AI Clearance Security and Privacy

AI Clearance supports connectorless governance inside Atlassian Forge and connector-backed provisioning through ArdSaor Core for Okta or Microsoft Entra group membership.

1. Fulfillment Modes

  • Connectorless tools: AI Clearance stores app data in Forge storage and records the access grant, lifecycle, and evidence trail without changing provider accounts.
  • Connector-backed tools: AI Clearance uses backend egress from Forge functions to ArdSaor Core. ArdSaor Core calls the customer’s configured Okta or Microsoft Entra tenant to create or use provider groups and provision, deprovision, or check group membership.

2. Connected Data Flow

  1. A Jira admin creates an Okta or Microsoft Entra connector.
  2. A Jira admin maps an Atlassian account to an external provider identity.
  3. A Jira admin creates or binds one provider entitlement group per connected catalog tool.
  4. The admin assigns that provider group to the real app/resource in Okta or Entra.
  5. AI Clearance approves a request and queues a provisioning job.
  6. Forge resolves the mapped external identity and sends a signed request to ArdSaor Core with the tool entitlement group.
  7. ArdSaor Core calls the configured identity provider and returns a structured result.
  8. AI Clearance stores grant, job, and audit state in Forge storage.

3. Data Processed In Connected Mode

  • Jira site and installation identifiers.
  • Connector type, connector identifier, provider group identifier, provider group display name/slug, and connector status.
  • Request, grant, and provisioning job identifiers and timestamps.
  • Atlassian account ID and admin-managed external identity mapping.
  • Provider result metadata needed to reconcile the job.

AI Clearance does not rely on Jira email as an automatic fallback because Jira email can be unavailable under privacy settings.

4. Secrets and Logging

  • Provider credentials and ArdSaor Core shared secrets are not exposed to browser code.
  • Connector secrets use Forge secret storage or approved backend secret storage.
  • Logs must not include API tokens, bearer tokens, client secrets, or full connector configs.
  • Missing identity mappings fail into a manual follow-up state rather than silently activating provider access.
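
An added sketch of steps 5 to 7 of the connected data flow, together with the missing-mapping and logging rules above, in plain Node.js; it is not AI Clearance or ArdSaor Core code. The page does not specify the signing scheme, so HMAC-SHA256 over a timestamp and body, the header names, field names, state labels, and function names are all assumptions.

```javascript
// Added illustration; not AI Clearance or ArdSaor Core code.
// Assumed: HMAC-SHA256 signing, header names, field names, and state labels.
const crypto = require('node:crypto');

const SENSITIVE_KEY = /token|secret|authorization|signature/i;

// Copy a value for logging, masking any key that looks like a credential.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map(redactForLog);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(Object.entries(value).map(([k, v]) =>
    [k, SENSITIVE_KEY.test(k) ? '[REDACTED]' : redactForLog(v)]));
}

function sign(secret, timestamp, body) {
  return crypto.createHmac('sha256', secret).update(`${timestamp}.${body}`).digest('hex');
}

// Sending side: resolve the admin-managed mapping (a Map), then sign the request.
// A missing mapping returns a manual follow-up state and builds no request.
function buildProvisioningRequest(job, mappings, secret, now = Date.now()) {
  const externalIdentity = mappings.get(job.atlassianAccountId);
  if (!externalIdentity) {
    return { state: 'manual_follow_up', reason: 'missing_identity_mapping', request: null };
  }
  const body = JSON.stringify({
    jobId: job.jobId, action: job.action,
    externalIdentity, providerGroupId: job.providerGroupId,
  });
  const timestamp = String(now);
  return { state: 'ready', request: { body, headers: {
    'x-timestamp': timestamp, 'x-signature': sign(secret, timestamp, body) } } };
}

// Receiving side: reject stale or tampered requests before any provider call.
function verifyProvisioningRequest(request, secret, now = Date.now(), maxSkewMs = 300000) {
  const timestamp = request.headers['x-timestamp'];
  if (!/^\d+$/.test(timestamp || '') || Math.abs(now - Number(timestamp)) > maxSkewMs) return false;
  const expected = Buffer.from(sign(secret, timestamp, request.body), 'hex');
  const given = Buffer.from(String(request.headers['x-signature'] || ''), 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Pass every object through `redactForLog` before it reaches a logger, including the built request, so the signature header and any connector credentials are masked.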

5. Supported Connectors

  • Okta group membership.
  • Microsoft Entra group membership.

Arbitrary webhook connectors are not supported. AI Clearance does not automatically assign Okta or Entra apps/resources to groups, and it does not automatically provision generic AI-vendor/API accounts unless the customer’s IdP group already controls that entitlement.

6. Admin Controls

  • Admins control connector configuration, identity mappings, and connected tool group setup.
  • Admins can disable a connector to stop new automated provider actions.
  • Connectorless fulfillment remains available for tools that should not use provider automation.

7. Related Policies

See the ArdSaor Privacy Policy, Security Policy, and AI Clearance Operations Guide for the broader product and support context.