Hi everyone,
I am trying to generate a comprehensive audit report of all the groups within our Atlassian organization. Specifically, I need a list that shows:
Every group (including legacy or empty groups that currently have 0 users).
The users inside those groups.
The Apps/Product Access assigned to each group (e.g., Jira Software, Confluence, Jira Service Management).
What I've tried so far:
UI User Export: Running a user export from admin.atlassian.com gives me the apps and groups, but it only shows groups that currently have active users assigned to them. Empty groups are completely left out of this report.
Organization API v2: I tried writing a script using the (https://api.atlassian.com/admin/v2/) endpoints (specifically /groups/search with expansions). I had generated an personal API endpoint. I have site admin role so i can access admin.atlassian.com
but when i query it via the script i get error saying "401 Unauthorized error". I was doing bearer authorization but ofcrouse my token is personal.
I can query this endpoint though using basic authentication, my email ID, site name and the api token.
{JIRA_URL}/rest/api/3/group/bulk
Why is this failing?
As a site admin can I not consume the the api.atlassian.com endpoint via basic authentication??
Do i need to get a bearer API token?
You need to use a bearer token to access the Admin API; a personal API token or basic authentication won't work. That's why you're getting the 401 Unauthorized error.
Two different auth planes, and that's the whole of it. Calls to your site host take basic auth with your email plus a personal API token, which is why group/bulk works for you. Point that same token at api.atlassian.com/admin and it dies both ways: basic gives you 401, bearer gives you 401. That host wants an Admin API key, a separate credential you create at admin.atlassian.com under Settings, API keys, and then send as a Bearer token. Worth knowing org admin and site admin are distinct roles up there too, so if that page isn't showing you anything, that's your next thread to pull.
Better news. Your three requirements don't need that API at all.
Every group including the empty ones is GET /rest/api/3/group/bulk on basic auth, the credential you already have working. It lists groups whether or not anyone is in them, which is the exact thing the UI export drops on the floor. Members per group is GET /rest/api/3/group/member?groupId={groupId}.
Product access by group is GET /rest/api/3/applicationrole. It arrives inverted, product by product with the groups listed underneath, so you flip it in the script. Cheap to do. That endpoint is Jira's own though, which means Software and Service Management land in it while Confluence access doesn't. For the Confluence half you're back at the admin API with a real key.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.