The future of "Future of Forge versioning - permissions"

Hi @AngelinaIgnatova - Responding here because the RFC-106 thread was auto-closed:

I understand the theoretical vision of having permissions being related to app features, and while it is a good one, the reality of developing for the Atlassian platform makes practice different from theory:

The set of permissions is often a moving target, even in the presence of static application features. Disjointed teams from across Atlassian work on product APIs, and new permissions sometimes appear without warning, or permissions change on old APIs.

For example, Confluence V.2 RBAC APIs were recently introduced, and these require the new read:space.permission:confluence permission. Previously, the V.1 APIs required only read:space:confluence.

History suggests that RBAC will be made mandatory at some point and the old APIs removed, so all apps will be forced to switch.

At this point, I am not even adding new features to my app: I am required to make this change so that my app remains functional, and it will break for any admin who does not update. (What would I even name this new “feature” in my Forge manifest for your future milestones? The please-dont-break-my-app-with-rbac feature?)

This is just one recent example, but there have been a few others like this in the last year as well. I am also sure that Atlassian will continue to regularly introduce new product concepts that include new permissions, and apps will be forced to adopt these permissions just to remain in a working state.

Connect apps were somewhat insulated from these issues because the scopes were broad, but this becomes an instant problem for Forge apps. The last official word I recall was that apps must remove all Connect scopes in the next four months in order to avoid being penalized on revenue share, so apps cannot reasonably use the inherited-Connect-scopes workaround either starting in 2026. (Please correct me if I am wrong.)

I would gently suggest that this overall scenario also “does not align with customer expectations” and I hope that Atlassian would consider this in future milestones. Finding better ways to nag admins to upgrade only goes so far and you are not going to get 100% compliance.

Not every customer is the same, and while I am sure that some sensitive customers may indeed require approval for every single granular permission elevation, I suspect that there are also plenty of customers (perhaps even the majority) who would be receptive to receiving automatic updates within the same general sets of scopes (read, write, admin, impersonate, etc), perhaps after some notice period.

I can add that effectively every customer has already been operating under this model for years (with Connect) and still passing whatever audits that allowed them to use Marketplace apps.

Perhaps Atlassian could consider allowing customers to decide whether they need to audit every single permission change, or if permission “upgrades” are deemed acceptable if they remain within the existing higher-level scopes.

If this has not already been done, maybe Atlassian could also consider running a focus group or whatever to gather the data it needs to back a decision such as this? It admittedly seems unlikely that something that was acceptable (even if grudgingly) for the last 10 years has suddenly become completely unacceptable to all customers.

In short, there has to be a happy middle ground somewhere that will align with customer expectations (realizing that not all customers are identical) while also allowing app vendors to minimize headache and ship apps that actually work. As a vendor, that would be my end goal.

Hi @scott.dudley,

Thank you for raising your concerns regarding the future of Forge versioning. Apologies for the delayed response. I wanted to address some of the points you raised:

  1. Changes to scopes triggered by platform/API deprecations - we acknowledge that such changes don’t add customer value and thus can’t be surfaced as new features. Note that initially it will continue to be unclear why the changes in permissions are required, however, with subsequent milestones, you will be able to provide more clarity with the release notes which will be surfaced along with the permissions on the consent screen. In the mid to long term, we may consider enforcing certain updates after a fixed notice period if they meet strict criteria, such as deprecated scopes or APIs.

  2. Some customers prefer apps to be updated with all permissions granted - we acknowledge that a segment of customers want their apps always current. In future milestones, we may allow customers to pre-consent to permission groups or changes if an app maintains Runs on Atlassian eligibility.

  3. Customers are used to Connect’s broad scopes - I disagree. Our enterprise customers find Connect’s scopes too broad, which led Atlassian to invest in Forge. This significant change in app version management reflects insights from customer research, feedback from enterprise cloud customers, and input from data center customers evaluating Atlassian cloud and timing their migration.

scott.dudley:

apps cannot reasonably use the inherited-Connect-scopes workaround either starting in 2026. (Please correct me if I am wrong.)

