Forge Scope to be trusted within a domain

Hi guys

image

I noticed with one of my apps that I deployed that users don’t trust the “Allow access” button on their Confluence Page :sweat_smile:

This would then lead them not to use my app on their Confluence Page. They deem it to be untrustworthy and have had a few users tell me that they “never allow apps” to perform functions on their behalf. This is quite unfortunate as it would prevent me from being able to enhance the jobs of key staff in our company if this is their mentality.

Senior management has asked me to find out from Atlassian if it’s possible for our instance to somehow trust apps built by my team, so that this “Allow access” doesn’t appear to the user.

We already have our own Information Security Teams that manage the protection of our staffs privacy, that often put us on courses etc to make sure we’re aware of privacy.

If it’s not possible, that’s understandable. Looking forward to hearing from anyone on this matter.

7 Likes

Instead of getting rid of that screen, what information would we need to show in that screen for your users to trust it? The organisation that built the app? The user(s) that own the app? Some sort of custom message from the admin?

It would be really great if you could ask those users what would make them trust the app. Cheers

1 Like

I like the idea of a security contact for the company/domain having the ability to OK the access for the whole company rather than the idea of every single person from the company having to do this.

I’m happy to be convinced why this would be a bad idea. Tell me. :upside_down_face:

6 Likes

I’m with @david on this one.

I get that Forge is all about security, and giving users choices in that regard, but that dialog/workflow is just poorly thought out. Users have no clue what’s behind it, or why they should approve it. They have to approve it for each and every app that is installed, and there is no discernible “consequence” to not approving.

By that I mean… assume an admin installs an app that exposes a macro. Then that admin generates a bunch of pages that use that macro, and whatever that macro does, has important content for all users that see the page. Except… each user has to approve the page, and if they don’t they completely miss whatever content is behind it.

I think overall, the entire workflow of what you’re trying to accomplish with this dialog should be rethought.

6 Likes

I’m showing my lack of Forge knowledge here, but what is shown to anonymous users?

  • Do they just see the app?
  • Or does the first anon user get to OK it for all the others?
  • Or something else?

I fully agree with @ademoss !

inside an organization / company the apps are installed by admins. New apps are sometime requested from key users , groups or sounding boards.
The end user just relies what is available to create a meaningful content. He is not able to decide yes/no.

So the process of verification should start at the installlation time!
The admins - maybe supported by internal security experts - should be given all necessary information to decide if and how to use a requested app.

2 Likes

I agree with the comments on this thread, however, if I have no choice but to have this be shown to the user, it would be nice if the message had some more information and was a bit more humanised.

If the message had the icon of the app, the name, with the avatars of the developers, the organisation that developed the app and the purpose of the application, I believe this may help make the app seem like less of a “threat” and more of something that the user would read, and realise that this may be helpful to them.
Even something small like this could help:

This app was developed by Piet Retief and Cyril Ramaphose who are developers at Uber.
The app will help you >>>>> insert description <<<<<

On your suggestion though, if the admins could add a custom message, that says that the company endorses this application for use by the individual staff. Again, humanising it with a face of someone they trust - perhaps my managers Avatar or something like that :smiley: You won’t have my managers avatar of course, but we could have a place that we could insert it somehow - just and idea.

We live in a world of GDPR and POPI and users have become more aware of phishing as our companies make sure to drill it into us :smiley: I think there needs to be an extra level of trust, visible to the user, telling them that it’s ok to use the app.

4 Likes

David,
the “grant” dialog and process is not about anonymous users. It’s about granting a Forge app to operate and use your account and access rights and permissions.

You are presented a “grant access” dialog the first time you view or access the app, e.g. view a page containing a macro written for Forge. Instead of the expected content you’ll just a short message and a button. After clicking on that button you’ll see the “grant access” dialog telling you which app your are going to grant access and which additional rights you grant (if any).

Unfortunately you cannot control the contents of the short message in the macro neither the contents of the “grant access” dialog. So, non-technical, non-nerd, A.K.A. “business users” tend to NOT click on that button because they once were told that they should not click on buttons whose function and effects they do not know.

2 Likes

We really should make it possible for an admin to approve all users at the same time.

Looks like Atlassian are removing the prompt :slight_smile: