How does app access work?
As an admin, you can configure app access for users in your organization in two ways:
1. Assign app roles
To give users app access, you must assign them a role in Atlassian Administration. Organization admins are able to assign roles. User access admins can also do this, but only for apps they administer. A site admin in the original user management experience can assign roles in their site.
2. Apply in-app permissions
This is an additional layer of access that gives more granular control over specific areas. For example, you can use in-app permissions to limit a user’s access to secret Jira projects or confidential Confluence spaces. Both organization admins and app admins can apply this level of permissions.
You can also use groups to assign roles or apply in-app permissions for multiple users at the same time.
Assign app roles
As an organization admin, you can grant app access to users by:
assigning an app role when you invite a user to your organization
adding one or more users to a group
A user access admin can also do these tasks, but only for apps they administer. This means if an app’s default group also includes apps they don’t administer, a user access admin won't be able to grant access to that app. Troubleshoot issues related to managing groups
The following image is an example of a user who has been assigned a role for Jira and for Confluence. This user was automatically added to the default groups for the roles they were assigned.
This user was not assigned a role for the Confluence app in acme-support.atlassian.net.

Apply in-app permissions
If your organization needs confidential Jira projects or Confluence spaces, you might want to grant or restrict access based on a user’s role or employment status within your organization. For example, you may want to restrict access for contractors and vendors, but only allow access to certain spaces for your legal or HR teams.
In-app permissions can be set up by app admins from within the app and applied to groups created in Atlassian Administration. Groups can help you to apply and manage the same level of access for multiple users in your organization, who have similar access requirements.
You can manage your in-app permissions from the following places:
App | Where to manage in-app permissions | Roles that can do this |
---|---|---|
Confluence | Open Confluence and select the settings cog in the navigation bar. | Confluence admin |
Jira | Open Jira and select the settings cog in the navigation bar > Jira settings > System. | Jira admin |
Why do we need groups?
Groups can help you reduce the time it takes you to set up access for multiple users. You can use groups to assign default app roles and to manage in-app permissions.
By creating groups to manage in-app permissions, you can precisely control access to confidential information for multiple users. Learn how to create and update groups
Like organization admins, user access admins can use groups to set up app access. However, user access admins can only set up access to apps they administer. This means if an app’s default group also includes apps they don’t administer, a user access admin won't be able to set up access to that app. Troubleshoot issues related to managing groups
Use groups to assign access
The following image is an example of how one group (All employees) may be created to manage access for multiple users to many apps at once.
The group – Customer support team – is not a default group. In this example, one user has been added to this group, granting them access to an additional Confluence app (acme-support.atlassian.net) that the other three users don’t have access to.

Use groups to apply in-app permissions
The following image is an example of how in-app permissions can be applied to multiple users (in this case the Marketing group) using one group. In-app permissions are managed within the app, but you create a group and manage its membership in Atlassian Administration.

Examples of how you might use groups
Onboard new members of a team
Let’s see how we can make use of groups to onboard new members of an HR team. This team uses the following apps and project spaces:
Confluence: used by everyone across your organization.
Jira Service Management: to store general HR tickets.
HR policies and procedures, a Confluence space for all general HR information.
HR personnel information, a Confluence space to store confidential information.
From your organization at admin.atlassian.com create a group. Let’s call it HR-team. We’ll use this group to manage access to all apps for everyone in HR in your organization.
Add the Confluence and Jira Service Management apps to the HR-team group. This gives all group members access to spaces in Confluence (like HR policies and procedures) and to projects in Jira Service Management – excluding anything confidential.
Then, we’ll create another group, let’s call it HR-confidential. This is the group where we’ll apply the in-app permissions for Confluence.
From your Confluence settings, restrict default access to the HR personnel information space and allow access only to members of the HR-confidential group. Learn how to assign Confluence Cloud space permissions
When a new HR team member joins your organization, add them to the HR-team group to grant them access to Confluence and Jira Service Management.
When people move teams
You can also use groups when someone moves teams. For example, if Omar is moving from the Legal team (let’s call it the Legal-team group) to HR, remove Omar from the Legal-team group and add them to the HR-team group. If Omar’s role requires access to the Confluence space that contains sensitive information, add them to the HR-sensitive group too.
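The onboarding and team-move steps above can be checked with a small model of the two access layers (app role from a group, then in-app permission on a space). This is an added example, not Atlassian code or an Atlassian API; it shows that a user who leaves HR-team but stays in HR-confidential can still open the restricted space while any other group grants Confluence. Assumptions: the data layout, the user priya, the apps granted by Legal-team, and the pairing of HR-confidential with HR-team.

```python
# Constructed model of the page's two access layers; not an Atlassian API.
GROUP_APPS = {                     # layer 1: app roles granted by group
    "HR-team": {"Confluence", "Jira Service Management"},
    "Legal-team": {"Confluence"},  # assumed: the page does not list Legal's apps
    "HR-confidential": set(),      # carries in-app permissions only
}
SPACE_GROUPS = {                   # layer 2: in-app permission per space
    "HR personnel information": ("Confluence", {"HR-confidential"}),
}
PARENT = {"HR-confidential": "HR-team"}  # assumed pairing used by the audit


def apps_for(groups):
    """Apps a user can open, as the union of their groups' app roles."""
    return set().union(*(GROUP_APPS.get(g, set()) for g in groups))


def can_view(groups, space):
    """A restricted space needs the app role AND an allowed group."""
    app, allowed = SPACE_GROUPS[space]
    return app in apps_for(groups) and bool(groups & allowed)


def move_team(members, user, old, new):
    """Mover step from the page: leave the old team group, join the new one."""
    members[user] = (members[user] - {old}) | {new}


def audit(members):
    """Flag users holding a permission group without its team group."""
    findings = []
    for user, groups in sorted(members.items()):
        for perm_group, team_group in PARENT.items():
            if perm_group in groups and team_group not in groups:
                spaces = [s for s in SPACE_GROUPS if can_view(groups, s)]
                findings.append((user, perm_group, spaces))
    return findings


def demo():
    members = {                    # constructed sample membership
        "omar": {"Legal-team"},
        "priya": {"HR-team", "HR-confidential"},
    }
    move_team(members, "omar", "Legal-team", "HR-team")   # Omar joins HR
    move_team(members, "priya", "HR-team", "Legal-team")  # priya leaves HR
    return members, audit(members)
```

Running `audit` over a periodic export of group membership surfaces permission groups that were not cleaned up during a team move.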
Grant everyone access to a new app
Groups are also useful to grant access quickly when you add new apps to your organization. Let’s say you want to grant the HR team access to Jira (an app you’ve added to your organization recently). You can grant this access to all members of the HR-team group from the app details page, or from the group details page.