Control app access to content in Jira and Confluence with a new app access rule

@Angelina Ignatova When I tested App Access a few months ago, a single policy could be applied only to a surprisingly small set of spaces (15, I think). Is this limitation still in place?

I checked and according to the UI, the limitation I mentioned still exists:

Hi @Aron Gombas _Midori_ , yes there is an existing limit of 15 spaces per instance that can be added to a single policy and there is a limit of 50 polices per org so technically you can restrict apps' access to content in 15x50=750 spaces. Would be keen to understand more about your use case, how many spaces you are looking to add restrict and why? Thank you in advance!

@Angelina Ignatova You are absolutely correct about the 50*15 = 750.

But... even with that:

1. Keeping 50 policies use consistent settings is hard.
2. Adding every space manually to one of the 50 policies (and not forgetting a single space) is hard.
3. When a new space is created, for the admin not forgetting to add this to a policy is hard.

About our use case

In general, our app is targeting the Enterprise. We have Confluence Cloud sites with multi-thousand spaces! And expect more to come in the future when large teams migrate from Data Center.

Note that if a team started to use Confluence Server 15+ years ago and slowly migrated to Data Center and then to Cloud, plus there is a personal space for everyone, then supporting 750 spaces is nothing, sorry. On DC we have customers with 20,000+ spaces and more than a million pages.

A few ideas to enable App Access Rules for the Enterprise:

1. Elevated limits: 50 policies are probably fine, but elevate the 15 spaces to at least 1000 per policy. Or even better, 10K.
2. Allowlist: Also support "allowlists", not only "blocklists". (I mean let the admin specify which spaces an app has access to, not the opposite.)
3. Dynamic coverage: Allow policies to be applied to an dynamic set of spaces where:
   1. a pattern is matched to the space key/name
   2. or eventually a CQL query collects the spaces.
   3. The idea is that instead of manually collecting them, let a policy cover all spaces with "Knowledge Base" in its name, e.g.
4. (Consider not making App Access Rules a Premium feature. At least Standard should support this.)

We have created a Confluence app where you can restrict access by space, group, users or simply turn features on/off. If Space Content Manager can do it (built in Forge) then I bet Atlassian can as well.

Thank you @Aron Gombas _Midori_ , I appreciate the detailed feedback.

Any plans to bring this to Data Center?

Sorry for what a stupid question, but where / how do I actually access this feature and enact the policies?

I found no clue in the linked resources :) 

Or maybe it's because it's Friday of our release week... 

Thanks!

Does this impact the rule that "app cost is calculated from number of seats in whole Jira"? If I understand correctly, you can now limit the apps access to e.g. a single project, which may only be used by 1 person out of 1000s. Does this enable us to buy an app that just one small team needs, without paying for thousands of unused app seats?

@Kristian Klima To access this, go to admin.atlassian.com -> select a concrete site -> Security -> Data security policies.

@lvnenk This feature (right now) does not affect licensing or billing for apps.

@Aron Gombas _Midori_ 

Interesting, every time I encounter Admin -> select a concrete site ->... I get stuck. In all my Confluences :)

I obviously see the list of sites and products, but can't select them, just have the option to click the three dots menu.

The way about this is Security -> Security (in the top bar in the Admin section) -> Data security policies -> Create a new policy... and I was able to select the specific products/sites during the process.