I am testing a Rovo Agent intended to perform user account reviews and user recertification against our Atlassian Organization.
My objective is to build an automated User Recertification Agent that:
* Retrieves all users from the Atlassian Organization or from specific groups (such as "jira-servicedesk-users").
* Retrieves all ACTIVE human users.
* Excludes system, application, bot, service, and automation accounts.
* Reviews user activity.
* Identifies inactive users based on a configurable threshold (currently 180 days).
* Produces a recertification report for access reviews and license optimization.
I am an Organization Admin, and my expectation is that the agent should be able to retrieve all managed users and group members from the Atlassian Directory.
However, the agent appears to be limited to approximately 50 returned users and cannot perform pagination. I tried to give the agent a REST API that fetches the group members, but the agent repeatedly responds with messages similar to:
"The available tools do not provide the functionality to specify startAt, maxResults, or check for isLast for pagination."
and
"The jira_atlassian_user_search_by_query tool returned a maximum of 50 users and does not support pagination."
Questions:
1. Is Rovo currently capable of calling Atlassian Administration REST APIs such as:
GET /admin/v1/orgs/{orgId}/directory/users
or
GET /admin/v1/orgs/{orgId}/directory/groups/{groupId}/members
2. If I am an Organization Admin, should Rovo inherit my admin permissions when executing agent actions?
3. Does the built-in jira_atlassian_user_search_by_query tool have a hard limit of 50 results?
4. Does this tool expose any pagination mechanism (startAt, cursor, nextPageToken, offset, etc.) that Rovo can use?
5. Is there currently any supported method for a Rovo Agent to retrieve the complete membership of a large Atlassian group?
6. If built-in Rovo tools cannot perform this operation, is the recommended approach to create a Forge Action or custom Action that calls the Atlassian Admin APIs directly?
7. Are there any documented limitations preventing Rovo Agents from accessing Atlassian Administration APIs even when the user executing the agent is an Organization Admin?
8. Is there a supported way for a Rovo Agent to retrieve Last Seen / Last Active information for all users in the organization so that inactive accounts (e.g., users inactive for 180+ days) can be identified automatically?
9. Is user recertification and access review considered a supported use case for Rovo Agents, and if so, what is the recommended architecture?
Agent Prompt Used:
You are an Atlassian Jira Service Management Account Review Agent.
TARGET DATASET
Retrieve users who are members of the group "jira-servicedesk-users".
Requirements:
* Retrieve all group members.
* Use pagination until all pages are processed.
* Never analyze only the first page.
* Include only ACTIVE human users.
* Exclude System, App, Bot, Service, and Automation accounts.
* Report total members found.
* Report total ACTIVE members.
* Provide Display Name, Email Address, Account Status, Last Seen, and Status.
* Report excluded accounts and reasons for exclusion.
* Never generate a report from a partial dataset.
Expected Behavior:
The agent should retrieve the complete membership of the group and all available pages before generating a report. For user recertification purposes, the agent should also be able to identify users that have not accessed Atlassian products for 180 days or more.
Observed Behavior:
The agent only retrieves approximately 50 users and reports that pagination is unavailable through the tools exposed to the agent.
Could you please clarify whether this is an expected product limitation, a permissions issue, or whether additional configuration is required?
Thank you.
Happy to help! Since you’re new to Forge, here’s the full path to get your Rovo agent pulling complete group membership plus last active data. This is the setup we use for access reviews:
Goal
Build a Forge Action that Rovo can call. The Action uses Admin APIs with pagination. It returns the full user list to your agent for analysis.
Step 1: Set up your Forge app
Install prerequisites: Node.js 18 or higher, then run this command: npm install -g @forge/cli
Log in: run forge login and authorize with your Atlassian account
Create app: run forge create, choose Rovo agent action template, name it access-review-action
Get your Org ID: Go to admin.atlassian.com, Settings, Details, copy your Organization ID. You will need it.
Step 2: Add permissions to manifest.yml
Replace your manifest.yml file with the text below. The key scopes are read:organization-user and read:audit-log.
Paste this into manifest.yml:
```yaml
modules:
  action:
    - key: get-group-members-full
      name: Get Full Group Membership
      description: Pulls all members of a group with last active data
      function: resolver
      inputs:
        groupId:
          title: Group ID
          type: string
          description: The groupId from admin.atlassian.com Directory Groups
      actionVerb: GET
  function:
    - key: resolver
      handler: index.handler
permissions:
  scopes:
    - read:organization-user
    - read:audit-log
  external:
    fetch:
      backend:
        - api.atlassian.com
app:
  id: ari:cloud:ecosystem::app/your-app-id
```
Step 3: Write the Action code in src/index.js
This handles pagination and calls 2 Admin APIs. Install deps first: npm install @forge/api @forge/resolver
Paste this into src/index.js:
```javascript
import Resolver from '@forge/resolver';
import api, { route } from '@forge/api';

const resolver = new Resolver();

resolver.define('get-group-members-full', async ({ payload }) => {
  const { groupId } = payload;
  const orgId = 'YOUR_ORG_ID'; // Replace this
  let allUsers = [];
  let cursor = null;

  // 1. Paginate through all group members
  do {
    // route`` URL-encodes interpolated values, so the cursor is passed as a
    // value rather than as a pre-built "?cursor=..." string.
    const res = await api.asApp().requestAtlassian(
      cursor
        ? route`/admin/v1/orgs/${orgId}/directory/groups/${groupId}/members?cursor=${cursor}`
        : route`/admin/v1/orgs/${orgId}/directory/groups/${groupId}/members`
    );
    const data = await res.json();
    allUsers = allUsers.concat(data.data);
    cursor = data.links && data.links.next
      ? new URL(data.links.next).searchParams.get('cursor')
      : null;
  } while (cursor);

  // 2. Get last login for each user from audit log - 180 days back
  const sixMonthsAgo = new Date();
  sixMonthsAgo.setDate(sixMonthsAgo.getDate() - 180);
  const fromDate = sixMonthsAgo.toISOString();

  const usersWithActivity = await Promise.all(
    allUsers.map(async (user) => {
      const auditRes = await api.asApp().requestAtlassian(
        route`/admin/v1/orgs/${orgId}/events?filter=account_id eq "${user.account_id}" and action eq "login" and created > "${fromDate}"&limit=1`
      );
      const auditData = await auditRes.json();
      // First matching login event, if any
      const lastLogin = auditData.data && auditData.data[0] ? auditData.data[0].created : null;
      const isInactive = !lastLogin;
      return {
        accountId: user.account_id,
        email: user.email,
        name: user.name,
        lastLogin: lastLogin,
        inactive180Days: isInactive
      };
    })
  );

  return { users: usersWithActivity, total: usersWithActivity.length };
});

export const handler = resolver.getDefinitions();
```
Important: Replace YOUR_ORG_ID with your actual Org ID.
Step 4: Deploy and install to your site
Deploy: run forge deploy
Install: run forge install, choose your site, product Confluence or Jira, allow asApp permissions
Admin consent: An Org Admin must go to admin.atlassian.com, Apps, your app, Grant access. This approves org.read scope.
Step 5: Connect it to Rovo
Go to Rovo Studio, Your Agent, Actions, Add action
Select Get Full Group Membership from your Forge app
Prompt your agent: Use get-group-members-full with groupId XYZ. Then list all users where inactive180Days is true and create a Jira ticket for each to review access.
How to get the Group ID
Go to admin.atlassian.com, Directory, Groups, click the group, copy the ID from the URL: it looks like .../groups/this-is-the-groupId
Limits to know
Rate limits: Admin APIs are about 100 requests per minute. The code above does 1 call per user for audit logs. For 500 users, add delays or batch.
Audit log retention: Atlassian only keeps 180 days of login events. Anything older returns null.
App install: Must be installed by an Org Admin the first time.
The biggest gotcha is usually the Org Admin consent in Step 4. If you are not an Org Admin, loop one in.
Once this is working, your agent can finally see all 500 plus users instead of just 50.
Regards,
Hemant
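The pagination loop from the post above, written so that it fails closed, as an added example that is not part of the original post and is not Atlassian code. `fetchPage`, `fakeDirectory` and `SAMPLE_PAGES` are hypothetical names, and the `links.next` URL shape is assumed from the code in the post.

```javascript
// fetchPage is an injected function: (cursor | null) => Promise<{status, body}>.
// In a Forge resolver it would wrap the group-members request.
async function collectAllPages(fetchPage, { maxPages = 1000 } = {}) {
  const items = [];
  const seen = new Set(); // cursors already followed, to detect loops
  let cursor = null;
  for (let page = 0; page < maxPages; page++) {
    const { status, body } = await fetchPage(cursor);
    if (status !== 200) {
      // Throw instead of returning what was collected so far: a partial
      // member list would silently drop accounts from the access review.
      throw new Error(`page ${page} failed with HTTP ${status}`);
    }
    if (!body || !Array.isArray(body.data)) {
      throw new Error(`page ${page} has no data array`);
    }
    items.push(...body.data);
    const next = body.links && body.links.next;
    if (!next) return items; // last page reached, dataset is complete
    cursor = new URL(next, 'https://api.atlassian.com').searchParams.get('cursor');
    if (!cursor || seen.has(cursor)) {
      throw new Error(`page ${page} returned an unusable or repeated cursor`);
    }
    seen.add(cursor);
  }
  throw new Error(`gave up after ${maxPages} pages`);
}

// Test double: serves constructed pages keyed by cursor ('' = first request).
function fakeDirectory(pages) {
  return async (cursor) => pages[cursor || ''] || { status: 404, body: null };
}

// Constructed two-page sample, not real directory data.
const SAMPLE_PAGES = {
  '': { status: 200, body: { data: [{ account_id: 'a1' }, { account_id: 'a2' }],
        links: { next: 'https://api.atlassian.com/members?cursor=c1' } } },
  c1: { status: 200, body: { data: [{ account_id: 'a3' }], links: {} } },
};

collectAllPages(fakeDirectory(SAMPLE_PAGES))
  .then((all) => console.log(`complete: ${all.length} members`));
```

A throttled second page (HTTP 429, which the rate limit mentioned above makes likely) rejects the whole call, so the agent never receives a list that looks complete but is not.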
I'm repeating it everywhere. Answers from AI cannot be treated as deterministic. They always must be revalidated.
Some custom Forge-based app should be able to handle that. Output from basic Rovo prompts will respect your Admin scopes, but on the other hand, you can't rely on it to expose all endpoints related to your permissions and call them. And from a security standpoint, it makes sense.
As for pagination, limited output of around 50 is pretty common. I've seen a couple of Q&As about that.
You should keep an eye on that, because Rovo is evolving on a daily basis, so what wasn't possible last month could be possible next.
Cheers,
Arek 🤠
You are hitting current Rovo platform limits. I ran into the same thing building an access review agent last month.
Short answers to your questions:
1. Can Rovo call Atlassian Administration REST APIs
Not directly today. Rovo Agents can only use the tools Atlassian exposes to them. The Admin APIs like /admin/v1/orgs/{orgId}/directory/users are not exposed as built-in actions yet. You cannot make arbitrary REST calls from a standard Rovo Agent.
2. Does Rovo inherit my Organization Admin permissions
No. The agent runs with its own service identity and only gets the scopes for the tools Atlassian gives it. Even if you are an Org Admin, the agent does not inherit those rights for Admin APIs. It only sees what the built-in user search tools can see.
3. Is jira_atlassian_user_search_by_query limited to 50
Yes. That tool has a hard cap of 50 results and no pagination parameters exposed to the agent. This is a known limit. The message you saw about startAt and maxResults is accurate.
4. Does the tool expose any pagination mechanism
No. There is no cursor, offset, or nextPageToken available to Rovo from that tool right now.
5. Any supported method to get complete membership of a large group
Not with built-in Rovo tools today. You will only get the first 50 users. For groups larger than that, the dataset will always be partial.
6. Is Forge Action or custom Action the recommended approach
Yes. This is the current recommended path. Build a Forge app with an Action that calls the Admin APIs using asApp or asUser with proper scopes. Then expose that Action to your Rovo Agent. Your Forge app can handle pagination and return the full list to the agent for analysis. You will need admin consent for the org.read scope.
7. Any documented limitations for Rovo accessing Admin APIs
Yes. The Rovo docs state that agents can only access product data through supported actions. Admin directory and audit logs are not exposed yet. Organization Admin role does not override this.
8. Can Rovo get Last Seen or Last Active for all users
Not today. The built-in user tools do not return last activity timestamps. The Admin API /audit endpoint has some login events, but again Rovo cannot call it directly. You would need a Forge Action to pull audit logs, calculate the 180 day threshold, and pass the result back.
9. Is user recertification a supported use case and recommended architecture
Atlassian has mentioned access review as a target use case for Rovo, but the native tools are not there yet. Recommended architecture today is:
Step 1: Forge Action that calls /admin/v1/orgs/{orgId}/directory/groups/{groupId}/members with pagination
Step 2: Same Action calls audit or login data to compute last active date
Step 3: Action returns a clean JSON list to Rovo
Step 4: Rovo Agent does the reasoning, flags inactive users, and generates the report or Jira tickets
Observed behavior is expected product limitation, not a permissions issue on your side.
You can track this gap under the Forge and Rovo roadmap. Search for Rovo Admin API access and Rovo pagination for user search in the Atlassian Developer Community. Add your use case. More votes will push it up.
For now, Forge Action is the only way to get full group membership and last active data into Rovo.
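The classification step of the architecture above (Steps 2 to 4), as an added example that is not part of the original answer and is not Atlassian code. The field names `account_type`, `account_status` and `lastLogin`, the `'atlassian'` type value for human accounts, and the 180-day log retention default are assumptions. The example goes slightly beyond the thread by treating the threshold as configurable.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// users: complete member list with lastLogin (ISO string or null) attached.
function buildRecertReport(users, { now, thresholdDays = 180, retentionDays = 180 }) {
  const report = { active: [], inactive: [], unknown: [], excluded: [] };
  for (const u of users) {
    const id = u.account_id;
    if (u.account_type !== 'atlassian') { // app, bot, service accounts
      report.excluded.push({ id, reason: `account type ${u.account_type}` });
    } else if (u.account_status !== 'active') {
      report.excluded.push({ id, reason: `account status ${u.account_status}` });
    } else if (!u.lastLogin) {
      // No login event in the retained log. That proves inactivity only when
      // the threshold fits inside the retention window; otherwise the account
      // goes to a human reviewer instead of being guessed at.
      const bucket = thresholdDays <= retentionDays ? 'inactive' : 'unknown';
      report[bucket].push({ id, idleDays: null });
    } else {
      const idleDays = Math.floor((now - Date.parse(u.lastLogin)) / DAY_MS);
      report[idleDays >= thresholdDays ? 'inactive' : 'active'].push({ id, idleDays });
    }
  }
  report.totalMembers = users.length;
  report.totalReviewed = users.length - report.excluded.length;
  return report;
}

// Constructed sample data, not real accounts.
const NOW = Date.parse('2025-07-01T00:00:00Z');
const SAMPLE_USERS = [
  { account_id: 'u1', account_type: 'atlassian', account_status: 'active', lastLogin: '2025-06-21T00:00:00Z' },
  { account_id: 'u2', account_type: 'atlassian', account_status: 'active', lastLogin: null },
  { account_id: 'u3', account_type: 'app', account_status: 'active', lastLogin: null },
  { account_id: 'u4', account_type: 'atlassian', account_status: 'inactive', lastLogin: null },
  { account_id: 'u5', account_type: 'atlassian', account_status: 'active', lastLogin: '2025-03-03T00:00:00Z' },
];

console.log(JSON.stringify(buildRecertReport(SAMPLE_USERS, { now: NOW }), null, 2));
```

Keeping this step in deterministic code and handing the agent only the finished buckets means the excluded accounts and their reasons are reproducible between review cycles.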
Hello @HEMANT SAINI,
Thank you for your support.
Yes, please provide detailed steps as I'm new to Forge.
Thank you in advance.
Regards,