Control app access to content in Jira and Confluence with a new app access rule

Hello Community!

Marketplace apps give you more flexibility to customize and tailor your Atlassian solution. As of today, our developer community offers thousands of Marketplace cloud apps to help you build the perfect solution for your unique teams. However, we know that depending on your organization’s requirements, you may have concerns about giving third-party apps access to certain content in your environment.

Last year, to help you exercise more control over the content apps can access, we launched an early access program for the “app access” rule, which limits app access to content in specific Confluence spaces or Jira projects.

We’re excited to announce that the app access rule is now generally available for all Atlassian customers on Standard, Premium, and Enterprise plans!

What is the app access rule?

Data security policies help you keep your organization’s data secure by letting you govern how users, apps, and people outside of your organization can interact with content within Confluence spaces and Jira projects.

The app access rule is a new feature that allows org admins to restrict third-party app access to content in Confluence spaces and/or Jira projects. This allows you to benefit from the extended functionality apps provide while still limiting third-party access to certain content.

There are two possible configurations of the app access rule:

  1. Allow/block all app access: Any customer on a Standard, Premium, or Enterprise plan can set rules to prevent all in-scope 3rd-party Marketplace apps from accessing content in the spaces or projects under a policy.

  2. Allow/block select app access: Customers with Atlassian Guard or on the Enterprise plan can set rules to limit app access to only a few select, trusted apps in the spaces or projects under a policy. This allows you to get more granular with your controls so you can enable teams with the most critical or trustworthy apps while limiting access for other apps in certain spaces or projects.

What other options do I have to manage apps?

The new app access rule is the latest update we’re making to give you more control over the apps in your cloud environment. Over the past year, we’ve also released improvements to centralize app management in admin.atlassian.com and provide you with more control over end-user installs of certain types of apps that do not require admin installation (i.e., 3LO/OAuth 2.0 apps).

This is just the beginning! As we learn more about your needs in this area, we will continue to offer new options to control and manage Marketplace apps in the cloud.

Learn more about app access rule.

Have you used the app access rule in data security polices? We would love to hear from you in the comments!

12 comments

Comment

Log in or Sign up to comment
Aron Gombas _Midori_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 30, 2024

@Angelina Ignatova When I tested App Access a few months ago, a single policy could be applied only to a surprisingly small set of spaces (15, I think). Is this limitation still in place?

 

Aron Gombas _Midori_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 30, 2024

I checked and according to the UI, the limitation I mentioned still exists:

Administration.png

Angelina Ignatova
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 4, 2024

Hi @Aron Gombas _Midori_ , yes there is an existing limit of 15 spaces per instance that can be added to a single policy and there is a limit of 50 polices per org so technically you can restrict apps' access to content in 15x50=750 spaces. Would be keen to understand more about your use case, how many spaces you are looking to add restrict and why? Thank you in advance!

Aron Gombas _Midori_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 4, 2024

@Angelina Ignatova You are absolutely correct about the 50*15 = 750.

But... even with that:

  1. Keeping 50 policies use consistent settings is hard.
  2. Adding every space manually to one of the 50 policies (and not forgetting a single space) is hard.
  3. When a new space is created, for the admin not forgetting to add this to a policy is hard.

About our use case

In general, our app is targeting the Enterprise. We have Confluence Cloud sites with multi-thousand spaces! And expect more to come in the future when large teams migrate from Data Center.

Note that if a team started to use Confluence Server 15+ years ago and slowly migrated to Data Center and then to Cloud, plus there is a personal space for everyone, then supporting 750 spaces is nothing, sorry. On DC we have customers with 20,000+ spaces and more than a million pages.

A few ideas to enable App Access Rules for the Enterprise:

  1. Elevated limits: 50 policies are probably fine, but elevate the 15 spaces to at least 1000 per policy. Or even better, 10K.
  2. Allowlist: Also support "allowlists", not only "blocklists". (I mean let the admin specify which spaces an app has access to, not the opposite.)
  3. Dynamic coverage: Allow policies to be applied to an dynamic set of spaces where:
    1. a pattern is matched to the space key/name
    2. or eventually a CQL query collects the spaces.
    3. The idea is that instead of manually collecting them, let a policy cover all spaces with "Knowledge Base" in its name, e.g.
  4. (Consider not making App Access Rules a Premium feature. At least Standard should support this.)
Like # people like this
Stavros_Rougas_EasyApps
Atlassian Partner
June 5, 2024

We have created a Confluence app where you can restrict access by space, group, users or simply turn features on/off. If Space Content Manager can do it (built in Forge) then I bet Atlassian can as well.

Like Pete Dunham likes this
Angelina Ignatova
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 12, 2024

Thank you @Aron Gombas _Midori_ , I appreciate the detailed feedback.

Like Aron Gombas _Midori_ likes this
Scott Derderian
Contributor
June 13, 2024

Any plans to bring this to Data Center?

Like # people like this
Kristian Klima
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 14, 2024

Sorry for what a stupid question, but where / how do I actually access this feature and enact the policies?

I found no clue in the linked resources :) 

Or maybe it's because it's Friday of our release week... 

Thanks!

lvnenk
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
June 14, 2024

Does this impact the rule that "app cost is calculated from number of seats in whole Jira"? If I understand correctly, you can now limit the apps access to e.g. a single project, which may only be used by 1 person out of 1000s. Does this enable us to buy an app that just one small team needs, without paying for thousands of unused app seats?

Like # people like this
Aron Gombas _Midori_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 14, 2024

@Kristian Klima To access this, go to admin.atlassian.com -> select a concrete site -> Security -> Data security policies.

Like # people like this
Aron Gombas _Midori_
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 14, 2024

@lvnenk This feature (right now) does not affect licensing or billing for apps.

Like # people like this
Kristian Klima
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 14, 2024

@Aron Gombas _Midori_ 

Interesting, every time I encounter Admin -> select a concrete site ->... I get stuck. In all my Confluences :)

I obviously see the list of sites and products, but can't select them, just have the option to click the three dots menu.

The way about this is Security -> Security (in the top bar in the Admin section) -> Data security policies -> Create a new policy... and I was able to select the specific products/sites during the process.

Like Aron Gombas _Midori_ likes this
TAGS
AUG Leaders

Atlassian Community Events