Guidance Secure plugin installation.

Pavan kumar
I'm New Here
May 10, 2024

We are currently reviewing plugin apps in our JIRA environment, which contains highly sensitive information. Before installing plugins, we need to assess certain measures. Initial investigations revealed that the "Cloud Fortified" app offers the highest security in the Atlassian Marketplace. However, we found that any app installed in our Atlassian environment automatically gains access to Project admin via the "atlassian-addons-project-access" role. We have the following questions:

  1. Is it safer to remove "atlassian-addons-project-access" from all permission schemes?
  2. Does the plugin have the capability to limit access to specific projects? Can we trust that the plugin won't access other projects?

Based on the open ticket, even after removing the "Atlassian-addons-project-access" role, it will be added

Note: We cannot remove the role from the team-managed project permissions. Any guidance on that?


1 answer

0 votes
Walter Buggenhout
Community Leader
May 10, 2024

Hi @Pavan kumar and welcome to the Community!

As a general rule of thumb: do not remove "atlassian-addons-project-access" from permission schemes. There is no other way to grant apps the access they require to function properly and you may end up with unstable / unpredictable / erroneous behaviour with any apps you may be using.

In the Jira cloud feature request you refer to (JRACLOUD-81601) a comment links to this related Community post where Atlassian confirms the arrival of this app blocking capability.

Hope this helps! 
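
An added example, not part of the original thread and not Atlassian's code: rather than removing the role, an admin can audit which permissions each permission scheme grants to "atlassian-addons-project-access". The sample JSON is constructed and is assumed to follow the shape of Jira Cloud's `GET /rest/api/3/role` and `GET /rest/api/3/permissionscheme?expand=permissions` responses; `addon_role_grants` is a hypothetical helper name.

```python
import json

ADDON_ROLE_NAME = "atlassian-addons-project-access"

# Constructed sample data (not from a real site). Assumption: it mirrors the
# response shape of GET /rest/api/3/role and
# GET /rest/api/3/permissionscheme?expand=permissions on Jira Cloud.
SAMPLE_ROLES = json.loads("""[
  {"id": 10002, "name": "Administrators"},
  {"id": 10003, "name": "atlassian-addons-project-access"}
]""")
SAMPLE_SCHEMES = json.loads("""{"permissionSchemes": [
  {"id": 10000, "name": "Default software scheme", "permissions": [
    {"id": 1, "permission": "ADMINISTER_PROJECTS", "holder": {"type": "projectRole", "parameter": "10003"}},
    {"id": 2, "permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10003"}},
    {"id": 3, "permission": "ADMINISTER_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}}
  ]},
  {"id": 10001, "name": "Restricted HR scheme", "permissions": [
    {"id": 4, "permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "hr-team"}}
  ]}
]}""")


def addon_role_grants(roles, schemes, role_name=ADDON_ROLE_NAME):
    """Map scheme name -> sorted permissions granted to the add-on project role."""
    # Match the role name case-insensitively and collect its id(s) as strings.
    role_ids = {str(r["id"]) for r in roles if r["name"].lower() == role_name.lower()}
    if not role_ids:
        raise LookupError(f"project role {role_name!r} not found")
    report = {}
    for scheme in schemes.get("permissionSchemes", []):
        grants = set()
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder", {})
            # Assumption: the role id appears in "parameter" or in "value".
            holder_id = str(holder.get("parameter") or holder.get("value") or "")
            if holder.get("type") == "projectRole" and holder_id in role_ids:
                grants.add(grant["permission"])
        report[scheme["name"]] = sorted(grants)
    return report


if __name__ == "__main__":
    for name, perms in addon_role_grants(SAMPLE_ROLES, SAMPLE_SCHEMES).items():
        status = ", ".join(perms) if perms else "no grants to the add-on role"
        print(f"{name}: {status}")
```

The report only covers permission schemes, so projects whose permissions are managed outside a scheme need a separate review.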
