Securing Atlassian Rovo: Fine-Grained Policy for AI Agents with PortcullisMCP

A PoC of agent-specific policy in action

Giving AI agents access to your internal Jira and/or Confluence data can be incredibly powerful. But for your security team, it’s a nightmare. Without the appropriate infrastructure, they have little control and minimal oversight over what those agents can do.

The open-source MCP Gateway PortcullisMCP has successfully added a new integration: Atlassian Rovo. Rovo is the Atlassian AI assistant, and it lets you use a chat interface to ask questions about Jira issues, or Confluence web pages, create issues, pages, Bitbucket commits, etc. Rovo also supports an MCP which lets you connect your desktop agents and tools, so they can interact with the Atlassian system directly.

But what if you want to control how those agents are able to interact with your Atlassian data? By default, Atlassian has very coarse controls over what agents can and can’t do. Which isn’t really a criticism of Atlassian, powerful authorization policy requires a fresh way to think about how you implement it.

With PortcullisMCP, you gain new, fine-grained controls over agent access, controls that are sure to make your security officers and auditors happier:

• Every MCP tool request is gated by policy rules. It will not be executed unless authorized by the organization.

• Every MCP tool request is logged, and includes the identity of the user who is operating the agent. This includes access to third-party MCPs.

• Tool access policy is fine-grained. For example, with Portcullis and Atlassian:

  • You can control which spaces are accessible to agents

  • You can control which Rovo tools are accessible to agents

    • And give agents different access to tools based on the credentials of the user

  • You can mix and match: agents can read and write to space ABC, but only read from space EFG

  • Human-in-the-Loop: agents can only write to space XYZ if the action is, say, externally approved by a human (via Portcullis), and the human has authenticated with MFA

  • Agents can create issues in space FGH, but only if the title of the issue includes the words “Agent-Created”

  • Agents can create issues, but certain patterns (social security numbers or access tokens) can’t be included in the title or body of the issue

  • (Note that these are just examples, you have the full power of your preferred policy engine available to you)

Example

Portcullis is engine-agnostic, and is designed to work with most popular policy languages (Cedar, Rego, etc). We’ve created a simple JSON-based policy model as a starting point, but you can express more sophisticated policy as you prefer.

 "getJiraIssue" : {
               "allow" : {
                   "groups" : ["authenticated-users"]
                },
                "deny" : {
                   "arg_restrictions" : [
                       { "type":"prefix","key_path":"resource.arguments.issueIdOrKey", "data":"HO"}
                   ]
                },
                "escalate" : {
                    "arg_restrictions" : [
                       { "type":"prefix","key_path":"resource.arguments.issueIdOrKey", "data":"HITL"}
                    ]
                }
         },

In this example, access to most spaces is allowed by default. Access to the HO (Human Only) space is forbidden, and access to the HITL (Human in the Loop) space requires out-of-band, JWT-based approval.

Programmatic Policy

The JSON-based policy model is the starting point. We designed Portcullis so the JSON option is accessible, sophisticated handwritten policy is available, and you can even use the JSON option to start and fall back to more complex policy as required.

Conclusions

You may have spent some time thinking about how you’ll govern AI Agent access to your systems and third-party connections, and it might seem overwhelming. If you’ve been looking for a practical path from ‘we should have a policy’ to ‘we have enforced policy’, that’s exactly what Portcullis is built for.

If you’d like to know more, please feel free to reach out: johnbr@paclabs.io . Or drop a comment below!

Comments

[Mark Rogge]

Now *this* is where AI security finally gets real. Atlassian Rovo’s move toward fine-grained authorization exposes the exact problem most enterprises are still ignoring: authenticated AI agents are still massively overprivileged by default. OAuth proves identity — it does not govern what an agent should be allowed to do moment-to-moment across Jira, Confluence, MCP servers, plugins, and downstream actions.

This is the Authorization Gap EnforceAuth was built to solve. Runtime policy enforcement, least-privilege decisions, delegated authorization, and continuous action governance for AI agents are rapidly becoming mandatory infrastructure for every CISO deploying agentic AI. “Polite AI ≠ Secure AI.” — Mark O. Rogge, Founder & CEO of EnforceAuth