RFC-101: Forge Billing - Developer Space Roles and Permissions

RFCs are a way for Atlassian to share what we’re working on with our valued developer community.

It’s a document for building shared understanding of a topic. It expresses a technical solution, but can also communicate how it should be built or even document standards. The most important aspect of an RFC is that a written specification facilitates feedback and drives consensus. It is not a tool for approving or committing to ideas, but more so a collaborative practice to shape an idea and to find serious flaws early.

Please respect our community guidelines: keep it welcoming and safe by commenting on the idea not the people (especially the author); keep it tidy by keeping on topic; empower the community by keeping comments constructive. Thanks!

Summary of Project

• Publish : July 24, 2025
• Discuss : Aug 1, 2025
• Resolve : August 8, 2025

Context

Hi everyone,

• In this video, I explain what is a Developer Space and how you could group multiple apps under developer spaces for invoicing. I also focus on the roles and permissions, particularly the responsibilities of Developer Space Admins.
• Additionally, I covered key aspects of billing management and billing admin role.

Screenshot 2025-07-28 at 6.33.51 PM1686×1370 323 KB

Please share your feedback on:

• Whether the proposed Developer Space Admin role aligns with your needs.
• Whether the proposed Billing Admin role aligns with your needs.
• If there are additional roles or permissions you believe are necessary.

Your feedback is essential as we finalise the roles and ensure they support your workflows effectively. You could share your feedback in loom or via this post’s comments.

Thank you!

Hi @ChandanaMeka

Thanks for the RFC and taking the time to use Loom instead of writing it all out, makes it easier for me to digest.

I’m only a small vendor so the different roles for me now is overkill since I’ll be the only one taking all the roles. I can see benefit for bigger vendors, but will let them form their own feedback.

I do have feedback on the method of given feedback to you. I’m not a big fan of private channel feedback for a public RFC, having others submit feedback using a private form can leave discussion in the dark, and may not be fruitful for all.
I do understand adding this option as RFC feedback in the past has been passionate from time to time.

Cheers,
Mark

To save everyone else the trouble, here’s a copy-and-paste of the AI transcript of the vide:

0:00

Hi everyone, this is Chandana, and I’m currently working as a product manager in the Forge team, mainly looking into the Forge Billing project.

0:08

As you all know from January 1st, the Forge’s resource usage would be counted towards Billing, and the first invoice would be generated for each developer space from February.

0:18

So as part of that we have already released cost dashboard and cost estimator along with the final pricing blog, and our next milestone stone is going to be developer space.

0:28

This developer space is very essential to generate the invoice and I’m seeking feedback from the community around the roles and permissions that we are planning to introduce at the developer space level.

0:39

Now these roles are on top of the existing app specific roles which currently exist like developer deployer viewer and all of that.

0:48

These are in addition to those app specific roles but at a developer space level. Now before going into the feedback I will share a brief on what is a developer space how can apps be associated to a space and what happens in the finance side of Now each developer space is a accumulation of all the apps

1:09

associated. already marketplace partners would vendor profiles they would automatically become developer spaces we are handling that mapping and all the marketplace apps were automatically be associated to that particular space.

1:24

Now to the same space you could allocate all your non-market place apps as well or you also have the freedom to create new spaces and allocate apps to those spaces as well.

1:35

So developer space is just a higher level hierarchy which you could group apps to the right spaces. So now how you could assign apps to a particular space, you would start doing it with a forge create or a register for all your new apps.

1:52

You could associate to a space that you are an admin of or you could even create a space and become a developer space admin of that space.

2:00

For already existing non market place apps, you would have a option in the console to assign it to the This is a view of all the apps and all the spaces that you’re part of.

2:12

You could also filter to a specific space and view all the apps that Yeah, so this is how the edition would look like at a developer space level for the rules.

2:24

Similar to how app specific roles work. we would be introducing developer space specific roles and you could add people to that space.

2:34

Now I’ll be walking everyone through the developer space roles and permissions we are planning. So the first person who creates the developer space becomes a developer space admin automatically.

2:48

They can go and add further more developer space admins to the developer space. And for already existing vendor profiles, what we will do is we will make all the admins over their automatically as the developer space admins.

3:06

So now what can a developer space admin do? Yeah, I’ll come to the app management side of things like you could add users to specific developer space roles.

3:18

You could create four jabs into the space. You could also assign unlinked non-marketplace apps into the space that you’re an admin of.

3:28

You could initiate the transfer of all these non-marketplace apps from one space to the other automatically from the console for marketplace apps or the existing ticketing mechanism would continue.

3:42

Developer space admins would automatically become the admin of all the four apps as first step that is what we are planning to release and I’m happy to seek feedback on if the community is okay in making them the app owners as well like as in they’ll be getting the app owner permissions as well which

4:01

is nothing but an additional three permissions which is delete the app if there are no installs transfer the app internally from one contributor to the other and yeah these are the main permissions that I’m seeking feedback on if The community feels the developer space admin should get inside an app

4:20

along with the app admin rule that we are anyways planning to release soon. Of course, deleting a developer space when there are no apps in it, you could also edit the developer space metadata such as name and logo.

