Atlassian's Jira ACP-520 Certification Sample Questions

When you see choices about key lifetime or restrictions focus on the management scope which is usually the project or resource and not the individual user and look for statements about explicit expirations like eleven months as clues to the correct answer.

The correct options are The organization administrator can deactivate Samir’s account, Samir can gain access to products outside of his organization, and Leila can change her account details and set her own password policy.

The organization administrator can deactivate Samir’s account is correct because Samir is a managed account and managed accounts are under the control of the organization’s administrators who can suspend or deactivate access as part of account lifecycle management.

Samir can gain access to products outside of his organization is correct because managed identities can be granted roles and permissions on resources or products that belong to other projects or organizations when explicit access is given.

Leila can change her account details and set her own password policy is correct because an unmanaged account is controlled by the individual user and is not governed by the organization’s identity policies so the user manages profile settings and password choices.

The organization administrator can delete both accounts is incorrect because administrators can remove or suspend accounts that belong to their managed domain but they cannot delete personal unmanaged accounts that live outside the organization’s control.

The organization administrator can modify profile fields for both accounts is incorrect because administrators can edit profile fields for managed accounts but they do not have authority to change profile data for unmanaged accounts that are owned and controlled by individual users.

He has an active sandbox environment attached to the live production instance is the correct option.

He has an active sandbox environment attached to the live production instance would not by itself prevent changing the product subdomain because sandbox environments are typically isolated test copies and they do not lock the production domain settings. You can usually update production configuration even when a sandbox exists, although you may need to update or reattach the sandbox afterward so it continues to match production.

He is not an organization administrator is incorrect because lacking organization level administrative rights commonly prevents changing account wide settings such as product URLs or domain mappings. Administrative permission is often required to make those kinds of configuration updates.

He has already updated the product subdomain more than four times is incorrect because many platforms enforce a limit on how often a subdomain can be changed and hitting that limit would block further updates. Exceeding a change quota is a typical reason an update would be prevented.

He does not have any paid products listed on his account is incorrect because some services restrict custom domain or product subdomain changes to accounts with active paid listings or subscriptions. Not having paid products can therefore stop a subdomain update on platforms that tie domain features to billing status.

The correct options are Attachments from issues and comments in the sandbox can be viewed and downloaded, The sandbox preserves archived and deleted projects so they are visible in the test copy, and Customers who interact with the production project can also access the linked sandbox.

Attachments from issues and comments in the sandbox can be viewed and downloaded is correct because site copies include issue and comment attachments so testers can inspect and download the same files that exist in production. This lets teams validate workflows and integrations that rely on attached files.

The sandbox preserves archived and deleted projects so they are visible in the test copy is correct because the site copy process includes archived and deleted project data so the sandbox reflects the production project state for testing and auditing purposes.

Customers who interact with the production project can also access the linked sandbox is correct because customer request data and the customer accounts linked to the project are copied into the sandbox so those customer interactions remain available for testing of request flows.

Users from the production site are granted access to the sandbox automatically is incorrect because user access is not automatically granted just by creating a sandbox. Administrators must configure access or invite users to the sandbox instance.

The sandbox will have the same URL as the production site is incorrect because the sandbox is a separate environment and it will not share the production site URL for security and routing reasons.

Group names and memberships are identical so members retain their production group memberships in the sandbox is incorrect because group memberships and access controls are not guaranteed to be preserved exactly and administrators often need to reconcile or reconfigure groups in the sandbox.

The correct answer is Delete the user’s account.

When an organization verifies a user’s email domain the account becomes tied to that verified domain and the domain owner or identity provider is authoritative for account deletion. For that reason Delete the user’s account cannot be performed by the verifying organization even though they can manage access and roles.

Suspend the user’s account is incorrect because suspension is an access control action that blocks sign in while preserving user data and it can still be performed by admins who manage the account within the organization.

