Last updated Mar 18, 2024

What is a data security policy?

A data security policy helps you keep your organization’s data secure by letting you govern how users, apps, and people outside and within your organization can interact with content such as Confluence pages and Jira issues.

Data security policies adopt a content-centric approach to regulating the utilization of your data within Atlassian products.

How data security policies work

There are three main components of a data security policy:

  • policyCoverageLevel
  • rule(s)
  • resources

Policy coverage level

This outlines the range of data that the policy will encompass.

WORKSPACE: A component within a product that provides structure and organization of spaces and projects. This level applies to a product or site, such as a Confluence or Jira instance, where the policy is implemented.

CLASSIFICATION: Organizational classification levels enable users to categorize their content. By integrating classification with a policy, it can be applied across Confluence, Jira, and Jira Service Management. For instance, an organization might have a Confluence space that requires page classification.

Leaving the policyCoverageLevel blank indicates that it is unassigned, and it can be changed to any other policyCoverageLevel. However, once policyCoverageLevel is set to WORKSPACE or CLASSIFICATION, it is fixed and cannot be changed.


The rule(s) define the specific rules or constraints that are to be applied to the data under the given policyCoverageLevel.

The rule object might be set to empty, indicating that no specific rule will be enforced. It's important to note that not every rule is applicable across all policyCoverageLevels. A detailed matrix showing which rules are applicable at each level of coverage can be accessed through the DSP Rules/Coverage Matrix.

  • export: This is a boolean rule that, when activated by setting it to true, blocks the ability to export pages.

  • publicLinks: This is a boolean rule that, if set to true, restricts the sharing of individual pages.

  • anonymousAccess: This is a boolean rule that, when activated by setting it to true, restricts anonymous users from accessing pages or resources.

Show me how to manage data security policy rules


Resources are the collection of data that the rule, based on the specified policyCoverageLevel, is meant to regulate.

WORKSPACE: Resources related to the workspace or product can be included.

CLASSIFICATION: A maximum of 10 data classification levels are permissible.

There are limits to the number of resources that can be added for each policyCoverageLevel.
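The constraints described above can be checked locally before a policy change is submitted. The following is an added example, not Atlassian code: the dictionary layout and the function name `validate_policy_change` are assumptions, and only the three rules named on this page are recognized.

```python
# Added example: pre-flight check for a proposed data security policy change.
# The dict keys mirror the component names on this page; the real API payload
# shape is an assumption, and all sample values below are constructed.

COVERAGE_LEVELS = {"WORKSPACE", "CLASSIFICATION"}
BOOLEAN_RULES = {"export", "publicLinks", "anonymousAccess"}
MAX_CLASSIFICATION_RESOURCES = 10  # "maximum of 10 data classification levels"


def validate_policy_change(current, proposed):
    """Return a list of problems; an empty list means the change passes."""
    problems = []
    old_level = current.get("policyCoverageLevel") or None  # blank = unassigned
    new_level = proposed.get("policyCoverageLevel") or None

    if new_level is not None and new_level not in COVERAGE_LEVELS:
        problems.append(f"unknown policyCoverageLevel: {new_level!r}")
    # Once set to WORKSPACE or CLASSIFICATION, the level cannot be changed.
    if old_level in COVERAGE_LEVELS and new_level != old_level:
        problems.append(f"policyCoverageLevel is fixed at {old_level}")

    # An empty rule object is allowed: no rule is enforced.
    for name, value in (proposed.get("rules") or {}).items():
        if name not in BOOLEAN_RULES:
            problems.append(f"unknown rule: {name!r}")
        elif not isinstance(value, bool):
            problems.append(f"rule {name!r} must be true or false")

    resources = proposed.get("resources") or []
    if new_level == "CLASSIFICATION" and len(resources) > MAX_CLASSIFICATION_RESOURCES:
        problems.append(
            f"CLASSIFICATION allows at most {MAX_CLASSIFICATION_RESOURCES} levels"
        )
    return problems


if __name__ == "__main__":
    unassigned = {"policyCoverageLevel": ""}
    workspace = {"policyCoverageLevel": "WORKSPACE", "rules": {"export": True},
                 "resources": ["constructed-workspace-id"]}
    print(validate_policy_change(unassigned, workspace))  # assigning a level
    retarget = dict(workspace, policyCoverageLevel="CLASSIFICATION")
    print(validate_policy_change(workspace, retarget))    # changing a fixed level
```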

Explore and learn with our cookbook and create a data security policy
