Third-party app access rule coverage summary

Overview

Cloud customers have the flexibility to control third-party apps' access to certain user-generated content when using Atlassian app. User-generated content includes items such as Confluence pages, blog posts, attachments, the organization of the content tree, and metadata about that content such as a page’s version history and ownership. User-generated content for Jira includes items such as summary, description, labels, and comments within issues. While we encourage the use of third-party apps to add functionality to our apps, sometimes organizations that keep internal-only, sensitive, or confidential information in our apps want to limit third-party app access to content in some projects or spaces while leaving the third-party apps free to function in others.

Using third-party app access rules, customers can customize and extend Jira and Confluence while maintaining control over third-party app access to certain content in specific projects or spaces.

A third-party app access rule is applied along with, not instead of, the user’s permissions. Third-party app functions that are available only to admin users cannot be used by users without those permissions, even when not blocked by a third-party app access rule.

The sections below provide a summary of:

• The types of third-party apps whose access to your data can be blocked by a third-party app access rule.

• The Atlassian app-specific functionality that is blocked when a third-party app access rule is in effect for that third-party app and the space or project, and the app functionality that is still allowed when a third-party app access rule is in effect.

Third-party apps

Blocking access with a third-party app access rule will block the app’s access to certain data for installed third-party apps, third-party app updates, and future third-party app installs, with a limited number of exceptions.

Specifically, you can apply a third-party app access rule to block access to data for any installed third-party apps except in the following circumstances:

• Third-party apps built and supported by Atlassian that are pre-installed and required for proper product functionality, such as Smart Links.

• Third-party app links that are used to connect Confluence and Jira app instances.

• Third-party apps that use Atlassian API tokens to access data, certain third-party apps in the Atlassian DevOps ecosystem, and certain third-party apps that are moving to Atlassian’s next-generation development platform, Forge.

• Whenever an admin has enabled public anonymous access to a space or project, anonymous users will be able to interact with certain blocked third-party apps accessing data in that space or project.

• A private app you are developing on Atlassian’s Forge platform, that you have installed in development or staging (a third-party app access rule can only be applied to private apps in production).

For a complete list of third-party apps that may not be able to be blocked, see Apps that cannot be blocked by app access rules.

Atlassian app-specific functionality

Each Atlassian app provides the ability to access and work with data specific to that app. For example, Jira provides functions related to issues, workflows, projects, and other Jira data objects. Confluence provides functions related to pages, blogs, whiteboards, spaces, and other Confluence objects.

See the following pages for a summary of Atlassian app-specific functionality that is blocked and not blocked when a third-party app access rule applies.

• Third-party app access rule coverage summary for Jira Cloud

  • Jira

  • Jira Service Management

• Third-party app access rule coverage summary for Confluence Cloud

  • Confluence Cloud

Related links:

• App Access for Confluence Cloud REST APIs

• App Access for Jira Cloud REST APIs