Block Marketplace and custom app access

By default, Marketplace and third-party apps can access data such as Confluence pages and Jira issues in the apps in which they’re installed. You can use a data security policy to help manage certain types of access to your organization’s data. What is a data security policy?

The functionality of the access rule depends on your subscription. All org admins are able to block all eligible Marketplace and custom apps from accessing user-generated content such as Confluence pages and Jira issue data in their org. Customers with Atlassian Guard Standard have more fine-grained control over which Marketplace and custom apps are blocked and when they’re blocked.

Not all Marketplace and custom apps are eligible for blocking with this rule. What cannot be blocked by the Marketplace and custom app access rule

Block all eligible Marketplace and custom apps

To block all eligible Marketplace and custom apps:

1. 移動 [アトラシアンの管理] に移動します。組織が複数ある場合は、対象の組織を選択します。

2. Select Security > Data protection > Data security policies.

3. ポリシーから、[ルールを追加] を選択します。

4. Select Marketplace App Access.

5. Under Type, select Allowlist, then Next.

6. プロンプトに従ってルールを設定し、[保存] を選択します。

Once you do this, all eligible current and any eligible future Marketplace and custom apps installed on Atlassian apps covered by this policy will be blocked from accessing data.

Use an allowlist to allow some eligible Marketplace and custom apps but block all others by default

The allowlist blocks all eligible Marketplace and custom apps by default, allowing only the ones you add to the list. You can add up to 20 Marketplace and third-party apps to the allowlist. If you need to allow more, consider using a blocklist.

許可リストを使用するには、以下の手順に従います。

1. 移動 [アトラシアンの管理] に移動します。組織が複数ある場合は、対象の組織を選択します。

2. Select Security > Data protection > Data security policies.

3. ポリシーから、[ルールを追加] を選択します。

4. Select Marketplace App Access.

5. Under Type, select Allowlist, then Next.

6. Choose the Marketplace and custom apps that are allowed to access data. If you don’t add any, all eligible Marketplace and custom apps will be blocked.

7. Review your selection and select Add rule.

Any future Marketplace and custom apps eligible for blocking that you install on Atlassian apps covered by this policy will be blocked from accessing data unless you add them to the allowlist.

Use a blocklist to block specific Marketplace and custom apps

A blocklist allows all Marketplace and custom apps by default, blocking only the eligible Marketplace and custom apps you add to the list. You can add up to 20 Marketplace and custom apps to the blocklist. If you need to block more, consider using an allowlist or create multiple policies.

ブロックリストを使用するには、以下の手順に従います。

1. 移動 [アトラシアンの管理] に移動します。組織が複数ある場合は、対象の組織を選択します。

2. Select Security > Data protection > Data security policies.

3. ポリシーから、[ルールを追加] を選択します。

4. Select Marketplace App Access.

5. Under Type, select Blocklist, then Next.

6. Choose the Marketplace and custom apps that are not allowed to access data. If you don’t add any, all Marketplace and custom apps will be allowed.

7. Review your selection and select Add rule.

Any future Marketplace and custom apps installed on Atlassian apps covered by this policy will be allowed to access data, until you add the installed Marketplace and custom apps you wish to block to the blocklist.

How the Marketplace and custom app rule works

どのデータがブロックされますか？

This rule prevents Marketplace and custom apps from accessing certain user-generated content, such as Jira work items and Confluence pages. Marketplace and custom apps may still be able to access some types of user-generated content, such as space and project names. For more information about what data is covered by this rule, see App access rule coverage summary.

What Marketplace and custom apps will be blocked?

Some Marketplace and custom apps cannot be blocked. For more information, see Apps that cannot be blocked by app access rules.

私のユーザーはどのような体験をするでしょうか？

Blocking access via this rule will block access to certain data for currently installed Marketplace and custom apps, any updates to them, and future Marketplace and custom app installations. Users can no longer see it or interact on pages or work items, and if it provides experiences at the space or project level, the information it displays will be restricted by what it has access to (for example, Jira work item details). If that Marketplace or custom app has its own data storage, it may retain data in line with its data retention policy. If you reinstall it during the data retention period, that data may still be retrieved and displayed when a user interacts with the Marketplace or custom app. Below are some general scenarios that apply to Marketplace apps, custom apps, third-party apps, and any other apps you add to your Atlassian apps. For more specific information, check the Other considerations section further down this page.

Scenario 1: You block a custom app with external storage

Imagine you block a custom app in two of your Confluence spaces. It had previously been installed, and saved data outside of the Atlassian cloud. People won’t see the custom app in either of those two spaces. The spaces will behave as if the custom app isn’t installed: they will display error messages when someone tries to load the custom app in a macro, links to the custom app won’t be accessible, and the space won’t support any of the custom app’s functions, such as displaying inline dialogues. The custom app can retain the data it’s stored until the end of its retention policy. Check the list in Other considerations on this page for the impact of blocking installed apps.

