Hi everyone,
I’m trying to better understand how permissions for third-party (Connect) apps are handled in Jira Cloud, and I’m running into some inconsistencies.
From my understanding:
• Apps can call the REST API in app context (without a user), e.g. via ACE (addon.httpClient({ clientKey }))
• Permissions should then be governed by:
• the scopes defined in the app descriptor
• plus the Jira project permissions
When an app creates an issue, a kind of “app user” shows up (e.g. as reporter or in history).
⸻
What’s confusing:
• Previously, it seemed possible to control permissions via security schemes / groups by adding the app user to a group
• Today:
• App users are no longer visible/manageable in User Management
• “Manage users” only applies to Atlassian accounts, not third-party apps
• I cannot add the app to any group
⸻
The problem:
If I configure a permission or issue security scheme like:
Only group X can access / transition issues
→ the app loses access
But:
• I cannot assign the app to that group
• and there seems to be no alternative way to explicitly grant access
⸻
Questions:
• How are permissions for Connect apps supposed to be managed today?
• Is there any supported way to include apps in permission schemes?
• Or is the expected approach to avoid group-based restrictions if apps need access?
I couldn’t find clear or up-to-date documentation on this.
Would really appreciate any guidance or best practices here.
Thanks!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.