Permissions model

Frank builds on Atlassian's existing permission model rather than inventing its own. This means you manage access using familiar Atlassian tools, and permissions work consistently across Jira and Confluence.

How permissions work

Permissions operate in layers:

Layer 1: Atlassian permissions
The base layer controlling site and product access. Users need Jira access to see employee records and Confluence access to see linked pages and documents.

Layer 2: Project permissions
Jira project permissions determine who can view and edit the employee project. You can restrict the project to specific groups or roles.

Layer 3: Frank permissions
Frank's sensitive data access group adds restrictions for confidential employee information. This layer controls which fields and documents are visible based on sensitivity settings.

All three layers must grant access for a user to see information: a user needs Jira access AND project access AND (for sensitive data) membership in the access group. A denial at any layer wins, and Frank adds no access that Jira or Confluence has not already granted.

What the Rovo agent respects

When employees ask Frank questions through Rovo, Frank respects all permission layers:

  • Frank only shows information from Confluence pages the employee can access

  • Frank doesn't reveal sensitive data about other people to users outside the sensitive data access group

  • Frank doesn't surface documents the employee doesn't have permission to see

This means employees can ask questions without seeing information the underlying permissions hide from them. The converse also holds: Frank is only as restrictive as those layers, so an over-broad project permission or page restriction is reflected in Rovo answers as well, which is one more reason to test the layers directly rather than rely on the agent.

Auditing access

Jira audit logs track who views and edits employee records. Confluence audit logs track access to pages in the People space and policy documentation. Use these logs to:

  • Verify that access patterns match expectations

  • Investigate if you suspect unauthorized access

  • Provide evidence for compliance reviews

  • Track changes to sensitive employee data

Best practices

Regular reviews: Periodically check who has access to sensitive data. Remove access when roles change.

Least privilege: Grant only the access people need. It's easier to expand access than restrict it.

Documentation: Keep records of your permission decisions for compliance purposes.

Testing: After configuring permissions, test by viewing employee data as different user types to confirm restrictions work correctly.
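The layered check, the audit review and the "view as different user types" test can all be exercised against one small model of the policy. The following is an added example written for this page, not code from Frank or Atlassian: the user names, the project key EMP, the field names, the rule that a person may see their own sensitive fields, and the audit record format are all constructed assumptions standing in for settings that live in Atlassian admin and Frank's sensitive data access group.

```python
"""Model of the layered permission check this page describes, plus an
audit replay and a per-user-type test matrix.

Added example: not code from Frank or Atlassian. User names, project key
EMP, field names and the audit record format are constructed assumptions.
"""
from dataclasses import dataclass

# Layer 1 (assumed sample): which Atlassian products each user can access.
PRODUCT_ACCESS = {
    "alice": {"jira", "confluence"},
    "bob": {"jira", "confluence"},
    "carol": {"confluence"},  # no Jira: cannot see employee records at all
    "dave": {"jira", "confluence"},
}
# Layer 2 (assumed sample): users allowed to browse the employee project.
PROJECT_MEMBERS = {"alice", "bob", "dave"}
# Layer 3 (assumed sample): Frank's sensitive data access group.
SENSITIVE_GROUP = {"alice"}
# Fields treated as confidential (assumed names).
SENSITIVE_FIELDS = {"salary", "home_address", "medical_notes"}


@dataclass(frozen=True)
class EmployeeRecord:
    key: str      # Jira issue key in the employee project
    owner: str    # the employee the record is about
    fields: dict  # field name -> value


RECORDS = [
    EmployeeRecord("EMP-1", "dave", {"title": "Engineer", "salary": 90000,
                                     "home_address": "1 Example St"}),
    EmployeeRecord("EMP-2", "bob", {"title": "Analyst", "salary": 70000}),
]


def visible_fields(user, record):
    """Fields of `record` that `user` may see, or None if the record itself
    is hidden. Every layer must grant access: it is an AND, never an OR."""
    if "jira" not in PRODUCT_ACCESS.get(user, set()):
        return None                      # layer 1 denies
    if user not in PROJECT_MEMBERS:
        return None                      # layer 2 denies
    allowed = {}
    for name, value in record.fields.items():
        if name in SENSITIVE_FIELDS:
            # Assumption: a person may see their own sensitive data; anyone
            # else needs layer 3 (the sensitive data access group).
            if user != record.owner and user not in SENSITIVE_GROUP:
                continue
        allowed[name] = value
    return allowed


def access_matrix(users, records):
    """The 'test as different user types' practice: for every user and
    record, list the field names they would see (None = record hidden)."""
    matrix = {}
    for user in users:
        row = {}
        for record in records:
            seen = visible_fields(user, record)
            row[record.key] = None if seen is None else sorted(seen)
        matrix[user] = row
    return matrix


# Constructed stand-in for an audit export: (user, record key, field read).
AUDIT_SAMPLE = [
    ("alice", "EMP-2", "salary"),  # group member: expected
    ("dave", "EMP-1", "salary"),   # own record: expected
    ("bob", "EMP-1", "title"),     # non-sensitive field: expected
    ("bob", "EMP-1", "salary"),    # another person's salary: unexpected
    ("carol", "EMP-2", "title"),   # no Jira access at all: unexpected
]


def unexpected_reads(records, audit):
    """Replay audit entries against the policy and return those the policy
    says should not have happened; each one is worth investigating."""
    by_key = {r.key: r for r in records}
    flagged = []
    for user, key, field_name in audit:
        seen = visible_fields(user, by_key[key])
        if seen is None or field_name not in seen:
            flagged.append((user, key, field_name))
    return flagged


if __name__ == "__main__":
    for user, row in access_matrix(sorted(PRODUCT_ACCESS), RECORDS).items():
        print(user, row)
    print("unexpected:", unexpected_reads(RECORDS, AUDIT_SAMPLE))
```

Running the script prints one row per user showing exactly which fields of each record that user type would see, which is the check to repeat after every permission change. A non-empty result from the audit replay means either an access was granted that the policy model does not expect (investigate the user) or the model is out of date with the real configuration (update the model and your documentation); both outcomes are useful.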