Today we had a problem when a Confluence instance installed our add-on.
During install and during all subsequent requests the add-on got 403 responses on the calls to Confluence.
It turned out that our customer used non-standard groups to define product access, and our add-on user was not added to such a group by default.
However this was really hard to debug, because in the user admin screen, our add-on user was not visible.
In the end Atlassian support had to resolve the issue.
Is it possible (for a vendor) to see in which groups an add-on is installed, and to check if an add-on actually has product access?