Grant product administrator access is incorrect because assigning product or administrator roles is a permissions and IAM action and it remains available to admins for users associated with the verified domain.

Deactivate the user’s account is incorrect because deactivation or disabling sign in is a reversible access control measure and it does not require the same ownership rights as permanently deleting the underlying account.

An organization administrator can remotely terminate Marco’s active sessions across Atlassian products is the correct statement.

This is correct because Marco has a managed account that belongs to the organization and organization administrators have the ability to remotely end sessions and revoke access for managed accounts across Atlassian Cloud products. Terminating active sessions is an organization level control and it applies to managed accounts so an admin can force Marco to sign out everywhere.

Only site administrators can suspend Priya and organization administrators cannot suspend unmanaged accounts is incorrect because the statement is too absolute. Organization administrators can suspend or remove access for accounts that are managed by the organization, but unmanaged accounts are not fully controlled by the organization so the blanket restriction in the option is misleading.

Marco can delete his own managed account without administrator intervention is incorrect because managed accounts are controlled by the organization and deletions or removals of managed accounts are typically performed by organization administrators. Individual users cannot fully delete a managed account without admin involvement.

An organization administrator can change Priya’s account details and password policy is incorrect because Priya has an unmanaged account and organization administrators do not have the same ability to change personal account details or apply password policies to unmanaged accounts. Those controls apply to accounts managed by the organization.

The correct options are Two Cloud instances linked to one Data Center instance and One Cloud instance linked to one Data Center instance.

A single application tunnel creates one logical path between the cloud environment and a single data center endpoint. Because the tunnel terminates at one remote endpoint multiple cloud instances or virtual machines can use that same tunnel to reach the data center. That behavior makes Two Cloud instances linked to one Data Center instance valid and it also allows the simple case of One Cloud instance linked to one Data Center instance.

Two Cloud instances linked to two Data Center instances is incorrect because a single tunnel cannot terminate at two separate data center endpoints. A single tunnel represents one remote termination and cannot directly connect two distinct on prem sites at the same time.

One Cloud instance connected to two Data Center instances is incorrect for the same reason. A single tunnel provides a path to a single remote endpoint so it cannot simultaneously reach two different data centers without creating additional tunnels or using other network constructs.

The correct options are Set the “User invites” configuration to “Require admin approval” and Change the product role assigned to the approved domain to “None”.

Set the “User invites” configuration to “Require admin approval” is correct because requiring admin approval stops new invite requests and accidental self joining from being accepted automatically, and this gives administrators control over who consumes paid seats.

Change the product role assigned to the approved domain to “None” is correct because approved domains can automatically assign product roles to accounts that match the domain, and setting the role to None prevents those accounts from receiving paid product access by default.

Disable anonymous access to the site is incorrect because anonymous access controls whether unauthenticated visitors can view content, and it does not prevent authenticated accounts from being created or assigned paid product seats.

Remove the default group that is assigned the Guest product role is incorrect because changing or removing a guest group does not stop users from being added as full licensed users, and it may not affect how approved domains or invite workflows assign product roles.

Turn off the “Approved domains” feature for the site is incorrect because disabling the feature is a blunt action that may not be necessary and it can remove domain allowlisting controls, and it does not address invite approval or targeted product role assignment which are the safer ways to prevent automatic assignment of paid seats.

The correct option is Company-managed Kanban project.

Company-managed Kanban project is correct because company-managed projects provide the configuration and permission controls needed to create boards that surface issues from multiple projects at once. Kanban is designed for continuous flow and does not require fixed sprint cycles, so it matches a team that plans to ship fixes on an ongoing basis.

Company-managed Kanban project also supports cross-project boards and custom filters so the customer support engineering group can view and manage work from several projects in a single board with centralized settings.

Team-managed Scrum project is incorrect because team-managed projects are scoped to a single team and the Scrum template uses timeboxed sprints, which does not fit the requirement to ship fixes continuously across multiple projects.

Company-managed Scrum project is incorrect because although company-managed projects can be configured for broader visibility the Scrum template enforces sprint planning and timeboxed iterations, and that does not match a continuous delivery workflow.

Team-managed Kanban project is incorrect because team-managed Kanban is limited to a single project and simpler settings, so it will not provide the cross-project visibility and centralized controls that the customer support engineering group needs.

The correct option is Automatically create tickets or append comments from incoming email.

Automatically create tickets or append comments from incoming email is not an advantage of deploying DMARC because DMARC only specifies authentication policies and reporting for email. It does not perform mailbox level processing or integrate with ticketing systems to create or modify tickets. Ticket creation and comment appending are functions of mail gateways, helpdesk platforms, or custom automation and not part of the DMARC protocol.

Reduce the risk of phishing and domain spoofing is incorrect because reducing phishing and preventing domain spoofing are primary goals of DMARC. Domains publish policies that tell receivers how to treat unauthenticated mail and DMARC builds on SPF and DKIM to provide domain alignment for that protection.

Improve the inbox delivery rate for legitimate email is incorrect because while DMARC does not guarantee placement it helps improve deliverability by increasing receiver trust in authenticated and aligned messages. Proper SPF and DKIM setup together with DMARC typically leads to better inbox performance for legitimate mail.

Provide reporting and visibility into authentication failures is incorrect because DMARC includes reporting mechanisms that send aggregate and optional forensic reports to domain owners. Those reports are a core DMARC feature and give visibility into authentication failures and how receivers handled messages.

The correct options are Create custom notification scheme, Configure incoming mail handler, and Update application title shown to users.

Create custom notification scheme is a Jira product level configuration that controls who receives notifications for issue events. A Jira administrator has the product permissions to create and assign notification schemes in the Jira administration interface while organization administrators manage organization wide concerns like domains and billing and they do not have this product configuration scope.

Configure incoming mail handler is configured inside Jira to control how incoming email is processed into issues or comments. This setting requires Jira administration access because it touches the product mail servers and mail handler settings that affect issue creation and updates.

Update application title shown to users is an appearance and product setting that changes the name users see in the Jira interface. Changing the application title is done in Jira administration and therefore requires Jira administrator privileges rather than organization administration rights.

Verify company domain ownership is an organization level task used to prove and manage ownership of domains for single sign on and user provisioning. That function is performed by an organization administrator and not by a Jira administrator.

The correct answer is: Confirm the site is on a Premium or Enterprise subscription.

This is correct because the Stakeholder role in Jira Service Management is a plan specific feature and it is provided on the Premium and Enterprise tiers. If the site is not on one of those subscription levels you cannot add users as stakeholders because the capability is gated by the product plan rather than by organization level settings.

Verify the organization has at least one verified domain is incorrect because domain verification is an organization management step that supports centralized controls and some admin features but it is not a prerequisite for assigning the Stakeholder role in JSM.

Enable Atlassian Access for the organization is incorrect because Atlassian Access is an optional security and SSO product and it is not required to add stakeholders. Access can enforce SSO and additional policies but it does not control whether the Stakeholder role is available.

Require stakeholders to use email addresses on the company domain is incorrect because there is no mandatory requirement that stakeholders use a company domain email. Stakeholders can be external and the restriction to company domain addresses is not a precondition for assigning the role.

The reciprocal application link on the on-premise instance was created by a different administrator so local authentication is enabled instead of OAuth.

The reciprocal application link on the on-premise instance was created by a different administrator so local authentication is enabled instead of OAuth is correct because application links must establish a mutual OAuth trust between both sides and the identity of the administrator who creates the reciprocal link determines the authentication mode. When the reciprocal link is created by a different administrator the on-premise instance can default to local authentication rather than using the shared OAuth credentials and that mismatch results in a persistent config error on both the cloud product and the on-prem server.

