Actions on the main Groups page.
Default Groups
When an admin grants users app access via admin.atlassian.com, Atlassian automatically places users into default groups like jira-software-users-<sitename>.
Organization Admins can change which group is the default for an app; User Access Admins cannot.
Troubleshooting Group Management (Common Scenarios)
User Access Admin limitations:
Cannot configure default groups for apps - they must ask an Organization Admin.
Cannot grant access to an app if the default group also grants access to apps they don’t manage.
For example: if the default group for Jira also includes Confluence, a Jira-only User Access Admin cannot grant access to that default group.
Cannot remove a user’s access if they belong to multiple groups providing the same app access (unless they also manage all those apps).
Cannot remove a user provisioned by SCIM/IDP from a group - only Organization Admins can manage IDP-synced group membership.
What User Manager & License Optimizer can do
User Manager and License Opitmizer works within Jira to enhance group-based user management does not replace Atlassian’s group features:
Feature / Action | Atlassian Cloud Admin (admin.atlassian.com) | User Manager & License Optimizer |
|---|---|---|
Create/Delete/Rename Groups | yes | not yet |
Add/Remove Users from Groups | yes | yes |
Manage default groups or app access assignments | yes | not yet |
Sync groups from IDP/SCIM | yes | (future visual-only indicator) |
Group membership changes impact licenses and access | yes | yes |
Key points:
Group management (create/edit/delete)-only in admin.atlassian.com, not in the User Management & License Optimizer app.
In User Management & License Optimizer, admins can add or remove users from existing groups, including via bulk operations and automated tasks.
User Management & License Optimizer shows a visual indicator (darker grey) for groups that currently provide app access.
Upcoming feature: You will visually annotate groups that are IDP-managed, alerting admins that manual edits will not apply to those groups.