4:34

You could also view the audit logs of 14 members or apps as well when an app got added and all of that, you would also get additional permissions if any from the marketplace site, which you already have in the vendor profile.

4:48

Currently we will migrate all those permissions as well. Now coming to the billing side of things, so consider a fresh developer space.

5:00

And the first person is going to create the app in the developer space that they are an admin of right as a because it’s a fresh space whoever creates the space becomes an admin and they’re also creating an app.

5:13

So what happens is when the first app is created by the first person they become a billing admin. So what can a billing admin do?

5:23

They can view all the invoices in the billing account. So for each developer space what we are applying to do is we will give a dedicated And in the billing account, you would be able to see all the apps that are part of the developer space.

5:39

You would be able to see the next bill estimate and the next bill date as well. Quotes is not relevant to forge, but billing profiles.

5:50

Yeah, a billing admin would be able to see everything here like the different invoice groups, which means different payment methods and the different apps associated to different payment methods could all be viewed here.

6:03

Yeah, a billing admin would be able to see all the payment methods associated to the developer space. Be it card, PayPal, ACH, Addresses, build to and ship to addresses would be able to be seen here.

6:20

Billing permissions is where the all the admins can be seen as well as there would be option for billing admin to add further more admins here as well.

6:31

There is another section called invoices wherein the monthly invoice could be accessed for all the apps in the space. So we will be providing a dedicated transaction account for each developer space and we will provide the hyperlink from the developer space itself.

6:55

So this is a view that could be accessed from the console. This will entirely be redirected to a billing account.

7:02

So I am seeking feedback on the following. So except the first person who creates an app and becomes a developer space admin and a billing admin, all the others would have of this permissions.

7:21

Like they will not be able to see the invoices, they will not be able to see the payment methods, addresses and all of that, but they could definitely see all the apps in the developer space and they could also view the billing admins and the billing account.

7:34

In order to get this billing admin permission, the first billing admin who has been there in the developer space would have to add others explicitly in the billing account so that they would get add-on permissions of all of these as well.

7:52

So I wanted to get feedback from the community on is this suiting to your use case is everyone okay with one person being a billing admin to start with and they will add further more people as billing admins to the billing account as they wish.

8:18

. Like what are further more roles and permissions you expect for a developer space? We are adding these additional roles to ensure that there are more controls around who is adding app to your space, right?

8:29

because each app would start getting cost incurred and it becomes important to put some gates at the developer’s base level.

8:36

So yeah, please feel free to share your feedback around this and I’m happy to get back on the revised roles and permissions based on the feedback.

8:45

Thank you.

Thank you, @markrekveld, for your feedback.

I have removed the Google Form link. To maintain transparency, I did not receive any responses through the form; thus, all feedback is accessible via the community or Loom.

Thanks, @ChandanaMeka!

We have a concern regarding the Developer Space Admin automatically assuming the App Owner role for all apps within the space. The App Owner role includes sensitive permissions, such as deploying to production and configuring production environment variables. Granting a single user this level of access across multiple apps poses a significant security risk.

Our general feedback to Atlassian regarding the current security model is that these high-risk permissions—specifically, production deployments and setting environment variables—should not be tied to any default role. Instead, they should be assigned explicitly to individual users through advanced permission settings. Extending these capabilities to Developer Space Admins by default would only exacerbate the issue.

Hi @PetarPetrovAppfire,

Our vision is that developer space admins are the super admins of all apps within their space. With the admin role in all the apps, developer space admins have visibility into app costs and the ability to manage and control those costs as necessary.

We view developer space admins as trusted members within the organisation. If these admins lack visibility or control over the apps in their space, it could introduce both operational and governance challenges. Additionally, the current model of single ownership for Forge apps presents limitations that we believe can be mitigated by broader administrative oversight.

To maintain security and governance, we strongly recommend that developer space admin roles be assigned only to trusted individuals within the company.

Let us know if you have any concerns. I am also happy to set up a call to discuss further.

Best regards,
Chandana

Edit: Replacing my initial response after rewatching…

Yes, there are definitely additional roles that are necessary. For example, a Developer Space “Viewer” role.

However, it seems that maybe you are already planning some other basic roles? The screenshot shows an “Add users into developer space roles” permission, and you briefly mentioned something about “all the others” being able to “see all the apps in the developer space”.

Can you please elaborate on the other roles you are already planning? That would make this question easier to answer.

P.S. - I, too, appreciate the Loom. It was more meaningful (to me) than a super-long summary. Perhaps next time, include a brief “executive summary” in the RFC description, and it might be a very good balance.

Out of context when I saw “Developer Space” I assumed it was a workarea in confluence for an individual developer. With Confluence Spaces and the upcoming? Jira Projects rename to Spaces, the term “Space” is already heavily used in Atlassian.

