App management and integrations

Available on the Asana Enterprise+ tier, as well as the legacy tier Legacy Enterprise.

Visit our pricing page for more information.

App management provides organization super admins the ability to monitor and control the apps, personal access tokens (PATs) and service accounts that are active in their domain.


Division admins and non-super admins won't have access to this feature.

Super admins can self-serve the following in the admin console:

  1. See connected apps and access app insights
  2. Block certain apps from being used by users in the domain
  3. Place a domain in 'approval mode' where no apps are allowed unless explicitly approved by the super admin
  4. Manage service accounts
  5. Allow or disallow the usage of PATs in the domain
  6. Allow or disallow rules from being triggered by web requests from external services

If you have additional queries around feature blocking or controls, please reach out to your Customer Success team contact or Asana Support.

Learn more about service accounts.

Viewing connected apps and app insights

  1. Navigate to the admin console
  2. Click Apps
  3. Click Manage apps
  4. Navigate to the Connected apps tab. You'll see a list of all the apps connected, their last activity and active members.
  5. Click Export CSV for a list with user-specific activity. The list includes user email addresses, how many times they've used the app in the last 90 days, and the last date they used the app. The CSV file will be emailed to the admin who exports it.



Clicking on the app will show you:

  1. Brief description of the app if available
  2. The developer and support or privacy policy links the developer may have supplied
  3. Recent usage stats
  4. Permissions granted to the app

Global app settings


A super admin should decide how they want to manage apps. There are 3 main modes of control.

Allow all apps (default)

Admins can manage a list of blocked apps; otherwise, all apps can be used by default.

Require app approval

Admins manage a list of approved apps. An app cannot be used unless it is on the list of approved apps.

External automation permissions

Admins can allow or disallow rules from being triggered by web requests from external services.

If an organization is in "require app approval" mode, and a guest using an app that is not approved joins the organization, the app will be blocked from working and the guest will be notified by email.

Blocking apps

  1. Navigate to the apps page of a specific app from the Connected apps page
  2. Click Block app

This will prevent all users in the domain (members and guests) from connecting and using these apps. Existing users may see errors and the app may cease to function. For users in multiple domains, the block will prevent them from using the app in any of their domains.

Unblocking apps

  1. Navigate to the apps page of a specific app from the Connected apps page
  2. Click the Unblock button

If your organization is in “require app approval” mode (see below), you will unblock by approving the app instead.

Once blocked, existing users may be required to set up the app again or reauthenticate, depending on how the app behaves.

App approvals


If the organization is in “require app approval” mode, users will be prevented from connecting any apps that are not on the approved list, which super admins manage. Users will instead see a message with an option to request admin approval.



If the user clicks Send request, an email will be sent to the desired email addresses as configured on the global app settings page. By default this is all super admins but can be configured.

The admin will receive an email similar to the above example. Clicking Manage app in Asana will take the super admin to the app details page to approve the app.


The requesting user will also receive an email letting them know that their admin has been notified. The user’s email address is also included in the app request email. We recommend having a process in place to monitor requests that come in and/or notifying users on what the next steps may be depending on how your company handles this.

app approval requests

Organization admins can view a list of all apps that have been requested. To view all approval requests:

  1. Navigate to the Admin Console and click on Apps in the left bar.
  2. Select Manage apps and choose the Approval requests tab.

Managing personal access tokens


Personal access tokens (PATs) can be used by users in the organization to create their own scripts and automations. A PAT has access to whatever its creator has access to. The Personal access token page lists the active personal access tokens that have access to your organization, the user who created each one, and the last time each token was used in your domain.

Admins can revoke personal access tokens on demand by clicking the Revoke button. Once you revoke a PAT, the token will be deleted and can no longer be used. The developer who created the token will receive an email letting them know their PAT has been removed.


PATs can be turned off or on for the domain from the Global app settings page.

Turning off PATs will cause all existing personal access tokens belonging to users in the organization to be revoked and blocked. This may cause disruption to users, so super admins should let users in their organization know before this is done.

Set default expiration for personal access or service account tokens

Super admins of Enterprise organizations can set a default expiration date for all personal access tokens or service account tokens that users create in their organization.

Tokens have a default expiration of 10 years. However, super admins of Enterprise organizations can set tokens to expire within either 30, 60 or 90 days.

How can I change the default expiration date?

  1. Navigate to the Admin Console and select the Apps tab.
  2. Under Global App Settings you will find two options for setting expiration times under Token expiration.

Additional notes:

  • If a new option is selected, all existing tokens will have the new expiration policy applied.
    • For existing tokens: if an expiration date of 30 days is selected, tokens created in the past will be set to expire 30 days from when the policy is set. 
    • Newly created tokens: all newly created tokens will be set to expire 30 days after they are created. 
  • If a member with existing tokens is added to your organization (like a guest), those tokens will expire immediately. 
  • If an expiration date is set, developers will get a warning 7 days before their token expires along with a warning when the token expires.
  • If the token expiration is set to 30 days and is then extended to 60 or 90 days, or back to the default, the token will expire within the original 30-day policy. Asana will not push the token dates out. The expectation is that the strictest expiration setting will apply and newly created tokens will follow the new policy’s expiration date.
  • However, if an expiration date is reduced (from 90 days to 30 days, for example), the token will expire based on the stricter, 30-day expiration.
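
The expiration rules in the notes above can be modelled to predict when a given token will stop working after one or more policy changes, which helps when planning token rotation. This is an added example, not Asana code or an Asana API: the function names are hypothetical, the 10-year default is approximated as 3650 days, and the "expires immediately" case for members joining with existing tokens is not modelled.

```python
from datetime import date, timedelta

DEFAULT_DAYS = 3650                  # assumption: "10 years" modelled as 3650 days
ALLOWED_DAYS = {30, 60, 90, DEFAULT_DAYS}
WARNING_LEAD = timedelta(days=7)     # developers are warned 7 days before expiry


def effective_expiry(created, policy_changes):
    """Expiry date of a token created on `created`.

    policy_changes: list of (set_on, days) tuples, one per time a super
    admin selected a token expiration option (hypothetical input format).
    """
    changes = sorted(policy_changes)
    for _, days in changes:
        if days not in ALLOWED_DAYS:
            raise ValueError(f"unsupported expiration option: {days}")

    # A new token follows the policy in force on its creation date.
    in_force = DEFAULT_DAYS
    for set_on, days in changes:
        if set_on <= created:
            in_force = days
    expiry = created + timedelta(days=in_force)

    # Each later change re-dates existing tokens to set_on + days, but
    # dates are never pushed out, so the strictest result wins.
    for set_on, days in changes:
        if set_on > created:
            expiry = min(expiry, set_on + timedelta(days=days))
    return expiry


def warning_date(expiry):
    """Date on which the 7-day expiry warning is due."""
    return expiry - WARNING_LEAD


if __name__ == "__main__":
    # Constructed scenario: 30-day policy set on 1 March, extended to 90 on 10 March.
    changes = [(date(2024, 3, 1), 30), (date(2024, 3, 10), 90)]
    old_token = effective_expiry(date(2024, 1, 1), changes)
    new_token = effective_expiry(date(2024, 3, 15), changes)
    print("existing token expires:", old_token, "warning:", warning_date(old_token))
    print("token created after extension expires:", new_token)
```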

Restrict guests from using the API

Admins and super admins of Enterprise+ organizations can restrict guests from using the API for apps and personal access tokens.

To turn this setting on or off for guests, admins and super admins should follow these steps:

  1. Open the admin console and select Apps from the menu
  2. Choose App settings
  3. Under User permissions, find the two options for API permission settings
  4. Toggle settings for apps and personal access tokens to restrict or allow guests to use them
