"Allow anonymous users" is automatically selected when "Allow incoming" is selected in Bamboo Data Center Allowlist feature
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product; however, they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
The Bamboo Allowlist feature allows the Administrator to control inbound and outbound traffic to and from the Bamboo instance based on several URL types and criteria.
When adding a new entry to the Bamboo Allowlist, you may notice that selecting the "Allow Incoming" option automatically enables the "Allow Anonymous Users" option as well. There is no way to disable anonymous user access without also turning off the "Allow Incoming" option.
Solution
Upon registration, the Allowlist feature in Bamboo automatically grants the application authenticated outbound access to the registered URL. If customers require additional anonymous outbound access, they can select the "Allow anonymous access" option and save their configuration. This will enable the necessary outbound traffic based on their defined scope. No incoming traffic is enabled at this stage.
The Allow Incoming checkbox enables CORS requests from the specified origin. If incoming access to the Bamboo server is needed from an external endpoint, such as an Application Link or a WebHook initiator, the Allowlist can't enforce authenticated traffic. This limitation arises because authentication may occur at a later stage, beyond the initial scope of the Allowlist. Consequently, the "Allow anonymous access" checkbox is automatically selected in such cases.
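The grant rules described above can be modelled to review a list of allowlist entries. This is an added example, not Atlassian code: the record layout, the `kind` labels and the sample entries are constructed assumptions, not Bamboo's storage or export format.

```python
from dataclasses import dataclass

# Hypothetical labels for pattern-style entries (assumed, not Bamboo's names).
PATTERN_KINDS = {"wildcard", "regex"}

@dataclass(frozen=True)
class AllowlistEntry:
    expression: str
    kind: str               # "exact", "domain", "wildcard" or "regex" (assumed labels)
    allow_incoming: bool
    allow_anonymous: bool

def effective_grants(entry):
    """Grants for one entry, following the rules stated in the article."""
    return {
        # Registering the entry grants authenticated outbound access.
        "outbound": True,
        # Allow Incoming enables CORS requests from the origin.
        "incoming": entry.allow_incoming,
        # The allowlist cannot enforce authentication on incoming traffic,
        # so Allow Incoming always carries anonymous access with it.
        "anonymous": entry.allow_anonymous or entry.allow_incoming,
    }

def review(entries):
    """Return (expression, finding) pairs for an administrator to look at."""
    findings = []
    for e in entries:
        grants = effective_grants(e)
        if e.allow_incoming and not e.allow_anonymous:
            findings.append((e.expression, "record disagrees with UI: incoming without anonymous"))
        if grants["incoming"] and e.kind in PATTERN_KINDS:
            findings.append((e.expression, "pattern entry: incoming allowed for every matching origin"))
        elif grants["incoming"]:
            findings.append((e.expression, "incoming enabled: anonymous access is implied"))
    return findings

# Constructed sample entries (not taken from a real instance).
SAMPLE = [
    AllowlistEntry("https://jira.example.com", "exact", False, False),
    AllowlistEntry("https://artifacts.example.com", "exact", False, True),
    AllowlistEntry("https://hooks.example.com", "exact", True, True),
    AllowlistEntry("https://*.example.com", "wildcard", True, False),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(e.expression, effective_grants(e))
    for expression, finding in review(SAMPLE):
        print("REVIEW", expression, "-", finding)
```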
Please refer to the table below for details on what to expect from each combination of Allowlist configurations.
URL/Expression | Allow Incoming | Allow anonymous access | RESULTS | Granted Outbound | Granted Incoming | Granted Anonymous access |
---|---|---|---|---|---|---|
URL |
| |||||
URL | ||||||
URL |