
This sucks but isn't Atlassian's fault. The lesson is of course to never connect an account you don't own to anything you can't afford to lose.



I understand Atlassian's part here. But Atlassian did this on purpose. They clearly understand the implication and the ownership of accounts, but they deliberately ignored individual users over big corporate accounts. And in my case, they didn't even have the courtesy to notify me in any way. It just stopped working one day, leaving all my data unable to be used.


> They clearly understand the implication and the ownership of accounts

Clearly understand what "implication"? From what I can see, all Atlassian knows is that there is an account with two email addresses attached to it. They have no way of knowing which email belongs to the "right" owner of the account. That's something the two parties involved--the two owners of the two emails--need to work out between them, and then give Atlassian a common response.


Last time I used Trello they had a relatively extensive concept of organizations and board ownership. While they might not have an idea about which email is the fictitious canonical owner of the account, this still falls on Atlassian.

They created this system that allowed AcmeCorp to change a setting and subsequently lock an ex-employee out of non-organisation data. They know which of this account's content is related to the organisation; they allow using a single identity for both private and corporate use cases at the same time. That's a use case their user-facing interface actively encouraged. When I left the last company using Trello that distinction was pretty clear cut when I removed ties to the organisation.

The linked thread reads like deliberate design decisions that turned out to be user-hostile in favour of AcmeCorp. You don't have to assign a correct owner. Their data model seems pretty clear cut on which parts of an account are owned by which identity. If they develop a system that allows me to log in via a private and a corporate email, have a data model that allows them to determine data ownership for the two, and yet decide to give one of those identities leverage over the other, it's okay to at least blame them partially. There are three parties involved here; none of them did everything correctly, but only one had negative impact from this.


> they allow using a single identity for both private and corporate use cases at the same time. That's a use case their user-facing interface actively encouraged.

This seems to me to be the root of the problem, because to me this is obviously a bad idea and should be actively discouraged, if not prohibited altogether. If Atlassian, or some predecessor owner of Trello, did actively encourage this, then I agree they bear some culpability.


I guess that's one of those decisions that made sense at the time. IIRC the organisation part was an afterthought after people started using it for these use cases; they now seem to have account switching in their app that would cater to the more modern use case.

In theory I actually prefer this data model: one identity (because that's the physical reality) and a sane permission model on who owns what data this identity has access to. But sadly nobody seems to have time to get that right in a mixed B2C/B2B product.


Sounds like an Atlassian move to me...


You actually were lucky that this didn't bite you until now. Not fair to blame your old job for waiting this long to force MFA.

Edit: you can't say what they did deliberately or not. They're doing what makes the most sense for their business. Almost no support team I know would give you access to this account.


Why would they allow an account with multiple email addresses to log in with the non-SSO one? In your case you aren't malicious, but this could be used maliciously:

- add your personal email

- get fired, log in with that email, and now have all the data


I would argue that the "right" course of action is to immediately require human intervention when an SSO email is added to an account (or an existing account with an email address, such as a startup "going big league", becomes SSO managed), so that account ownership issues are resolved at that point in time by the parties with ownership interest, not Atlassian having to do so.


The ownership of data is attached to the email. As soon as I left my workplace, none of the data created under my company account was visible to me. On top of that, they launched SSO support lately. It was not SSO when I connected my accounts years back.


Why not just prevent the user from accessing boards owned by the company?
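The two designs argued over above (require human resolution when an SSO-claimed domain is attached to an account that also has other emails, and restrict the personal login only to boards the organisation does not own, rather than locking the whole account) sketched as an added illustration. This is constructed example code, not Trello's or Atlassian's implementation; the `Account`, `Board` and ownership-string conventions are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Board:
    board_id: str
    owner: str  # assumed convention: "user:<id>" or "org:<domain>"


@dataclass
class Account:
    user_id: str
    emails: set
    sso_domains: set = field(default_factory=set)  # domains an org enforces SSO on
    pending_resolution: bool = False


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def claim_domain(account: Account, domain: str) -> bool:
    """An org turns on SSO enforcement for its domain. Instead of silently handing the
    whole account to the org, flag it when other identities are attached, so the two
    parties (not the vendor) decide who owns what. Returns True if resolution is needed."""
    account.sso_domains.add(domain.lower())
    if any(_domain(e) != domain.lower() for e in account.emails):
        account.pending_resolution = True
    return account.pending_resolution


def blanket_login_allowed(account: Account, login_email: str) -> bool:
    """The outcome described in the thread: any SSO-claimed domain on the account
    blocks every non-SSO login, personal data included."""
    return not account.sso_domains or _domain(login_email) in account.sso_domains


def visible_boards(account: Account, login_email: str, boards: list) -> list:
    """Scoped alternative: the personal email keeps working, but boards owned by an
    SSO-enforced org are only reachable when logged in through that org's identity."""
    login_domain = _domain(login_email)
    visible = []
    for b in boards:
        if b.owner.startswith("org:"):
            org = b.owner[len("org:"):]
            if org in account.sso_domains and login_domain != org:
                continue  # org-owned board: needs the org's SSO login
        visible.append(b)
    return visible
```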


Why would they allow an account to have more than one email address?


Curious how this isn't Atlassian's fault. Can you elaborate?


Going on a stretch here, but assuming that the user also used the company email for SSO, that means the company's (paying client's) trade secrets were potentially in some of the Trello boards the user was using.

Considering that it would be an invasion of privacy and confidentiality for Atlassian to access the content of the boards to assess which ones are corporate and which ones are personal, Atlassian took the safer approach to satisfy a paying client.

Consider that as a free user, with no advertising to monetize you, one could guess that Trello used you for advertising (unless you are a paying user for your personal account, which could change the story).

Of course I am not a big fan of the approach, because the user probably linked personal and work accounts for convenience, and Trello probably didn't make it easy to switch between work and personal.

On the other hand, how do you prove that an email address is a personal one?


I am the user in this case. When I linked the accounts almost 6-7 years ago, Trello was not part of Atlassian and there was no SSO in place. At some point, they introduced it, but still, the regular way of login was working. There was no notification from their side that it would stop working abruptly. The company email address in this case was @company.com and the personal one was @gmail.com. This is how they handed over all the accounts ending with @company.com to my previous company.


> When I linked the accounts almost 6-7 years ago

When you did this, was the Trello account used for just your work with that employer? Or for both work and your personal stuff? Or just your personal stuff?

[Edit: I see from your response elsewhere in this discussion that it's the second of the options above. I'll respond further in that subthread.]


I understood you were the user, and that Atlassian was way too cold and lazy on their part.

But again, to play devil's advocate, Gmail does offer professional accounts as part of G Suite. Without knowing your work history, it would be difficult to know whether the Gmail address is also not a "professional" one.

On the other hand, do you think a notification would have solved the issue? And wouldn't a more malicious employee just delete all the boards if they did not part with their previous company on good terms?

Obviously I don't know everything from the story, and my assertions may be very far from the truth. I am trying to understand what would motivate such a decision (besides the obvious "Atlassian is a heartless money-grabbing company that rots everything it touches").


The ownership of boards is by account. In this case, all the company boards were invisible to me anyway, as my login email was my personal Gmail account and I only had permission to delete boards owned under my account.


The user should have removed the work account from the valuable personal account immediately after leaving the job.


Sure. But he forgot. That's not a reason to give the company, with which he is no longer affiliated and to whose boards he hasn't had access for years, ownership of his personal account and all its boards.




