Last updated Jul 18, 2024

Prepare your tool for data classification in Atlassian products

Overview

Protecting sensitive information is an important strategy as the need to safeguard such data evolves. A comprehensive Data Loss Prevention (DLP) strategy is crucial for protecting your organization against both intentional and accidental data loss or misuse, which could otherwise pose a serious risk to your business. Atlassian offers you DLP solutions that include data classification, data security policies, and data redaction.

Data classification

Data classification APIs allow users to apply their models of data governance and sensitivity to the data they store in Atlassian cloud.

Data classification works best alongside our other DLP and threat detection capabilities, which together form an interconnected set of information security tools.

With data classification, our objectives are:

  • Connecting security/detection tools with data classification APIs
  • Providing admins with the ability to put data classifications into practice in their Atlassian products
  • Enabling end-users to classify data

Background

With this capability, customers can organize and categorize their content by classifying it: that is, attaching labels to workspaces, pages, issues, etc. to clearly denote the sensitivity of data stored in our products.

With Atlassian Guard, data classifications will form the basis of targeted application for Data Security Policies, such as public sharing controls and page export controls.

Before you begin

We assume that you understand the following:

What’s happening?

In our first release we’re focused on:

  • Protecting data based on classification levels: Create data security policies that can control public sharing or page exports in Confluence based on classification levels.

  • Classifying spaces and pages: Set a default classification level for a Confluence space to classify all new and existing pages in that space or classify pages individually as needed.

  • Tracking data classification activity in the organization audit log: Activities include changes to classification levels on a Confluence page. Classification level is also included in audit log activities for page actions.

Confluence

The first public release of data classification in Confluence will include the following APIs.

Classification level

GET /classification-levels

Returns the list of classification levels available for an org.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission)
  • Connect app scope required: READ
  • OAuth 2.0 scopes required: read:configuration:confluence

Example

GET /wiki/api/v2/classification-levels

200 OK
{
  "classificationLevels": [
    {
    "id": "<string>",
    "status": "DRAFT",
    "order": 45,
    "name": "<string>",
    "description": "<string>",
    "guideline": "<string>",
    "color": "RED"
    },
    {
    "id": "<string>",
    "status": "APPLIED",
    "order": 80,
    "name": "<string>",
    "description": "<string>",
    "guideline": "<string>",
    "color": "BLUE"
    },
    ...
  ]
}

Space default classification APIs

GET /spaces/{id}/classification-level/default

Returns the default classification level for a single space.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to view the space.
  • Connect app scope required: READ
  • OAuth 2.0 scopes required: read:space:confluence

Example

GET /wiki/api/v2/spaces/{id}/classification-level/default

200 OK
{
  "id": "<string>",
  "status": "DRAFT",
  "order": 45,
  "name": "<string>",
  "description": "<string>",
  "guideline": "<string>",
  "color": "RED"
}

PUT /spaces/{id}/classification-level/default

Update the default classification level for a single space.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and 'Admin' permission for the space.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: read:space:confluence, write:space:confluence

Example

PUT /wiki/api/v2/spaces/{id}/classification-level/default
{
  "id": "ari..."
}

204 OK

DELETE /spaces/{id}/classification-level/default

Deletes the default classification level for a single space.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and 'Admin' permission for the space.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: write:space:confluence

Example

DELETE /wiki/api/v2/spaces/{id}/classification-level/default

204 OK

Page data classification APIs

GET /pages/{id}/classification-level

Returns the classification level for a single page.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to view the page. Permission to edit the page is required if trying to view classification level for a draft.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: read:page:confluence, write:page:confluence

Example

GET /wiki/api/v2/pages/{id}/classification-level?status=[draft | current | archived]

200 OK
{
  "id": "<string>",
  "status": "DRAFT",
  "order": 45,
  "name": "<string>",
  "description": "<string>",
  "guideline": "<string>",
  "color": "RED"
}

PUT /pages/{id}/classification-level

Updates the classification level for a single page.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to edit the page.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: write:page:confluence

Example

PUT /wiki/api/v2/pages/{id}/classification-level
{
  "status": "current | draft",
  "id": "ari:..."
}

204 OK

POST /pages/{id}/classification-level/reset

Resets the classification level for a single page.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to view the page.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: write:page:confluence

Example

POST /wiki/api/v2/pages/{id}/classification-level/reset
{
  "status": "current | draft"
}

204 OK

Blog Post data classification APIs

GET /blogposts/{id}/classification-level

Returns the classification levels for a single blog post.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to view the blog post. Permission to edit the blog post is required if trying to view classification level for a draft.
  • Connect app scope required: READ
  • OAuth 2.0 scopes required: read:page:confluence, write:page:confluence

Example

GET /wiki/api/v2/blogposts/{id}/classification-level?status=[draft | current | archived]

200 OK
{
  "id": "<string>",
  "status": "DRAFT",
  "order": 45,
  "name": "<string>",
  "description": "<string>",
  "guideline": "<string>",
  "color": "RED"
}

PUT /blogposts/{id}/classification-level

Updates the classification levels for a single blog post.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to edit the blog post.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: write:page:confluence

Example

PUT /wiki/api/v2/blogposts/{id}/classification-level
{
  "status": "current | draft",
  "id": "ari:..."
}

204 OK

POST /blogposts/{id}/classification-level/reset

Resets the classification level for a single blog post.

  • Permissions required: Permission to access the Confluence site ('Can use' global permission) and permission to view the blog post.
  • Connect app scope required: WRITE
  • OAuth 2.0 scopes required: write:page:confluence

Example

POST /wiki/api/v2/blogposts/{id}/classification-level/reset
{
  "status": "current | draft"
}

204 OK

Jira

GET /rest/api/3/classification-levels

Returns all classification levels in an org.

  • Permissions required: None

  • Connect app scope required: READ

  • OAuth 2.0 scopes required:

    Classic (RECOMMENDED): read:jira-work. Granular: read:project:jira

Example

200
Response
{
  "classifications": [
    {
      "id": "ari:cloud:platform::classification-tag/5bfa70f7-4af1-44f5-9e12-1ce185f15a38",
      "status": "published",
      "name": "Restricted",
      "rank": 1,
      "description": "Data we hold that would be very damaging and would cause loss of trust with customers and present legal risk to Atlassian and/or customers if mishandled",
      "guideline": "Access to data must be restricted to only individuals who need access in order to perform their job duties.",
      "color": "RED"
    },
    {
      "id": "ari:cloud:platform::classification-tag/bd58e74c-c31b-41a7-ba69-9673ebd9dae9",
      "status": "archived",
      "name": "Protected",
      "rank": 2,
      "description": "Data we hold that could cause loss of trust with customers or present legal risk to Atlassian if mishandled",
      "guideline": "Access to systems or APIs mapping data to other identifiers must be carefully controlled.",
      "color": "ORANGE"
    },
    {
      "id": "ari:cloud:platform::classification-tag/a82d653e-1035-4aa2-b9de-4265511fd487",
      "status": "published",
      "name": "Confidential",
      "rank": 3,
      "description": "Data we hold that would likely be damaging and could cause loss of trust with our customers if mishandled",
      "guideline": "Data should be encrypted at rest and in transit.",
      "color": "BLUE"
    },
    {
      "id": "ari:cloud:platform::classification-tag/a82d653e-1035-4aa2-b9de-4265511fd487",
      "status": "published",
      "name": "system-tag"
    }
  ]
}
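The sample response above contains an archived level and a final entry that reuses an earlier `id` and carries no `rank`, so a tool ingesting this list should not index it blindly. The following is an added example, not Atlassian code: it indexes usable levels by `id` and fails closed on ids it cannot resolve. Using only `published` levels, treating the lowest `rank` as the strictest, and the `resolve` fallback policy are assumptions of this example, and the ARI suffixes are placeholders.

```python
# Constructed sample in the shape of the response above. The ARI suffixes are
# placeholders; the last entry reuses an id and has no rank, as in the page's sample.
PREFIX = "ari:cloud:platform::classification-tag/"
SAMPLE = {"classifications": [
    {"id": PREFIX + "AAA", "status": "published", "name": "Restricted", "rank": 1},
    {"id": PREFIX + "BBB", "status": "archived", "name": "Protected", "rank": 2},
    {"id": PREFIX + "CCC", "status": "published", "name": "Confidential", "rank": 3},
    {"id": PREFIX + "CCC", "status": "published", "name": "system-tag"},
]}


def load_levels(payload):
    """Index usable levels by id; return (levels, problems)."""
    levels, problems, seen = {}, [], set()
    for entry in payload.get("classifications", []):
        level_id, name = entry.get("id"), entry.get("name")
        if not isinstance(level_id, str) or not level_id.startswith("ari:"):
            problems.append(("bad-id", name))
        elif level_id in seen:
            # Same id twice: keep the first entry, report the second.
            problems.append(("duplicate-id", name))
        elif entry.get("status") != "published":
            problems.append(("not-published", name))
        elif not isinstance(entry.get("rank"), int):
            problems.append(("no-rank", name))
        else:
            levels[level_id] = entry
        if isinstance(level_id, str):
            seen.add(level_id)
    return levels, problems


def resolve(levels, level_id):
    """Return (level name, needs_review) for a content item's classification id.

    Assumed policy: an id that is unknown or no longer published is handled
    like the strictest usable level (lowest rank) and flagged for review.
    """
    if level_id in levels:
        return levels[level_id]["name"], False
    if not levels:
        return None, True
    strictest = min(levels.values(), key=lambda lv: lv["rank"])
    return strictest["name"], True
```
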

GET /rest/api/3/project/{projectIdOrKey}/classification-level/default

Gets the default classification level for a project.

  • Permissions required:
    • Browse Projects project permission for the project.
    • Administer projects project permission for the project.
    • Administer Jira global permission.
  • Connect app scope required: READ
  • OAuth 2.0 scopes required: Classic (RECOMMENDED): read:jira-work. Granular: read:project:jira

Example

200 OK
{
  "id": "<string>",
  "status": "DRAFT",
  "order": 45,
  "name": "<string>",
  "description": "<string>",
  "guideline": "<string>",
  "color": "RED"
}

PUT /rest/api/3/project/{projectIdOrKey}/classification-level/default

Updates the default classification level for a project.

  • Permissions required:

    • Administer projects project permission for the project.
    • Administer Jira global permission.
  • Connect app scope required: ADMIN

  • OAuth 2.0 scopes required:

    Classic (RECOMMENDED): manage-jira-project. Granular: write:project:jira

DELETE /rest/api/3/project/{projectIdOrKey}/classification-level/default

Deletes the default classification level for a project.

  • Permissions required:

    • Administer projects project permission for the project.
    • Administer Jira global permission.
  • Connect app scope required: ADMIN

  • OAuth 2.0 scopes required:

    Classic (RECOMMENDED): manage-jira-project. Granular: write:project:jira

Understand the process of creating classification levels and classifying Confluence spaces and Jira projects