Are you referring to the avoidance of manual update approval when equivalent Connect to Forge OAuth2 Scopes are used? Can you please clarify why do you think apps won’t be able to use the inherited-Connect-scopes past Jan 2026?

Hope that makes sense.

Cheers,

Agi

Hi Agi,

My read of this is:

  • Scope changes triggered by platform/API deprecations will continue to break things unless customers manually upgrade.
  • Atlassian is not planning any solutions to alleviate this issue until the medium-long term (and even then, it still may not).
  • Until Atlassian ships the ability to provide release notes along with Forge updates, vendors also cannot notify customers about why they might need to upgrade to prevent their apps from being broken.

I understand that the priorities are what they are and that this is unlikely to change; I just wanted to write this in black-and-white to make it obvious why this results in a far-from-ideal scenario for vendors and customers alike.

Well, I never said that all customers liked Connects broad scopes; I implied just that customers are used to them (and that they were seemingly able to pass their compliance checks regardless).

You mentioned “enterprise customers” a couple of times in your response, but to repeat what I wrote before:

Not every customer is the same, and while I am sure that some sensitive customers may indeed require approval for every single granular permission elevation, I suspect that there are also plenty of customers (perhaps even the majority) who would be receptive to receiving automatic updates within the same general sets of scopes (read, write, admin, impersonate, etc), perhaps after some notice period.

My ask is if Atlassian would consider running a focus group with a variety of customers (not just enterprise) to gather data on how they would like app permissions and upgrades to be handled, including examples of what happens to apps which are requesting additional permissions needed for Atlassian’s continually-changing APIs.

For example, while an enterprise org might actually have a dedicated tools admin who can monitor apps and upgrades, smaller orgs seem unlikely to have these types of resources and I think they would be far more receptive to receiving automatic upgrades, or at least a push in that direction.

The questions you ask to customers are also important. Some examples of the types of things you could ask:

  • Jira and Confluence are automatically always kept up-to-date to protect you from security vulnerabilities. Should third-party apps should be automatically updated too?
  • Are you OK with running older versions of third-party apps with potential security vulnerabilities, with vendors being unable to communicate these vulnerabilities to you through release notes?
  • Are you OK if third-party apps break suddenly due to required Atlassian API changes without notice to you, and that the vendor has no way to contact you if this happens?
  • Are you OK with provisioning third-party app access to your system in broad strokes (read, write, admin) without the need to manually approval granular access changes (read access to blog posts, read access to pages, read access to whiteboards, …)
  • Would you be willing to accept app permission upgrades that are performed automatically, if not manually accepted or denied within a limited review period of X weeks?

I am led to believe that I can currently use a Connect-on-Forge app and declare scopes like read:connect-confluence, allowing me to later add other related read-type scopes in subsequent updates for “free” (without requiring admin approval). Is my understanding correct?

If so, I believe that Atlassian has also stated that including any Connect-type scopes in the manifest will disqualify an app from receiving the revenue share for a “pure” Forge app as of 2026-01-01. This means that merely including such a scope (which would otherwise be a good way to prevent FTC) would cut an app’s revenue by 25%.

So, technically, nothing is stopping apps from using these inherited scopes in 2026 to prevent customer problems, but the decision from the business team effectively turns this into a dead end.

Hey @scott.dudley, wanting to add some clarity to this.

The intention of scope inheritance when moving from Connect to Forge is to support apps in being able to move entirely from Connect to Forge without facing a major update, as long as they do not elevate permissions along the way. It is not a mechanism for long-term scope modifications.

With that said, I am hopeful that the underlying platform capabilities utilised to deliver this can be leveraged longer term to reduce or eliminate friction from other changes involving scope changes (such as the Confluence API changes).