Third-party app access rule coverage summary for Confluence Cloud
Using third-party app access rules, customers can customize and extend Confluence while maintaining control over third-party app access to certain content in specific spaces.
This page should be read along with App access rule coverage summary | Atlassian Support, which provides an overview of the types of third-party apps and content that are blocked or not blocked by a third-party app access rule.
This page provides a summary of:
Confluence third-party app functionality that is blocked when an app access rule applies
Confluence third-party app functionality that is allowed (NOT blocked) when an app access rule applies
Confluence
You can create a third-party app access rule to limit a third-party app’s ability to access and modify certain data in a Confluence space—particularly user-generated content such as pages, blog posts, attachments, and other content that a user adds to a Confluence space.
When a third-party app access rule doesn’t block a third-party app from accessing data, the third-party app will almost always use only a subset of the possible actions rather than all of them. For example, a third-party app may need to read but not modify existing content, so it would not use functionality that creates, updates, or deletes content. To better understand the actions your third-party apps perform when they have access to a space, check each third-party app’s permissions, which can be found in the Integration Details section of the third-party app’s Marketplace listing.
Third-party apps that are blocked in a space by a third-party app access rule may still take other actions that do not interact with user-generated content, such as updating the look and feel of Confluence. Global admin permissions may still be required to run certain third-party apps. For example, if a Confluence user does not have admin permissions, they can’t use a third-party app to perform administrative functions like adding users.
To view a detailed list of the third-party app functionality that is blocked or still allowed when an access rule applies, see App Access for Confluence Cloud REST APIs.
Confluence third-party app actions blocked by the third-party app access rule
The following commonly used Confluence functionality is blocked when a third-party app is blocked by the third-party app access rule. For the full list of blocked functionality, see App Access for Confluence Cloud REST APIs.
Reading the body of, creating, updating, or deleting specific pieces of user-generated content, including permanently deleting content that has already been moved to the trash
pages
blog posts
attachments
comments (inline or page level)
custom (app-defined) content
Retrieving a list of, and returning details about
pages matching specified criteria, such as within a space or with a particular label
blog posts matching specified criteria, such as within a space or blog posts with a particular label
the children, ancestors (parent pages), attachments, or comments for a page
versions of a piece of content, including metadata such as the creator, last update date, and current version number
spaces, with details such as the space key, icon and name, description, permissions that apply to actions on the space, look and feel settings like theme, and the home page
content matching a CQL search query
Reading, creating, updating, or deleting content properties stored by a third-party app, for
pages
blog posts
attachments
comments (inline or page level)
custom (third-party app-defined) content
Interacting with content in the following additional ways
reading, creating, updating, or deleting restrictions for a piece of content
moving or copying a piece of content to a new location
deleting a specific version of a piece of content, or restoring an old version as the current version of a piece of content
listing information such as
permissions for one or more pieces of content (an admin can list permissions for all pages; a non-admin user can only list their own permissions)
all pages in draft status
users who watched or liked a specific piece of content
content watched or liked by a specific user
tasks that appear on pages
archiving content
retrieving content analytics containing the total number of views and total number of unique user views for a specific piece of content
applying or removing labels from content
adding or removing a user as a watcher of a space or label
updating the details of a specific task
moving one or more pages in draft status to published status
Confluence third-party app actions not blocked by the third-party app access rule
There are some elements of app functionality and data that you cannot block with a third-party app access rule. Generally, these are related to system-compiled or general data such as app look and feel customizations, Confluence templates, content “watch” information, and user and group management.
The following commonly used Confluence functionality is not blocked when a third-party app is blocked by the third-party app access rule. For the full list of third-party app functionality that cannot be blocked by a third-party app access rule, see App Access for Confluence Cloud REST APIs.
Auditing
reading or creating audit records
getting or setting retention periods for audit records
Content watchers
listing all users who watched a space or label, or all spaces or labels watched by a particular user
adding or removing a particular user from the list of users watching a specific label or space
Dynamic modules
using dynamic modules that provide customized behavior to different users
listing all dynamic modules registered by this third-party app
registering dynamic modules so that they can be used by this third-party app, and removing them so that they can no longer be used by this third-party app
Group management
listing all user groups on the third-party app user’s current Confluence instance
reading information about a Confluence user group, including the group name and internal group ID
adding or removing Confluence user groups
listing the users who are members of a Confluence user group
adding and removing members from a Confluence user group
Operation management
listing the permitted operations for the space. Operations are actions that a user or API is permitted to take on a specific piece of content or space. Examples include, but are not limited to, create, read, update, delete, copy, export, and purge.
Confluence settings
reading, resetting to the system default, or updating “look and feel” settings for a Confluence space (theme in use, color used for menus, and so on)
Spaces
creating spaces, or updating the details of spaces
reading the details of a space including its name, homepage, status, type, and permissions for the space and pages, blog posts, comments, attachments, and third-party apps within that space
listing the spaces in a Confluence instance
listing, adding and removing permissions for a user, group, or role to a particular space
listing, adding, updating, and removing properties of a space
Templates
listing all templates for a site or space, including blueprint templates
adding, updating, or removing a template
Themes
listing all admin-driven themes that an admin installs from the marketplace into a space or site
resetting a space’s theme to the global admin-driven theme
reading information about a theme
listing the current theme in use for a space, and updating which theme is used for a space
listing the global admin-driven theme for the Confluence instance
User management
reading the details for one or more users at a time, such as their account ID, display name, space name, email address, profile picture, and Confluence permissions
reading the details of the Confluence instance’s anonymous user account, including its display name, profile picture or icon, and Confluence permissions (the anonymous user account provides generic user details for users who are not logged in to Confluence)
getting the account ID of the user who is running the app and reading the details for that user
listing information for a user such as:
the Confluence groups to which that user belongs
values of user properties defined at the site level for that user
creating, updating, and deleting user properties for a specific user