App access policies in Zapier

When planning how your teams will use Zapier, one of the most important decisions is how you'll handle apps across your organization. You have two main choices: an open apps policy (where apps are allowed by default) or a closed apps policy (where apps are restricted by default). An open policy lets team members quickly adopt and change the apps they connect with Zapier. A closed policy ensures tighter control by only allowing a small, carefully curated list of apps to be used.

You can use app access settings to control which apps members of your Enterprise account can use in Zaps and Agents. Choose between restricting apps (an open policy) or allowing apps (a closed policy). By the end of this article, you'll understand how app access policies work, the differences between restricted and allowed apps settings, and how to choose the right policy for your organization.

How it works

When you enable either the restricted apps or allowed apps setting, you'll create a list of restricted or allowed apps depending on your settings:

Restricted apps (open policy)

Members can use any app on Zapier unless it's on your restricted list. App access is open but with restrictions. This setting is enabled by default.

You can:

  • Add restricted apps.
  • Add member or team exceptions.

Allowed apps (closed policy)

Members can only use apps on your allowed list. App access is closed except where you've allowed access.

You can:

  • Add allowed apps.
  • Prohibit specific actions in an allowed app.
  • Add member or team exceptions.

Members will no longer be able to publish any new or edited Zap that includes a prohibited app, and Agents that use a prohibited app may not run as expected. They will see a notification that the app is prohibited. If an existing Zap includes a prohibited app, it will remain on but steps that use the prohibited app will be held when the Zap runs. When a member views the Zap run details, they will see a notification on the step run indicating that the step was held due to the restricted app. They will not be able to replay the step as long as the app is prohibited.

You cannot have both settings enabled simultaneously.

Why manage app access?

App usage in Zapier is driven by your day-to-day business processes (like "quote to cash" or "lead routing") which remain relatively consistent. However, the tools you use to perform these steps evolve as your company's tech stack changes.

Your app access policy should balance three factors:

  • Speed and innovation: How quickly teams can adopt new tools and experiment.
  • Security and compliance: How well you control data flows and maintain regulatory requirements.
  • Governance: Who approves new tools and how oversight works.

Pros and cons of each app access setting:

Restricted apps

Pros:

  • Your organization wants to promote agility, experimentation, and autonomy.
  • You're comfortable with a "trust but verify" approach.
  • Your teams value speed and flexibility over strict control.
  • You have moderate compliance requirements.
  • You want to support experimentation with minimal barriers.
  • If desired, an admin can set up an approval process so that new Zaps still require a final check before going live.

Cons:

  • Requires trust that team members follow best practices.
  • Can potentially result in "app sprawl" if not monitored.
  • May require ongoing administrative oversight.

Allowed apps

Pros:

  • Your organization has strict compliance and security requirements (examples include industries like financial services and healthcare).
  • You need to ensure only vetted or official tools are used.
  • Data security and compliance demands strict controls.
  • You want consistent tools across your organization.
  • You want admins to have full visibility and control over which apps are used in your account.

Cons:

  • Can slow adoption of new tools.
  • Requires more administrative oversight.
  • Can create friction for teams that need special apps.

How to choose your app policy

Planning how your team will access and use apps through Zapier is crucial to scaling your automation strategy. Follow these steps to determine which policy is right for your organization:

1. Understand your business processes

Processes like "quote to cash" or "lead routing" have fundamental steps that remain consistent: capturing information, approving or assigning items, and moving them through a pipeline. The tools used in these steps can vary and may shift as your company's tech stack evolves. When evaluating your app policy, consider how tightly these processes need to be controlled.

2. Evaluate your organization's approach to innovation

Assess how quickly your teams need or want to adopt new tools. If your organization embraces citizen development where individual teams or power users can adopt new tools quickly, an open policy may be more suitable. If you work in a highly regulated or compliance-oriented industry, you might prefer a closed policy where every app must be explicitly allowed.

3. Determine your compliance requirements

Assess your industry's or organization's compliance and security needs. Heavily regulated fields, like financial services or healthcare, often require strict approval flows. A closed (allowed apps) policy is useful here because, by default, employees cannot connect apps unless they are approved and added to the allowlist. For fields with moderate compliance requirements, and where faster innovation is more important, an open (restricted apps) policy with Zapier's built-in approvals feature may strike the right balance.

4. Plan your app policy structure

Once you've identified your general approach, set up your app policies in Zapier.

5. Verify your policy with approval flows

No matter which policy you choose, you can use Zap approvals to add an extra governance layer. This allows open experimentation while maintaining oversight: team members create Zaps freely, but admins review before Zaps publish and run.

Note

Over time, your needs may change. Many organizations start with an open policy and gradually tighten it as they learn which apps are used most frequently. Others begin closed and gradually allow more apps as they gain confidence in their processes.

Example

If you add QuickBooks to your restricted apps list, you can add an exception for your accounting team. This will give your accounting team access to QuickBooks, while the rest of your account will still be restricted from using the app.

Planning how your team will access and use apps through Zapier is crucial to scaling your automation strategy. By choosing an open policy, you support quick experimentation and innovation with minimal friction. This is ideal for organizations embracing citizen development. A closed policy gives you tighter control and helps support compliance in industries that need more stringent oversight.

No matter which approach you choose, Zap approvals can add another layer of governance so you can fine-tune your workflows, maintain security, and keep your automation strategy aligned with your organization's goals.

Switch between app access policies

You can switch between restricted apps and allowed apps at any time. However, switching policies can impact your existing Zaps and Agents.

What happens when you switch

From restricted apps to allowed apps

  • Any published Zap that uses an app not on your allowed list will remain on, but steps using that app will be held when the Zap runs.
  • Agents that use an app not on your allowed list may not run as expected.
  • Members will not be able to publish new or edited Zaps that include apps not on the allowed list.

From allowed apps to restricted apps

  • Zaps and Agents that previously used prohibited apps can run again, unless those apps are now on the restricted list.
  • Any held runs from the previous policy can be replayed as long as the app is now permitted.

Before you switch

To minimize disruption to your workflows:

  1. Identify affected Zaps and Agents. Review your Apps page to see which apps are connected and used in Zaps and Agents across your account.
  2. Prepare your new app list. If switching to allowed apps, add all the apps your team currently uses to the allowed list before completing the switch. If switching to restricted apps, review which apps should be restricted.
  3. Communicate with your team. Let members know about the upcoming change and any apps that will be impacted.
  4. Plan for held runs. After switching, monitor your account for held Zap runs and Agent issues. You can replay held runs once the affected apps are permitted under the new policy.

Note

App access policies affect both Zaps and Agents. When planning a policy change, review both your Zaps and Agents to ensure all workflows continue to run as expected.
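
A pre-switch impact check for steps 1 and 2 above, as an added example (not Zapier code, and it calls no Zapier API). It models the restricted and allowed rules from "How it works" over a constructed inventory of Zaps. The inventory layout, the action labels, the reading that an exception grants the named member or team access, and the treatment of a prohibited action as a held step are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    mode: str    # "restricted" (open policy) or "allowed" (closed policy)
    apps: set    # the restricted list or the allowed list
    exceptions: dict = field(default_factory=dict)          # app -> members/teams
    prohibited_actions: dict = field(default_factory=dict)  # app -> actions

def is_permitted(policy, app, action, member, team):
    """True if this member (or their team) may use app/action under the policy."""
    excepted = bool({member, team} & policy.exceptions.get(app, set()))
    if policy.mode == "restricted":
        # Open policy: permitted unless listed; an exception re-grants access.
        return app not in policy.apps or excepted
    if app not in policy.apps:
        # Closed policy: unlisted apps are blocked unless excepted (assumption).
        return excepted
    # Listed app: still blocked if this specific action is prohibited (assumption).
    return action not in policy.prohibited_actions.get(app, set())

def held_steps(policy, zaps):
    """Map each affected Zap name to the steps that would be held."""
    report = {}
    for zap in zaps:
        held = [(app, action) for app, action in zap["steps"]
                if not is_permitted(policy, app, action, zap["owner"], zap["team"])]
        if held:
            report[zap["name"]] = held
    return report

def missing_from_list(policy, zaps):
    """Apps currently in use that are absent from the policy's app list."""
    return sorted({app for zap in zaps for app, _ in zap["steps"]} - policy.apps)

# Constructed sample inventory; names and action labels are illustrative only.
ZAPS = [
    {"name": "Invoice sync", "owner": "dana", "team": "accounting",
     "steps": [("QuickBooks", "create_invoice"), ("Slack", "send_message")]},
    {"name": "Lead routing", "owner": "lee", "team": "sales",
     "steps": [("Typeform", "new_entry"), ("QuickBooks", "create_customer")]},
    {"name": "Bulk export", "owner": "sam", "team": "ops",
     "steps": [("Google Sheets", "new_row"), ("Slack", "upload_file")]},
]
PROPOSED = Policy(mode="allowed", apps={"Slack", "Google Sheets"},
                  exceptions={"QuickBooks": {"accounting"}},
                  prohibited_actions={"Slack": {"upload_file"}})

if __name__ == "__main__":
    print(held_steps(PROPOSED, ZAPS), missing_from_list(PROPOSED, ZAPS))
```

Any Zap that appears in the report needs its apps added to the proposed list, or an exception, before the switch is completed.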

Next steps

Now that you understand how app access policies work and how to choose the right policy for your organization, you're ready to configure your settings.
