> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up an Atlassian connector
> C1 provides identity governance and just-in-time provisioning for Atlassian. Integrate your Atlassian instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :--------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Workspaces | | |
| Groups | | |
This connector can provision roles in Atlassian workspaces. Depending on your Atlassian implementation, not all roles may be available for all workspaces, and some roles can be only configured if the user meets certain requirements. The Atlassian connector is unable to predict whether a role will be available to a user before the role is requested, but the connector will show an error if a requested role cannot be provisioned.
The Atlassian connector supports [automatic account provisioning](/product/admin/account-provisioning) via SCIM API. New users are created in the directory without passwords. If a managed Atlassian account already exists for the specified email address, the user will be linked to that existing account.
### Connector actions
Connector actions are custom capabilities that extend C1 automations with app-specific operations. You can use connector actions in the [Perform connector action](/product/admin/automations-steps-reference#perform-connector-action) automation step.
| Action name | Additional fields | Description |
| ------------- | ---------------------------- | ------------------------------------------------------ |
| enable\_user | `user_id` (string, required) | Restore an Atlassian user's access to the organization |
| disable\_user | `user_id` (string, required) | Suspend an Atlassian user's access to the organization |
## Gather Atlassian credentials
Each setup method requires you to pass in credentials generated in Atlassian. Gather these credentials before you move on.
**Important**
A user with the **Org admin** role in Atlassian must perform this task.
### Create an organization API access token
Log into [your Atlassian account](https://admin.atlassian.com/).
Navigate to **Organization Settings** > **API keys**.
Click **Create API key**.
Select **API key without scopes** and set a **Name** and **Expire Date**, then click **Create API key**.
Review the key info and click **Create API Key**. The new organization API key is generated.
Carefully copy and save the **API key** and the **organization ID**.
If the organization ID is not shown, you can [look it up](https://confluence.atlassian.com/cloudkb/retrieve-my-atlassian-cloud-organization-s-id-1207189876.html).
### Optional: Gather SCIM credentials for account provisioning
If you plan to use account provisioning to create new users, you'll need SCIM API credentials.
Log into [your Atlassian account](https://admin.atlassian.com/).
Navigate to **Security** > **User Security** > **Identity Providers**.
Configure an identity provider with provisioning enabled. After configuring it, you will
get a window with both:
* The **SCIM token** (`BATON_SCIM_TOKEN`)
* The **SCIM base URL** (`BATON_SCIM_BASE_URL`)
Carefully copy and save both values. You'll need them to configure account provisioning.
### Optional: Request endpoints for provisioning support
If you want to provision workspace roles with the connector, you must raise an Atlassian Support ticket asking the Atlassian team to enable certain necessary endpoints on your tenant.
In the Atlassian Support Portal, log into your admin account for the organization you're connecting and select **Contact**.
Make the following selections when prompted:
* What can we help you with?: Technical issues and bugs
* Which product is this for?: Select a cloud product you use, such as a JIRA instance
Click **Raise a support request**, and add your email to the "Include admin or billing/technical/end-customer contact, or additional participants on this ticket" field.
In the **Summarize your issue** box, enter:
I need access to three Atlassian Administration Cloud API endpoints. The documentation states that access should be requested from the support team.
From the **What is the impact to your business?** drop-down, select **Level 3**.
In the Give us more details section, enter the following, replacing "\" with your Organization ID:
```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
I need access to the following endpoints of the Atlassian Administration Cloud API:
* Grant User Access: https://developer.atlassian.com/cloud/admin/organization/rest/api-group-directory/\#api-v1-orgs-orgid-users-userid-roles-assign-post
* Revoke User Access: https://developer.atlassian.com/cloud/admin/organization/rest/api-group-directory/\#api-v1-orgs-orgid-users-userid-roles-revoke-post
* Invite User to Org: https://developer.atlassian.com/cloud/admin/organization/rest/api-group-directory/\#api-v1-orgs-orgid-users-invite-post
I'm working with an API client and I need to be able to use these endpoints on my Atlassian organization.
My organization ID is:
Thanks in advance for your help!
```
Submit the request.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Atlassian connector
**To complete this task, you'll need:**
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Atlassian credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Atlassian** and click **Add**.
Choose how to set up the new Atlassian connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Paste the organization API access token into the **Access token** field.
Paste the organization ID into into the **Organization ID** field.
**Optional.** If using account provisioning, paste the SCIM token and SCIM base URL into the relevant fields.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Atlassian connector is now pulling access data into C1.
**Follow these instructions to use the Atlassian connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-atlassian): For stable binaries (Windows/Linux/macOS) and container images.
* [GitHub repository](https://github.com/conductorone/baton-atlassian): Access the source code, report issues, or contribute to the project.
### Step 1: Configure the Atlassian connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Atlassian connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Atlassian connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-atlassian-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-atlassian-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Atlassian credentials
BATON_API_TOKEN:
BATON_ORG:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
# Optional: include for account provisioning (creating new users)
BATON_SCIM_TOKEN:
BATON_SCIM_BASE_URL:
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-atlassian.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-atlassian
labels:
app: baton-atlassian
spec:
selector:
matchLabels:
app: baton-atlassian
template:
metadata:
labels:
app: baton-atlassian
baton: true
baton-app: atlassian
spec:
containers:
- name: baton-atlassian
image: ghcr.io/conductorone/baton-atlassian:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-atlassian
envFrom:
- secretRef:
name: baton-atlassian-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Atlassian connector to. Atlassian data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Atlassian connector is now pulling access data into C1.