Hi, I am trying to use the Terraform provider to programmatically manage Atlassian Operations / Jira Service Management (Cloud). I want to create a dedicated user for issuing the necessary API token and, to adhere to the principle of least privilege, I wanted to know what level of admin role this dedicated user would need to create the resources the provider supports. The docs of the Terraform provider only state "This must be an admin account." [1].
I read on https://support.atlassian.com/jira-service-management-cloud/docs/work-with-operations-global-admin/ that there are two types in JSM: Product admin and Operations global admin. So my question is: What admin role does the user who issues the API token for the Terraform provider need to have?
Thanks in advance!
I’m not familiar with Terraform, but from what I understand, if you want to use the Terraform provider to manage Jira Service Management Cloud, especially the operational features like teams, alerts, schedules, and integrations, the API token you use must come from a user with admin privileges for those operations. There are two roles that qualify: Operations Global Admin, which can manage operational features within Jira Service Management Cloud such as teams, alerts, schedules, and integrations, and Jira Product Admin, which has all the Operations Global Admin permissions plus full admin rights across Jira.
Because, as far as I can tell, Terraform manages operational resources, the user needs to be at least an Operations Global Admin. Having Jira Product Admin rights also works but gives more access than necessary.
Also, API tokens reflect the permissions of the user who created them. There aren’t special system tokens, so the best practice is to create a dedicated service account with the proper admin role and use its API token. Keep in mind that API tokens expire after one year, so you’ll need to rotate them regularly.
Hope this helps!
Hi Christos, thanks for your response.
Just as feedback: I have created a dedicated user and it was assigned the role 'Operations Global Admin', but this user still can't create a new team.
When I try to create a team as this dedicated user via the web UI, I get the error message "We can't create your team
You don't have access to create teams in this organization."
Also, when using this user's email and unscoped API token, I get an error even when trying to access its own ID.
Terraform manifest:
1  terraform {
2    required_providers {
3      atlassian-operations = {
4        source  = "registry.terraform.io/atlassian/atlassian-operations"
5        version = "1.1.7"
6      }
7    }
8  }
9
10 provider "atlassian-operations" {
11   cloud_id      = var.cloud_id
12   domain_name   = var.domain_name
13   email_address = var.email_address
14   token         = var.token
15 }
16
17 data "atlassian-operations_user" "self" {
18   email_address = var.email_address
19 }
20
Error:
data.atlassian-operations_user.self: Reading...
Planning failed. Terraform encountered an error while generating this plan.
│ Error: Client Error
│
│ with data.atlassian-operations_user.self,
│ on main.tf line 17, in data "atlassian-operations_user" "self":
│ 17: data "atlassian-operations_user" "self" {
│
│ Unable to read user, got an empty response. This could be due to invalid credentials or no user being found for the given email address
╵
So the role 'Operations Global Admin' is definitely not sufficient to create teams in Jira Service Management Cloud.
My follow-up question would be: what additional permission or role does a user need to create at least teams?
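The provider error above does not distinguish "wrong credentials" from "no permission". The following pre-flight check, added here as an example and not code from the thread or from the provider, authenticates the same email and API token directly against the Jira Cloud REST endpoint GET /rest/api/3/myself (with expand=groups) and reports which groups the service account belongs to, so the role question can be separated from a bad token. It assumes domain_name is the site hostname (for example example.atlassian.net) as used in the provider block.

```python
"""Pre-flight check for a Terraform service account on Jira Cloud.

Added example. Assumes the site hostname (e.g. example.atlassian.net, the
same value as var.domain_name) and the real Jira Cloud endpoint
GET /rest/api/3/myself?expand=groups, authenticated with HTTP Basic
(email as username, API token as password).
"""
import base64
import json
import sys
import urllib.error
import urllib.request


def basic_auth_header(email, token):
    # Atlassian API tokens are used as the Basic-auth password, so the token
    # carries exactly the permissions of the account that created it.
    raw = f"{email}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def interpret(status, body):
    # Map the HTTP outcome onto the question a least-privilege review asks.
    if status == 401:
        return "rejected: email/token pair is invalid or the token was revoked"
    if status == 403:
        return "authenticated, but the account has no access to this site"
    if status == 200 and body:
        groups = [g.get("name") for g in body.get("groups", {}).get("items", [])]
        return (f"ok: accountId={body.get('accountId')} "
                f"active={body.get('active')} groups={groups}")
    return f"unexpected response (HTTP {status})"


def check_service_account(domain_name, email, token):
    url = f"https://{domain_name}/rest/api/3/myself?expand=groups"
    req = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(email, token),
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return interpret(resp.status, json.load(resp))
    except urllib.error.HTTPError as e:
        return interpret(e.code, None)


if __name__ == "__main__":
    # Usage: python check.py example.atlassian.net svc@example.com "$TOKEN"
    print(check_service_account(*sys.argv[1:4]))
```

If the check returns "ok" but Terraform still fails, the token is fine and the remaining problem is the role or group membership printed in the output.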