RFC-9: Blocking Guest Access to Apps

Developer Community,

Thank you for all the great responses on the RFC. We value your feedback and want to reiterate that we are invested in this developer community. We love the enthusiasm that you all have for ensuring our customers have the best experience in Confluence. In light of this feedback, we have re-reviewed the relevant security, user experience, and partner trade-offs and we are pleased to announce that we will be changing course and allowing guests to use apps.

Our new guidelines:

  • By default, guests will be able to use all apps installed on the instance.
  • Partners have the option to opt-out if they wish (we will create a guide on how to do this shortly)
  • Guests will not be charged for app usage because app licensing is aligned with paid user licensing, and guests are not being counted as a licensed user on a customer’s instance.
  • Customers may be able to add up to 5 free guests for every 1 paid Confluence user. Guests can only collaborate within a single space in Confluence.

Guest apps will only have access a single space within a Confluence site. It is critical that all apps are applying the correct authorisation checks to ensure permissions are enforced (as per our security requirements). Please review and ensure your apps implement the correct guidelines for Atlassian Connect apps and Forge apps.

We will be following up shortly with a guide on how to identify and manage guest users, and details of how to opt-out if you elect to.

Thanks,
Morgan

14 Likes