If I understand correctly, this new construct is a container for management, organization and security and usage billing for Forge Apps. Is your team set on using “Developer Space” in the terminology. Would you consider using another term?
Something in the vein of (Forge) App Collection or App Group might be more clear?

Just a thought… maybe I’m the only one who found Developer Space confusing.
Chris

Hi @AaronMorris1,

Thank you for your input.

At this stage, I’ve planned for two roles: Developer Space Admin and Billing Admin. Based on feedback, we’ll plan to introduce more roles as needed.

Members with the Developer Space Admin role can add other Developer Space Admins. The mention of adding users to developer space roles was intended to ensure that any future role additions can also be managed by these admins, including assigning users to newly introduced roles.

I’ve taken your feedback on the executive summary—completely agree. For members who prefer quick overview, I’ll make sure to include a concise summary section going forward.

Glad to hear about the Viewer role. Just to clarify—does this role grant full read-only access, including drill-down visibility into all apps across the developer space? I’d appreciate a bit more detail to understand the boundaries of this role. I’ll discuss it with my team and then present a proposal for the Viewer role to the community in a few days.

Thanks again,
Chandana

@ChandanaMeka – Thank you for the clarification! To answer your question:

Yes, I would want a “Viewer” role that allows a user to see a list of all apps in the Developer Space, view basic details about each app, and view a list of people/roles assigned to each app.

I would also want a “Developer” role that has viewer permissions and can also create apps in the Developer Space and associate existing apps with the space.

Context:
I envision using a Developer Space to represent a real-world development team responsible for multiple apps. Some helpful use cases are:

• A senior developer is assigned to prototype a new app idea. They should be able to create the app directly inside the developer space without an admin’s help.
• A senior developer starts a new app outside of the Developer Space. They should be able to transfer it without the admin’s help.
• A new team member is tasked to fix a bug in App X, but they haven’t been added to it yet. They should be able to find App X in the space and see who is already assigned so they can ask for help.

Basically, my experience from managing similar operations in Bitbucket/GitHub is that it’s super helpful to empower senior developers to help manage the development team without needing to make them super admins.

Wishlist:
Allowing the Developer Space Admin to choose to manage app roles at the space level. (For example, hire a new senior developer, and they automatically have deployment permissions across all apps in the space. Hire a new tester or support engineer, and they automatically have view permissions across all apps. And so forth.)

This would model how teams this size already manage Jira and Bitbucket permissions.

Hi @ChandanaMeka! Thanks for the RFC.

Addressing @PetarPetrovAppfire’s points, the concern is about being able to have controls in place, and being able to separate concerns within our organization. Individual organizations have different staffing levels and responsibilities lie in different places. We’re asking (here in this response and in this doc) for the ability to manage this access.

Hi all, thanks for the feedback!

We’re updating the permissions for the Developer Space Admin role. Instead of automatically assigning admin or owner access across all apps in the space, Developer Space Admins will now be granted viewer access to all apps by default. We are going ahead with the principle of least privilege for the launch.

If a Developer Space Admin already has elevated permissions—such as developer or deployer—on specific apps, those roles will remain unchanged and will not be overridden.

@AaronMorris1 — thanks for your input!

As we work toward unifying roles across the Developer Console and Marketplace with the Developer Space construct, we’d appreciate your thoughts on the appropriate Marketplace permissions for the Developer Space Viewer and Member roles.

• Do you believe they should be granted basic permissions on the Marketplace side?
  • If yes, what specific permissions do you think make sense?
  • If not, we’d like to understand your perspective.

Thanks,
Chandana.

@ChandanaMeka - No, I wouldn’t expect any automatic permissions to be granted in the Marketplace vendor account based on roles in a developer space. Unless you’re changing how vendor accounts are managed, too. Otherwise, I’m not sure any correlation could be assumed.

Thanks for this RFC @ChandanaMeka ,

I’m on the same page as @AaronMorris1 here. While there might be a lack of other roles in the Developer Space, I think this is a good approach for managing a group of company apps as we prepare for Forge billing next year.

The problem we usually face is that whenever we need to add a new person to our Forge apps, we have to set permissions one by one. Now, with this Developer Space, we can handle it all at once, right? That makes these bulk operations a really great feature.

Have a nice day.

Hi everyone,

Thanks a lot for the feedback. We have revised the roles based on the feedback received. The role names are not yet finalised. For the immediate launch planned for early September, we will be releasing the developer space admin role. Incrementally, we plan to release other roles. I have created an FRGE suggestion ticket for the community to provide feedback on the developer space roles. Jira

Now, with this Developer Space, we can handle it all at once, right? That makes these bulk operations a really great feature.

Yes @alvaro.aranda, that’s the vision. Developer space roles will help with bulk additions of members to the apps. In the proposal, we will be adding everyone as viewers as default setting.

We plan to provide user groups as a feature in the future to selectively add people to different roles in different app combinations seamlessly.

Screenshot 2025-08-19 at 8.35.04 PM1826×1144 284 KB

Once again, thanks for the inputs.