Is it possible to restrict non-admin users from connecting marketplace apps?

Hey Everyone!,

Just curious if anyone might be able to confirm: is it currently not possible to prevent team members from connecting to apps in the marketplace? We recently had a team member connect to a free app (largely harmless), but doing so authenticated that app to have a lot of read-scope over a lot of data. This was able to be connected and installed through the marketplace without an admin's approval. Can this be prevented?

This happened in our Jira (cloud) instance.

It looks like this Confluence article (https://confluence.atlassian.com/upm/configuring-marketplace-connectivity-306350947.html) hints that maybe disabling the UPM (turning the UPM to offline mode) would disable the marketplace.

Can this also be done for Jira or only Confluence?
Does disabling the UPM disable already installed apps or only updates and new installations?

Any insight would be appreciated! Thankfully we can just disable this app and all's likely fine. But we'd like to control who has the ability to install apps going forward...

1 answer

0 votes
Jack Brickey Community Leader Jul 14, 2021

Users in the Basic role cannot add apps. Users with Trusted or Administration roles can. This is managed under User Management admin.

Hey Jack!,
Thanks so much for responding.

This user is in the basic role. :(

I reviewed our audit log as well and there have been no updates to their permissions since the license activated -- like they were never put in a group that had product administrative access or anything.

Is there some other permission setting that might override that basic role and allow someone to install from the marketplace by themselves?

OR if it's written down anywhere in the help docs that the permissions should be restricted for the basic role, that would be really helpful to see too!

Jack Brickey Community Leader Jul 15, 2021

Not that I'm aware of. It would be interesting to see if that user with basic access can in fact add another app.

Hey Jack! Hope your weekend was well.

Just wanted to let you know our admin team was able to connect with this user and do a little more investigation. The marketplace restriction works as intended with the Basic role preventing installations. (Thank you!)

The question as phrased is probably a 'solved' so this might be better suited to a new thread (not sure of the forum standard here), but it appears the issue is actually (or at least potentially) related to the OAuth 3LO option: https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/

User went to an app that offers an OAuth connection to Jira. App uses their token to access the data. App installs in the Jira instance without an admin's approval but only that user has access. Possible to revoke their token or to uninstall the app completely.

How can these apps be prevented from being installed? Are there any system level settings that can block users from okaying OAuth tokens for the Jira instance, etc.?

For my own sense of this: a Team-Managed or Company-Managed Project Administrator cannot install add-ons. Is this correct?

Hey Mark!,

What Jack was referring to is this setting in the user administration. The "basic" role is not tied to the project but rather the users' whole login to the site.

Screen Shot 2021-10-25 at 9.32.25 AM.png

To prevent a user from installing an app from the app marketplace you just need to make sure they have the basic role. So a company-managed project admin may still only be a 'basic' user on your Jira instance; and so they will not be able to install a marketplace app.

Unfortunately there are other ways that apps can get installed through OAuth on user login tokens, and this is seemingly not able to be restricted no matter what permissions are given to the user (in a project or in the user administration settings).

Jack Brickey Community Leader Oct 25, 2021

Correct…

Thanks for the clarification, Oliver!

Deployment type: Cloud
Product plan: Standard
Permissions level: Site Admin