Note: Staged rollout for the app access rule has begun, meaning it is now live for customers to discover and interact with. If you haven’t yet, please review the data security policies developer guide to see if your app experience requires adjustments.

Over the past few years we’ve been working hard to bring you more tools to meet customer trust expectations in cloud. At the same time, we’ve been working to bring customers more controls so they can benefit from the many use cases your apps enable, while ensuring their security and privacy requirements are met.

One of the key things customers express concern about when it comes to both Atlassian cloud products and associated cloud apps is data protection and security. Customers often want to know and exercise control over who has access to what data. This includes knowing and managing app access to content.

To help customers meet this need, at the end of this quarter we plan to release a new app access rule which allow customers to block apps from accessing certain content in selected Confluence spaces or Jira projects under a given data security policy.

How will the app access rule work?

App access rules can be applied under a data security policy. When an organization admin applies an app access rule in a given space or project, apps will lose access to a number of content types (primarily user generated content – you can see the full list here) in that space or project.

There will be two variations of the app access rule available:

  1. An app access rule to allow or block ALL apps in a given space or project. This will be available to all Atlassian Cloud customers.
  2. An app access rule to block selected apps while allowing access for others. This will be available to customers with Atlassian Guard only.

When enacting an app access rule, org admins will be warned that the app’s functionality will be impacted in the restricted space or project. These impacts might be substantial depending on how your app is built.

End users will be able to see in-product warnings anywhere that your app would normally appear in the UI letting them know that the app has been blocked in the current location.

Blocked app macro with warning

However, if an app relies on data from restricted spaces or projects, user experience may be impacted in other spaces where the app is not blocked. This may confuse end users or present them with incorrect data if the app is not adjusted to account for the impacts of app blocking.

For this reason, we highly recommend testing out the app access rule and considering adjusting your app to warn users when it’s impacted by an app access rule.

When is this happening?

We have been communicating about the app access rule in the developer community and change log every few weeks since July 2023, and held a workshop for developers on the app access rule API and events at Atlas Camp in December. Early access has been available to partners since late November 2023.

In keeping with our promise to customers on our public roadmap, we plan to release this feature to customers at the end of March / early April 2024.

For our initial release we will only proactively alert customers who we know have concerns about app access to data to ensure they know how to use the feature. That way we can support customers who are currently unable to use apps in cloud without this control in the short term, while giving you extra time to prepare.

We plan to do a larger announcement in mid-2024 calendar year once you’ve had some time to observe and make adjustments to your apps.

What should I do if I want to know more about my app’s behavior when blocked?

When an app is blocked, end users will either not see the app at all in blocked spaces or projects, or they will see a warning from Atlassian letting them know that the app has been blocked by an administrator. At the account level, users will also be able to see which apps are impacted by a block from their organization admin.

Jira issue warning with CTA to view blocked apps
Space page, settings and custom content warning
Connected apps tab at the account level with blocked app information

In this way, we will proactively communicate with end users when a block is in place. However, we understand that you will need to know when your app is blocked for support purposes, and may want to make your own adjustments to your app’s end user experience (especially if you have an app that aggregates data across spaces or projects).

You can sign up to test the app access rule in your own environment today

In order to help you prepare for app access rules, we released a new app access rule API and plan to release related events in the coming weeks. These will allow your app to detect when it is blocked (which could be helpful in support scenarios) and make any desired changes to the end user experience of your app beyond what Atlassian will provide by default. You can read about the new app access rule APIs for Jira and Confluence, and app access rule related events in the Data security policy developer guide.

The app access rule has been available to partners as part of an early access program since November 2023. If you have concerns or would like to test the rule or API in your own environment, feel free to sign up here for early access.

You can also review documentation and start preparing your app

If you’re not too concerned but would like to be aware of your options in case you find that customers are asking questions, you can read more about the app access rule API here for Jira and here for Confluence, and you can read more about the feature here.

Thank you for your continued commitment to providing customers a secure, trustworthy cloud experience. To learn more about what makes a trustworthy cloud app, and to up-level your app’s trust posture, visit Grow Customer Trust in the Partner Portal.

App access rules are coming soon: what does this mean for your apps?