Quick Start

The following is intended to be a quick start for those familiar with data retention tools and are looking to quickly deploy Content Retention Manager for Jira.

Warning

We recommend trying our app out first on a development, test, or staging tenant first to familiarize yourself with the features and capabilities. This will help make sure the app conforms to your policies and expectations.

In this guide we'll do the following

1. Install the app
2. Set your policy
3. Audit your content
4. Grant extensions
5. Deploy automated retention enforcement

Prerequisites

1. A defined company policy on data retention or information governance. We'll want to use this to define our policy within Content Retention Manager for Jira.
2. An active Jira Cloud or Jira Service Management site.
3. A user account with Jira Admin (Site-Admin) privileges.

Installation

1. Install Content Retention Manager for Jira on the Atlassian Marketplace on your desired Jira instance.

2. You can find Content Retention Manager for Jira by clicking the top-level menu Apps -> Manage your apps, then under Apps section on the left navigation pane.

Setting up your Retention Policies

Leave automation off for now

It is advisable to audit your content after setting the retention policies. Enabling automation at this stage may result in the deletion and potential irreversible purging of expired content from your space. Please keep in mind that the primary objective of this application is to assist with data compliance.

1. Click the Policies tab. Here you will set your team's defined retention policy in days and designate and granular entity-specific retention policies.

   Feature	Definition
   Default Retention	Where you select your site wide retention policy. This will be your global default across all projects.
   Retention Rules	Where you can set custom retention policies for specific entities, such as projects or users.
   Policies	Where you create your custom content retention policies. The days you set will help the audit tool flag all content that is nearing the end of the retention period or has expired past the retention policy. When automation is enabled, Content Retention Manager will purge content from Jira according to these policies.

2. Create a custom policy in Policies if you don't see a preset policy that matches your desired retention schedule. Refer to the Adding a Policy step below. Each policy has a defined retention period and a warning period. The warning period happens at the set number of days before expiration to notify users and admins of the upcoming content removal. This will help your team keep an eye on content expiring before they expire and request content to be excepted against the policy. Extensions can be granted manually on the Content Audit tab.

3. Be sure to click Save to apply your changes to the Policies settings. The changes will only take effect after they are saved.

Adding a Policy

1. Click the Add Policy button in the Policies section to create a new policy.

2. In the Add Policy dialog, start by entering a unique identifier in the Code field to distinguish the policy being created. Next, provide a clear and descriptive name in the Name field. In the Description field, outline the purpose and scope of the policy to ensure its intent is easily understood.

3. In the Trigger dropdown, select when the retention period should begin, such as when the content was last modified or created. Specify the duration for which the content should be retained in the Retention (days) field.

4. Additionally, in the Warning (days) field, enter the number of days before the retention period ends to mark the content as ending retention status as a warning.

5. Finally, select the appropriate Automation setting, choosing between applying the global automation settings (Default) or disabling automation for this policy (Disabled).

6. Once all the fields are filled out, click Apply to add the policy.

Adding a Rule

1. Click the Add Rule button in the Retention Rules section to create a new rule.

2. In the Add Rule dialog, first select the entity type for which you want to create the rule. For example, if you select User as entity type, you can then search for the user by their names and select a user for the rule.

3. In the Policy Definition dropdown, specify the retention policy for the selected user. This policy will override the default retention policy for contents created or last-modified by the user.

4. Optionally, you can select a time frame to limit what contents the rule applies to. Toggle the Apply to a time frame switch and specify the start and end dates.

5. Click Apply to add the user rule.

You can also select Project entity type and add a rule for a specific project, as shown below.

If you have defined Classification Levels (refer to Setting up your Classification Levels below), you can also select Classification level entity type and add a rule for a specific classification, as shown below.

Tip

If content matches multiple Rules, the following override order will apply:

• User rules take precedence, then
• Classification Level rules take precedence, then
• Space rules take precedence
• If no rules match, global Default Retention will apply

In addition, when content matches multiple User rules, the rule for the user who last modified the content takes priority over the rule for the user who created it.

By following these steps, you can customize your retention policies to fit the specific needs of your team and organization. Remember, auditing your content first ensures that you can review and adjust these policies before any automated actions take place.

Setting up your Classification Levels

Classification provides another dimension to categorize your content in Jira. As an admin, you can define multiple classification levels, assign a global default classification level, and assign a default classification level to each project. As a user, you can specify a classification level to an issue to override the project and the global default classifications, as long as you have the edit permission to the issue.

1. Select the Classification tab. This is where you will set a default classification level to apply to any content that is not specifically classified differently, and where you will set all Classification level definitions and the order of their sensitivity.

   Feature	Definition
   Default Classification	Where you select your site-wide classification level. This will be your global default across all projects.
   Classification Rules	Where you can set a default classification level for specific entities, such as projects.
   Classification Level	Where you create your custom classification levels. The order of the Rank indicates a sensitivity level with smaller number indicating more sensitive information. Classification levels will be presented in rank order to users when selecting a new level on a piece of content.

2. Create a new Classification Level if you don't see a preset level that matches your organization’s needs. Refer to the Adding a Classification Level section below. Each Classification Level has a name, a description, and a color for display along with a rank to help communicate the sensitivity of the level to a user.

3. Be sure to click Save to apply your changes to the Classification settings. The changes will only take effect after they are saved.

