• Documentation

Block app access

By default, apps can access data such as Confluence pages and Jira issues in the products in which they’re installed. You can use a data security policy to help manage certain app access to your organization’s data. What is a data security policy?

The way the app access rule works depends on your subscription. All org admins are able to block all eligible apps from accessing user-generated content such as Confluence pages and Jira issue data in their org. Customers with Atlassian Guard Standard have more fine-grained control over which apps are blocked and when those apps are blocked.

Not all apps are eligible for blocking with the App access rule capability. Which apps can’t be blocked?

Block all apps

Who can do this?
Role: Organization admin
Plan: Available with any plan (Note: Customers with Atlassian Guard Standard should block all apps by creating an empty allowlist instead of using this process)

To block all eligible apps:

  1. From your policy, select the App access rule.

  2. Select Block app access to data.

  3. Save your changes.

Once you do this, all eligible current and any eligible future apps installed in products covered by this policy will be blocked from accessing data.

Use an allowlist to allow some apps but block all others by default

Who can do this?
Role: Organization admin
Plan: Atlassian Guard Standard

An allowlist blocks all eligible apps by default, only allowing the apps you add to the list. You can add up to 20 apps to the allowlist. If you need to allow more apps, consider using a blocklist.

To use an allowlist:

App access rule list type option with allowlist selected
  1. Select Allowlist as the default behavior.

  2. Choose the apps that are allowed to access data. If you don’t add any apps, all eligible apps will be blocked.

  3. Review your selection and save.

Any future apps eligible for blocking that you install on products covered by this policy will be blocked from accessing data unless you add them to the allowlist.

Use a blocklist to block specific apps

Who can do this?
Role: Organization admin
Plan: Atlassian Guard Standard

A blocklist allows all apps by default, only blocking the apps you add to the list. You can add up to 20 apps to the blocklist. If you need to block more apps, consider using an allowlist or create multiple policies.

To use a blocklist:

App access rule type options with blocklist selected
  1. Select Blocklist as the default behavior.

  2. Choose the apps that are not allowed to access data. If you don’t add any apps, all apps will be allowed.

  3. Review your selection and save.

Any future apps installed on products covered by this policy will be allowed to access data, until you add the installed apps you wish to block to the blocklist.

How this rule works

What data will be blocked?

The app access rule prevents apps from accessing certain user-generated content, such as Jira issues and Confluence pages. Apps may still be able to access some types of user-generated content, such as space and project names. For more information about what data is covered by the app access rule, see App access rule coverage summary.

What apps will be blocked?

Blocking app access will block access to certain data for installed apps, app updates, and future app installs. Some apps cannot be blocked. For more information about apps that cannot be blocked, see Apps that cannot be blocked by app access rules.

What will my users experience?

When the Block app access option is selected, users will no longer see apps in Confluence spaces or Jira projects in which they are blocked and the apps will behave as though they have been uninstalled. Users will see errors informing them that the app cannot be loaded in macros, links to apps will no longer be accessible, and supporting app functions such as inline dialogues will no longer appear. When Allow app access is selected, apps will appear as normal and all app functions will be available. If you Allow app access for an app that was previously allowed and then blocked, historical data saved by that app in app storage may be out of date or unavailable, depending on the app’s data retention policy.

What happens to an app if it's uninstalled or the policy coverage changes?

To make sure your decision to block or allow an app to access data persists, we remember which apps were added to the allowlist or blocklist as long as the policy exists.

This means that if an app is uninstalled or the policy coverage changes (for example, product instances are removed from the policy coverage, or the selected spaces and projects no longer exist), the app remains on your blocklist or allowlist. If the app is later reinstalled or the policy coverage changes again, your original decision to block or allow that app is respected.

App access rule allowlist that does not display an app that was uninstalled in the allowlist

In the example above, the policy says that 3 apps are blocked but only 2 apps appear on the blocklist. This indicates that there’s an app associated with the policy that will reappear if it is reinstalled or the policy coverage changes again.

If you need to make significant changes to your policy and don’t want the decision to block or allow an app to persist, we recommend you remove the app from the blocklist or allowlist before changing the policy coverage or uninstalling the app. Alternatively, you can create a new policy and delete the existing one.

Other considerations

Before applying an app access rule, consider informing the admins and users of any sites, Confluence spaces, and Jira projects where you intend to apply the rule.

When preparing to use an app access rule, you should consider the following points:

  • If you block app access, it will not affect the data that an app had stored before the rule was applied. This means that the app may still have data stored externally after blocking and apps may display outdated data in sites, Confluence spaces, or Jira projects where it is not blocked. The retention of app data is subject to the app developer's data retention policy. It is recommended you check the Privacy policy available from the app’s listing page or reach out to the partner if you have questions about the app's data retention policy.

  • Apps can still be installed on a site where apps are blocked, but they cannot access certain data. When blocking app access, the app will remain installed.

  • App developers can add features at a Confluence site level, such as on your home page feed and settings page, or at a site level, such as permission schemes and other shared configuration. If you block an app in a site’s Confluence spaces or Jira projects, the app’s site features will still be visible. If a site feature includes information about a Confluence space or Jira project where apps are blocked, it may appear that the app can still access that space or project, but the app cannot access certain data and may display incorrect information. For example, if an app saves information about issues in its own app storage, it is possible for the app to display outdated information from its app storage without current access to the actual issue data, depending on the app’s data retention policy.

  • An admin can still update apps that are blocked, but they won’t be notified that it’s blocked in a particular Confluence space or Jira project. When managing apps for their site, the admin will see a BLOCKED lozenge displayed next to each app that is blocked in one or more projects by an app access rule. Review the data security policy settings to identify the specific spaces or projects affected.

  • You can select items from a maximum of 15 different product instances, to add to a policy. We limit you to 15 items (spaces or projects) from each product instance.  If you need to cover more items than this, you can create another policy. Your org can have up to 50 policies at a time.

  • You can add up to 20 apps to a block list or allow list.

When does a new app access rule take effect?

When you apply a rule to your policy, its effect depends on whether the policy is active or not:

  • If your policy is inactive, the rule only applies after the policy is activated.

  • If your policy is active, the rule is applied immediately to the coverage.

For more information on activating your policy, see Create a data security policy | Atlassian Support.

What if multiple policies apply to the same space or project?

You may inadvertently add a site, Confluence space, or Jira project to more than one policy. In this case, if you block an app in one policy while in another you allow it, and both policies are active, the app is blocked.

If at least one active policy specifies that the app is blocked for that site, Confluence space, or Jira project, it is blocked.

What about permissions to access data that the app requests as it’s being installed?

When you install an app, you receive a message as part of the installation flow about the app's actions. There may also be information on how the app manipulates your data, such as whether it reads, writes, or deletes data.

Apps blocked by the app blocking rule lose all ability to read, write, or delete the user generated content that is covered by the app access rule, regardless of permissions. However, blocked apps will still have the ability to make certain changes (for example, read and make changes to user groups and permission schemes), if allowed by the permissions requested at installation. For more information, see Apps that cannot be blocked by app access rules. Apps that are allowed can perform any of the actions stipulated on installation, subject to user permissions.

Still need help?

The Atlassian Community is here for you.