User Roles & Permissions
This page explains how User Manager & License Optimizer works with Atlassian Cloud roles, who can use the app, and what each role means across Jira, Confluence, and Jira Service Management (JSM).
How permissions work
The app lives inside Jira and uses an Organization Api Key to manage your whole organization.
Who can use the app:
By default, only Organization Admins have access. You can grant permissions to Product Admins (also known as App admins or Product access admins) and User Access Admins in the App Access Control section of the Settings tab.
Who cannot use the app: All other roles (e.g., Site Admin, Project Admin, Space Admin, Guest, Customer, Stakeholder, Contributor, Basic, standard User) have no app access. Organization Admins can grant access to Product Admins or User Access Admins in the app settings.
Critical note: Once you grant access to Product Admins or User Access Admins, they get full organization-wide capabilities inside the app (users, groups, bulk changes, tasks). The app does not restrict them to a product- or site-only scope.
Jira access required: User Access Admins must also have Jira product access; otherwise they can't open the app UI. Organization Admins also need Jira access to use the app, as it runs inside Jira.
Atlassian Cloud admin roles (platform)
Role | What it is | Typical scope in Atlassian | Can use User Management app? |
|---|---|---|---|
Organization Admin | Highest admin role; manages users, groups, apps, org-wide security & policies at admin.atlassian.com. | Org-wide | Yes |
Site Admin | Administers a specific site (not the whole org). | Per-site | No |
User Access Admin | Manages how people get access to Atlassian apps (user/app access lifecycle). | App level (access) | Yes (needs Jira access) |
Product Admin (a.k.a. App admin / Product access admin) | Admin for a specific Atlassian product (e.g., Jira, Confluence). | App level | Yes (when allowed) |
References: Atlassian’s admin-role definitions and capabilities.
Why no Site Admin?
Atlassian recently clarified platform roles across the centralized user management experience. Site Admin remains site-scoped. The Atlassian management of site admins is not reflected in groups anymore and that's why our app can't manage it properly. In the future, we will provide access to site admins too.
Product-aligned roles you’ll see in directories & projects
Many entries in “User Roles” come from specific products. These roles do not grant access to this app, but you’ll commonly use them when managing access elsewhere.
Confluence
User - Licensed team member working on Confluence Pages
Guest - External, single-space collaborators; very limited, free seat type. Good for vendors/partners.
Space Admin - Administers a specific space (permissions, structure). Not visible in the User Management and License Optimizer.
Jira Service Management (JSM)
Customer - Portal-only user; no Jira license; submits/reads requests via help center.
User (Agent) - Licensed team member working tickets (queues, SLAs, comments).
Stakeholder - Visibility/updates on incidents; free on Premium/Enterprise (license rules vary by plan).
Jira Product Discovery (JPD)
User (Creator) - Paid role; full project capabilities incl. fields/views, admin.
Contributor - Free; create ideas if enabled.
Compass
Basic - Non-billable catalog consumers with limited capabilities; unlimited basic users.
User - billable user with access to all Compass features available in your plan.
Feature-to-role requirements (inside the app)
App Feature | Minimum role that can use the app | Notes |
|---|---|---|
User Browser | Product Admin / User Access Admin / Org Admin | User Access Admins must also have Jira access. |
Bulk Operations | Product Admin / User Access Admin / Org Admin | Executes org-wide when run in app. |
Automated Tasks | Product Admin / User Access Admin / Org Admin | Org-scoped when configured in app. |
Settings | Organization Admin | API key management & guardrails. |
Security implications (read before granting)
Granting Product Admin or User Access Admin app access effectively elevates them to org-wide powers within this app (users, groups, bulk ops, tasks).
The app does not re-apply native Atlassian scoping limits (e.g., “product-only” or “site-only” boundaries) once access is granted.
Prefer least privilege: only enable these toggles for trusted admins; review access regularly via App Access Control.