Adding a Classification Level

1. Click the Add Classification Level button in the Classification section to create a new classification level.

2. In the Add Classification Level dialog, start by entering a unique and descriptive name for the new level. In the Definition field, outline the purpose and scope of the classification to ensure its intent is easily understood.

3. Choose a Color to display alongside the classification to help convey its sensitivity when it is applied to content.

4. Finally, choose a Rank for the classification level to help convey its sensitivity to your users. If you choose a Rank that is already in use by another classification level, they will then be displayed in order seen in the Classification tab. You can choose unique ranks for each level.

Adding a Classification Rule

1. Click the Add Rule button in the Classification Rules section to create a new rule.

2. In the Add Rule dialog, first select the entity type for which you want to create the rule. For example, if you select Project as entity type, you can then search for the projects by their names and select a project for the rule.

3. In the Classification Level dropdown, specify the classification level for the selected project. This policy will override the default classification for contents in the selected project.

4. Click Apply to add the project rule.

By following these steps, you can customize your classification to fit the specific needs of your team and organization.

Classification Level Visibility and Management

When viewing an issue, a Jira user can bring up the Classification panel by clicking the Apps button and select Classification. The Classification panel provides quick and easy access to classification details.

Users with Edit permission of the issue can update the Classification Level by:

• Selecting a new level from the dropdown menu.
• Using the search field to quickly filter and locate the desired Classification Level by typing part or all of its name.
• Once a new Classification Level is selected, the updated level is reflected in the panel.

Tip

If Use Default is selected, the issue-specific classification level override is removed and the classification rules and global default classification will determine the effective classification level for the issue.

Audit your content

Click on Content Audit. Here you will find the dashboard that allows you to comb through all content by status against the defined retention policy. You can use Filters to sort through content that is in the following statuses:

Status	Definition	Document Status
Retained	Content is in an active state and available. This means it hasn't expired per your policy or any extensions.	Accessible & Discoverable
Extended	Content in which an admin has granted a specific retention policy that can either be shorter or longer than the company's global retention period.	Accessible & Discoverable
Evergreen	Content in which an admin has extended the retention policy indefinitely. This content will never expire or be automatically removed.	Accessible & Discoverable
Ending	Content is nearing end of your retention period and you should determine if it needs to be granted an extension or if it's ok to be removed.	Accessible & Discoverable
Ended	Content has expired against your defined retention policy. When a retention period of content ends, the content is then Purged (irrecoverable) after a defined period of time in your Policies.	Purged non-Discoverable

Setting extensions

To extend the retention period for individual content, select one or more items and click Add Extension. You can also bulk edit multiple pieces of content to save time. There are two types of extensions:

• Defined Extensions, which allows you to set an explicit retention date by content. This sets a specific date in the future you would like this content to conform to.

• Indefinite “Evergreen” Extensions, which allows you to mark content such that it never expires against a retention policy.

Information

Extensions are applied to individual content and take precedence over all policy settings, including retention rules.

Remove Expired Content

Warning

Only after you have audited your content and granted extensions to your retention policies, should you begin removal of any content that has expired against your company's defined retention period.

On the Automation tab you can enable automated purging of content. This allows the app to routinely remove content from your instance based on it's retention status. As content expires against the retention policy, it is purged based on your settings. Automated purge allows the app to fully remove content from your system after a period of time. At this point the content is irrecoverable to anyone and is no longer considered “discoverable.”

Setting up Automated Content Removal

Leave automation off until you have performed a manual audit of all content you wish to retain and purge.

Once you enable automation any expired content will be purged as defined by the policies you set.

1. Click the Automation tab. This is where you can enable automation.

2. You can enable the toggle to automatically purge content, if desired.

3. Set the number of days after the retention period you want the content purged (no longer discoverable).

4. Click Save. At this point, automation will start purging any content based on your policies and the lifecycle of the content with Atlassian Jira.

Warning

We recommend you have a few days between expire and purge as a backstop should content be removed that should have been retained but not flagged ahead of time.

Final Steps and Considerations

Remember, ongoing retention management is critical to conform to the array of laws and regulations, how you plan on enforcing is up to your team's operational plan. With Content Retention Manager for Atlassian Jira to can decide how much automation or manual process you would like. We recommend starting with manual auditing and removal for a period of time as you get familiar with the product. This will also make sure you don't accidentally remove something important. Remember, the goal is to keep what you need and remove what you don't.

Content Status

Atlassian has multiple status levels to understand on how content exists. Discoverability for investigations and compliance is considered any time anyone (including an admin) can access or recover content.

Document Status	Visibility	Discoverable
Live	Anyone Can View (limited to the content's visibility settings)
Archived	Admins in Jira can archive projects and issues in Jira Premium
Purged	No longer visible nor recoverable. Any trace of the content is removed.

Discoverability and Liability is critical to understand

Archiving and Deleting is not enough, so long as someone can recover a project or issue in Jira, it's considered discoverable legal actions and privacy regulations. It's important that you actively maintain a policy that factors in what you want to be discoverable according to your Legal, CISO, and HR team requirements.

Don't forget the Audit Log

The Audit log is a permanent record for you to provide for any investigation to know who and when may have set or updated a policy, defined an extension, deleted, or purged content. If the issue or project is deleted or purged by automation it'll show up as such. The log only identifies content on a limited ID, it will not log the content itself.