Skip to content

User Roles & Permissions

This page explains how User Manager & License Optimizer works with Atlassian Cloud roles, who can use the app, and what each role means across Jira, Confluence, and Jira Service Management (JSM).

How permissions work

The app lives inside Jira and connects with your Organization Admin API key for a single, unified control plane.

  • Who can use the app:

    Organization Admins, Product Admins (aka App admins / Product access admins), and User Access Admins - when allowed in App Access Control.

  • Who cannot use the app: All other roles (e.g., Site Admin, Project Admin, Space Admin, Guest, Customer, Stakeholder, Contributor, Basic, standard User) have no app access.

  • Critical note: Once you grant access to Product Admins or User Access Admins, they get full organization-wide capabilities inside the app (users, groups, bulk changes, tasks). The app does not restrict them to a product- or site-only scope.

  • Jira access required: User Access Admins must also have Jira product access; otherwise they can’t open the app UI. 

Atlassian Cloud admin roles (platform)

Role

What it is

Typical scope in Atlassian

App access?

Organization Admin

Highest admin role; manages users, groups, apps, org-wide security & policies at admin.atlassian.com.

Org-wide

Yes

Site Admin

Administers a specific site (not the whole org).

Per-site

No

User Access Admin

Manages how people get access to Atlassian apps (user/app access lifecycle).

App level (access)

Yes (needs Jira access)

Product Admin (a.k.a. App admin / Product access admin)

Admin for a specific Atlassian product (e.g., Jira, Confluence).

App level

Yes (when allowed)

References: Atlassian’s admin-role definitions and capabilities. 

Why no Site Admin? Atlassian recently clarified platform roles across the centralized user management experience. Site Admin remains site-scoped. The Atlassian management of site admins is not reflected in groups anymore and that's why our app can't manage it properly. In the future, we will provide access to site admins too. 

Product-aligned roles you’ll see in directories & projects

Many entries in “User Roles” come from specific products. These roles do not grant access to this app, but you’ll commonly use them when managing access elsewhere.

Confluence

  • User - Licensed team member working on Confluence Pages

  • Guest - External, single-space collaborators; very limited, free seat type. Good for vendors/partners. 

  • Space Admin - Administers a specific space (permissions, structure). Not visible in the User Management and License Optimizer.

Jira Service Management (JSM)

  • Customer - Portal-only user; no Jira license; submits/reads requests via help center.

  • User (Agent) - Licensed team member working tickets (queues, SLAs, comments).

  • Stakeholder - Visibility/updates on incidents; free on Premium/Enterprise (license rules vary by plan).

Jira Product Discovery (JPD)

  • User (Creator) - Paid role; full project capabilities incl. fields/views, admin.

  • Contributor - Free; create ideas if enabled.

Compass

  • Basic - Non-billable catalog consumers with limited capabilities; unlimited basic users.

  • User - billable user with access to all Compass features available in your plan.

Feature-to-role requirements (inside the app)

App Feature

Minimum role that can use the app

Notes

User Browser

Product Admin / User Access Admin / Org Admin

User Access Admins must also have Jira access

Bulk Operations

Product Admin / User Access Admin / Org Admin

Executes org-wide when run in app.

Automated Tasks

Product Admin / User Access Admin / Org Admin

Org-scoped when configured in app.

Global Settings

Organization Admin

API key management & guardrails.


Security implications (read before granting)

  • Granting Product Admin or User Access Admin app access effectively elevates them to org-wide powers within this app (users, groups, bulk ops, tasks).

  • The app does not re-apply native Atlassian scoping limits (e.g., “product-only” or “site-only” boundaries) once access is granted.

  • Prefer least privilege: only enable these toggles for trusted admins; review access regularly via App Access Control.