The reciprocal application link on the on-premise instance was created by a different administrator so local authentication is enabled instead of OAuth is typically resolved by recreating or editing the reciprocal link so that OAuth is explicitly used and so that the same credentials or administrative context are applied on both sides. Once the OAuth handshake is correctly established the config error status should clear.

The tunnel client reached the tunnel server but failed to validate the security key is not the most likely cause because a security key validation failure usually produces a clear authentication or key mismatch error at the transport layer rather than a general application link config error on both the cloud product and the on-premise application.

The tunnel client on the self-hosted node cannot establish a connection to the cloud tunnel server is unlikely because a connectivity failure to the tunnel server generally results in a connection or network error instead of a symmetric config error shown by both the cloud and the on-premise server that points to an authentication or link configuration problem.

The application link is tied to the wrong application tunnel or is missing the required HTTP connector and upstream port is incorrect for this symptom because missing connectors or incorrect tunnel bindings usually produce specific connector or port errors and they do not explain why both sides would show a config error caused by an authentication mode mismatch.

The correct option is Bitbucket.

Bitbucket cannot be linked to an Atlassian organization in the same centralized way as the other listed cloud products because Bitbucket Cloud uses a workspace centric model for repositories and access controls and it is managed at the workspace level rather than being attached to an organization for centralized product linking and membership management.

Statuspage is incorrect because Statuspage supports linking to an Atlassian organization so that teams can manage access and SSO consistently across the organization.

Trello is incorrect because Trello cloud instances can be connected to an Atlassian organization to allow centralized user and access management and to apply organization level policies.

Opsgenie is incorrect because Opsgenie supports being linked to an Atlassian organization which enables centralized user provisioning and single sign on for incident and on call management.

A group must contain at least one member is the assertion that is certainly untrue.

Groups can exist as empty containers to simplify administration or to allow role and permission assignments before users are added. Creating an empty group is a common practice so that access can be prepared or standardized without requiring immediate membership.

Accounts may belong to more than one group simultaneously is incorrect because most identity systems allow a user to be a member of multiple groups at once so that permissions can be composed from different group memberships.

A group can be granted access to multiple products is incorrect because groups are used to manage access across services and a single group can be granted permissions for multiple products or applications.

A group may be associated with several project roles is incorrect because groups can be assigned multiple roles within a project which lets administrators grant layered permissions through role assignments.

The correct answers are A tunnelled application link must be created from the cloud administration console and it uses an existing tunnel to route traffic to the target instance and An administrator can create up to 80 tunnels from the cloud console each pointing to a different self hosted instance.

The first correct option describes the normal configuration flow where you create an application link in the cloud administration console and that link references an existing tunnel so that traffic is routed to the intended self hosted target instance. The console based application link ties the higher level application endpoint to the lower level tunnel resource so traffic follows the established tunnel path to the instance.

The second correct option states the documented administrative quota for creating tunnels from the console and that each tunnel typically points to a distinct self hosted instance. This reflects the quota and resource model where multiple tunnel resources are created and managed independently and where the common limit is up to 80 such tunnels unless a different quota applies to your organization.

A single self hosted instance can accept multiple independent tunnels is incorrect. The application tunnel model assumes a one to one mapping between the application tunnel endpoint and the configured target endpoint in most setups, and the question specifically refers to the supported configuration described in the documentation rather than multiple independent application tunnels terminating on the same instance.

Application tunnels are not available on the free tier is incorrect. Availability of application tunnels is governed by service configuration and quotas rather than a blanket free tier restriction, and you should consult the product documentation and quota pages for exact limits and any billing implications.

The correct answers are Users added to a product count toward billing even if they never accept the invitation or sign in and You cannot switch to a Free tier while your subscription is billed annually.

The first correct statement reflects that billing is based on assigned seats and product membership rather than whether an invited user completes acceptance or signs in. If an account or product has users provisioned the billing system will count those seats for the subscription period even if the individual never activates their account.

