Block third-party app access
By default, third-party apps can access data such as Confluence pages and Jira issues in the apps in which they’re installed. You can use a data security policy to help manage certain third-party app access to your organization’s data. What is a data security policy?
The way the third-party app access rule works depends on your subscription. All org admins are able to block all eligible third-party apps from accessing user-generated content such as Confluence pages and Jira issue data in their org. Customers with Atlassian Guard Standard have more fine-grained control over which third-party apps are blocked and when those third-party apps are blocked.
Not all third-party apps are eligible for blocking with the third-party app access rule capability. Which apps can’t be blocked?
Block all eligible third-party apps
To block all eligible third-party apps:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Data security policies.
From your policy, select Add rule.
Select Marketplace App Access.
Under Type, select Allowlist, then Next.
Follow the prompts to configure the rule, then select Save.
Once you do this, all eligible current and any eligible future third-party apps installed in apps covered by this policy will be blocked from accessing data.
Use an allowlist to allow some eligible third-party apps but block all others by default
An allowlist blocks all eligible third-party apps by default, only allowing the eligible third-party apps you add to the list. You can add up to 20 third-party apps to the allowlist. If you need to allow more third-party apps, consider using a blocklist.
To use an allowlist:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Data security policies.
From your policy, select Add rule.
Select Marketplace App Access.
Under Type, select Allowlist, then Next.
Choose the third-party apps that are allowed to access data. If you don’t add any third-party apps, all eligible third-party apps will be blocked.
Review your selection and select Add rule.
Any future third-party apps eligible for blocking that you install on apps covered by this policy will be blocked from accessing data unless you add them to the allowlist.
Use a blocklist to block specific third-party apps
A blocklist allows all third-party apps by default, only blocking the eligible third-party apps you add to the list. You can add up to 20 third-party apps to the blocklist. If you need to block more third-party apps, consider using an allowlist or create multiple policies.
To use a blocklist:
Go to Atlassian Administration. Select your organization if you have more than one.
Select Security > Data security policies.
From your policy, select Add rule.
Select Marketplace App Access.
Under Type, select Blocklist, then Next.
Choose the third-party apps that are not allowed to access data. If you don’t add any third-party apps, all third-party apps will be allowed.
Review your selection and select Add rule.
Any future third-party apps installed on products covered by this policy will be allowed to access data, until you add the installed third-party apps you wish to block to the blocklist.
How this rule works
What data will be blocked?
The third-party app access rule prevents third-party apps from accessing certain user-generated content, such as Jira issues and Confluence pages. Third-party apps may still be able to access some types of user-generated content, such as space and project names. For more information about what data is covered by the third-party app access rule, see App access rule coverage summary.
What third-party apps will be blocked?
Blocking third-party app access will block access to certain data for installed third-party apps, third-party app updates, and future third-party app installs. Some third-party apps cannot be blocked. For more information about third-party apps that cannot be blocked, see Apps that cannot be blocked by app access rules.
What will my users experience?
When third-party app access is blocked, users will no longer see third-party apps in Confluence spaces or Jira projects in which they are blocked, and the third-party apps will behave as though they have been uninstalled. Users will see errors informing them that the third-party app cannot be loaded in macros, links to third-party apps will no longer be accessible, and supporting third-party app functions such as inline dialogues will no longer appear.
When third-party app access is allowed, third-party apps will appear as normal and all third-party app functions will be available. If you allow third-party app access for a third-party app that was previously allowed and then blocked, historical data saved by that third-party app in third-party app storage may be out of date or unavailable, depending on the third-party app’s data retention policy.
What happens to a third-party app if it's uninstalled or the policy coverage changes?
When you uninstall a third-party app or change the coverage of a policy, your third-party app access allowlists and blocklists do not change. This means that if you decide to reinstall a third-party app, or make more changes to a policy’s coverage, your original decision to block or allow that third-party app is respected.
In the example above, the policy says that three third-party apps are blocked but only two third-party apps appear on the blocklist. This indicates that there’s an app associated with the policy that will reappear if it is reinstalled or the policy coverage changes again.
If you need to make significant changes to your policy and don’t want the decision to block or allow a third-party app to persist, we recommend you remove the third-party app from the blocklist or allowlist before changing the policy coverage or uninstalling the third-party app. Alternatively, you can create a new policy and delete the existing one.
Other considerations
Before applying a third-party app access rule, consider informing the admins and users of any sites, Confluence spaces, and Jira projects where you intend to apply the rule.
When preparing to use a third-party app access rule, you should consider the following points:
If you block third-party app access, it will not affect the data that a third-party app had stored before the rule was applied. This means that the third-party app may still have data stored externally after blocking, and the third-party app may display outdated data in sites, Confluence spaces, or Jira projects where it is not blocked. The retention of third-party app data is subject to the third-party app developer's data retention policy. It is recommended that you check the privacy policy available from the third-party app’s listing page or reach out to the partner if you have questions about the third-party app's data retention policy.
Third-party apps can still be installed on a site where third-party apps are blocked, but they cannot access certain data. When blocking third-party app access, the third-party app will remain installed.
Third-party app developers can add features at a Confluence site level, such as on your home page feed and settings page, or at a site level, such as permission schemes and other shared configuration. If you block a third-party app in a site’s Confluence spaces or Jira projects, the third-party app’s site features will still be visible. If a site feature includes information about a Confluence space or Jira project where third-party apps are blocked, it may appear that the third-party app can still access that space or project, but the third-party app cannot access certain data and may display incorrect information. For example, if a third-party app saves information about issues in its own third-party app storage, it is possible for the third-party app to display outdated information from its third-party app storage without current access to the actual issue data, depending on the third-party app’s data retention policy.
An admin can still update a third-party app that’s blocked, but they won’t be notified that it’s blocked in a particular Confluence space or Jira project. When managing third-party apps for a site, an admin will see a BLOCKED lozenge displayed next to each app that is blocked in one or more projects by an app access rule. Review the data security policy settings to identify the specific spaces or projects affected.
You can add up to 15 items (spaces or projects) from one or more app instances to a policy. If you need to add more items than this, you can create another policy. Your org can have up to 50 policies at a time.
You can add up to 20 third-party apps to a blocklist or allowlist.
When does a new third-party app access rule take effect?
If your policy is inactive, the rule only applies after the policy is activated.
If your policy is active, the rule is applied immediately to the coverage.
For more information on activating your policy, see Create a data security policy | Atlassian Support.
What if multiple policies apply to the same space or project?
You may inadvertently add a site, Confluence space, or Jira project to more than one policy. In this case, if you block a third-party app in one policy while in another you allow it, and both policies are active, the third-party app is blocked.
If at least one active policy specifies that the third-party app is blocked for that site, Confluence space, or Jira project, it is blocked.
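The block-wins behaviour described above, combined with the allowlist and blocklist defaults and the inactive-policy rule from elsewhere on this page, modelled as an added Python example (not Atlassian code and not an Atlassian API). The Policy class, the app names and the space/project keys are constructed for illustration, and coverage is simplified to a set of space or project keys.

```python
from dataclasses import dataclass

MAX_APPS_PER_LIST = 20     # limit stated on this page
MAX_ITEMS_PER_POLICY = 15  # limit stated on this page


@dataclass(frozen=True)
class Policy:                # hypothetical model, not an Atlassian object
    name: str
    active: bool
    coverage: frozenset      # space/project keys covered by the policy
    rule_type: str           # "allowlist" or "blocklist"
    apps: frozenset          # apps named on the list

    def __post_init__(self):
        if self.rule_type not in ("allowlist", "blocklist"):
            raise ValueError(f"{self.name}: unknown rule type {self.rule_type!r}")
        if len(self.apps) > MAX_APPS_PER_LIST:
            raise ValueError(f"{self.name}: more than {MAX_APPS_PER_LIST} apps on the list")
        if len(self.coverage) > MAX_ITEMS_PER_POLICY:
            raise ValueError(f"{self.name}: more than {MAX_ITEMS_PER_POLICY} covered items")

    def blocks(self, app):
        # Allowlist: blocked unless listed. Blocklist: allowed unless listed.
        if self.rule_type == "allowlist":
            return app not in self.apps
        return app in self.apps


def blocking_policies(app, item, policies, unblockable=frozenset()):
    """Names of the active policies that block `app` in space/project `item`."""
    if app in unblockable:   # apps the rule cannot block stay allowed
        return []
    return [p.name for p in policies
            if p.active and item in p.coverage and p.blocks(app)]


def is_blocked(app, item, policies, unblockable=frozenset()):
    # One blocking active policy is enough, whatever the other policies say.
    return bool(blocking_policies(app, item, policies, unblockable))


# Constructed sample: FIN is covered by two active policies that disagree.
POLICIES = [
    Policy("finance-allowlist", True, frozenset({"FIN", "LEGAL"}),
           "allowlist", frozenset({"diagram-app", "export-app"})),
    Policy("eng-blocklist", True, frozenset({"ENG", "FIN"}),
           "blocklist", frozenset({"export-app"})),
    Policy("draft-lockdown", False, frozenset({"ENG"}), "allowlist", frozenset()),
]
```

blocking_policies returns the policy names rather than a bare yes or no, which is what you need when tracing why an app shows as blocked in a space or project that sits in overlapping policies.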
What about permissions to access data that the third-party app requests as it’s being installed?
When you install a third-party app, you receive a message as part of the installation flow about the third-party app's actions. There may also be information on how the third-party app manipulates your data, such as whether it reads, writes, or deletes data.
Third-party apps blocked by the third-party app blocking rule lose all ability to read, write, or delete the user-generated content that is covered by the third-party app access rule, regardless of permissions. However, a blocked third-party app will still have the ability to make certain changes (for example, read and make changes to user groups and permission schemes), if allowed by the permissions requested at installation. For more information, see Apps that cannot be blocked by app access rules. Third-party apps that are allowed can perform any of the actions stipulated on installation, subject to user permissions.