Scenario 2: You re-enable the custom app with external storage

Imagine you re-enable the same custom app that was previously blocked in two of your Confluence spaces. People will see the custom app in both of those two spaces, and before they start using it, you should check that it’s functioning as expected (see the list in Other considerations on this page for details). It can retrieve and display any data it stored previously if its retention policy allows it.

What happens to a Marketplace or custom app if it's uninstalled or the policy coverage changes?

When you uninstall a Marketplace or custom app or change the coverage of a policy, your allowlists and blocklists do not change. This means that if you decide to reinstall it, or make more changes to a policy’s coverage, your original decision to block or allow that Marketplace or custom app is respected.

In the example above, the policy says that three Marketplace or custom apps are blocked but only two Marketplace and custom apps appear on the blocklist. This indicates that there’s one additional installed app associated with the policy that will reappear if it is reinstalled or the policy coverage changes again.

If you need to make significant changes to your policy and don’t want the decision to block or allow a Marketplace or custom app to persist, we recommend you remove the app from the blocklist or allowlist before changing the policy coverage or uninstalling the the app. Alternatively, you can create a new policy and delete the existing one.

その他の考慮事項

When preparing to use a Marketplace and custom app access rule, you should consider the following points:

• If you block Marketplace and custom app access, it will not affect the data that it had stored before the rule was applied. This means that the Marketplace or custom app may still have data stored externally after blocking and it may display outdated data in sites, Confluence spaces, or Jira projects where it is not blocked. The retention of Marketplace or custom app data is subject to its retention policy. We recommend you check the privacy policy available from the Marketplace app’s listing page or reach out to the partner if you have questions about the Marketplace or custom app's data retention policy.

• Marketplace or custom apps can still be installed on a site where Marketplace or custom apps are blocked, but they cannot access certain data. When blocking Marketplace or custom app access, the Marketplace or custom app will remain installed.

• Marketplace or custom app developers can add features at a Confluence site level, such as on your home page feed and settings page, or at a site level, such as permission schemes and other shared configuration. If you block a Marketplace or custom app in a site’s Confluence spaces or Jira projects, its site features will still be visible. If a site feature includes information about a Confluence space or Jira project where Marketplace or custom apps are blocked, it may appear as if the Marketplace or custom app can still access that space or project, but it actually cannot access certain data and may display incorrect information.

  • For example, if a Marketplace or custom app saves information about issues in its own storage, it is possible for the Marketplace or custom app to display outdated information from its storage without current access to the actual issue data, depending on its data retention policy.

• An admin can still update a Marketplace or custom app that’s blocked, but they won’t be notified that it’s blocked in a particular Confluence space or Jira project. When managing Marketplace or custom apps for a site, an admin will see a BLOCKED lozenge displayed next to each app that is blocked in one or more projects by a Marketplace or custom app access rule. Review the data security policy settings to identify the specific spaces or projects affected.

• You can add up to 15 items (spaces or projects) from one or more Marketplace or custom app instances to a policy. If you need to add more items than this, you can create another policy. Your org can have up to 50 policies at a time.

• You can add up to 20 Marketplace or custom apps to a blocklist or allowlist.

When does a new Marketplace and custom app access rule take effect?

• ポリシーが無効である場合、ルールはポリシーが有効になった後にのみ適用されます。

• ポリシーが有効である場合、そのルールはすぐに適用されます。

ポリシーの有効化について詳しくは、「データ セキュリティ ポリシーを作成する | アトラシアン サポート」を参照してください。

同じスペースやプロジェクトに複数のポリシーが適用される場合

You may inadvertently add a site, Confluence space, or Jira project to more than one policy. In this case, if you block a Marketplace or custom app in one policy while in another you allow it, and both policies are active, the Marketplace or custom app is blocked.

If at least one active policy specifies that the Marketplace or custom app is blocked for that site, Confluence space, or Jira project, it is blocked.

What about permissions to access data that the Marketplace or custom app requests as it’s being installed?

When you install a Marketplace or custom app, you receive a message as part of the installation flow about the Marketplace or custom app's actions. There may also be information on how the Marketplace or custom app manipulates your data, such as whether it reads, writes, or deletes data.

Marketplace or custom apps blocked by a Marketplace and custom app blocking rule lose all ability to read, write, or delete the user-generated content that is covered by the rule, regardless of permissions. However, blocked Marketplace or custom apps will still have the ability to make certain changes (for example, read and make changes to user groups and permission schemes), if allowed by the permissions requested at installation. For more information, see Apps that cannot be blocked by app access rules. Marketplace or custom apps that are allowed can perform any of the actions stipulated on installation, subject to user permissions.