The second correct statement reflects how annual subscriptions work. When a subscription is billed annually the seat and tier commitments are locked for the billing term so you cannot simply switch to a Free tier until the annual term ends or until the subscription is changed by the vendor under their billing policies.

Only users who accept invitations count toward billing is incorrect because it implies acceptance is required for billing. The billing model charges for assigned seats and product additions not for whether an invitee has accepted or signed in.

Product admin for Jira Administration is correct.

Product admin for Jira Administration gives the product administration rights needed to modify Jira global permission schemes without granting full system or site level privileges. This role lets Aisha manage product settings and global permissions while keeping permissions limited to what is required.

User access admin for Jira Software is focused on provisioning and managing user access across products and it does not grant the in-product global permission changes inside Jira.

Product admin for Jira Software administers the Jira Software product features but it is distinct from the Jira Administration product role and usually cannot change the global permission schemes that belong to Jira Administration.

User for Jira Software is a regular user role and it does not include administrative capabilities to modify global permissions.

Jira system administrator would be able to change global permissions but it grants far broader system level rights than necessary so it is not the minimal privilege Aisha should request.

The correct option is Board sub filter.

The Board sub filter allows Leah to apply additional JQL that limits what appears on the Kanban board without changing the board’s primary filter. This means the board view can be restricted to component = “Content Marketing” for all users while the main filter remains intact and the Pie Chart report continues to show the full dataset.

Quick filters are wrong because they require users to toggle buttons to apply the filter and they do not persist a global board view for all users.

Issue detail view is wrong because it only displays details for a selected issue in a side panel and it does not filter or change which issues appear on the board.

Board filter is wrong because changing the main filter alters the board’s underlying saved filter and that change will also affect reports and gadgets such as the Pie Chart.

Swimlanes are wrong because they only group or partition issues on the board and they do not remove non matching issues from the board or change the dataset used by reports.

Hide completed issues is wrong because it only hides issues in completed statuses and it does not filter by component or preserve the full dataset used by the Pie Chart.

Jira Align and Halp are correct.

Jira Align requires AtlasCloud support to remove the user account because Jira Align keeps user records in its own system and managed account unlinking must be handled by the product support team rather than through the standard AtlasCloud managed account UI.

Halp also requires AtlasCloud support to remove the user account because Halp’s provisioning and integrations are handled separately and removal of managed accounts is processed through support.

Trello is incorrect because Trello user access can be removed by organization administrators or through normal provisioning flows and does not generally require contacting AtlasCloud support.

Bitbucket is incorrect because Bitbucket Cloud accounts can be managed and deactivated by product or organization admins and via Atlassian Access provisioning without needing support intervention.

Opsgenie is incorrect because Opsgenie supports user management through its admin console or federated provisioning so support is not typically required to remove a managed account.

Atlassian Access is incorrect because Atlassian Access is the identity and access management layer and user removal or unlinking is handled through its controls rather than by opening a support ticket.

The correct options are Signing up for an Enterprise subscription will convert your other product subscriptions to annual billing and Concord Access is bundled for Enterprise users and is not billed separately.

The statement Signing up for an Enterprise subscription will convert your other product subscriptions to annual billing is correct because Enterprise plans typically enforce an annual commitment and enrolling under the enterprise agreement aligns related product subscriptions to the same annual billing cycle.

The statement Concord Access is bundled for Enterprise users and is not billed separately is correct because the enterprise offering includes Concord Access as part of the package and it is not invoiced as a separate line item under the enterprise subscription.

The Enterprise subscription can be billed either monthly or annually is incorrect because the Enterprise plan is subject to annual billing rules and does not provide a monthly billing option under the enterprise terms.

You can change your user tier both upward and downward at any time without waiting for renewal is incorrect because while increases in user tier or seats can often be applied immediately reductions commonly take effect at renewal or require a contractual amendment.