Why am I getting "Access to the resources was denied due to missing scope"?

Hello Saravana,

Matt from Cloud Support, primary Confluence! I was chatting with some of our social teams and they asked me to take a look at this. I recently went through the process of figuring some of this out myself, so I am happy to share the knowledge where I can!

Based on your description, and the screenshot provided, it looks like you’re trying to:

• pull group information from your Confluence site.
• See which users are part of specific groups. 

Considerations:

You won't be able to work with Product groups at the organization level with the Cloud Admin API. The Atlassian management system is arranged similarly to how permissions/restrictions work. Within an Organization, you may have multiple sites, composed of different Atlassian product instances. All of these sites share the organization's user-base, however groups currently are managed at the site level.

Getting Started

Pulling a list of all groups from the Confluence Cloud REST API

- Documentation: https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-get

1. First things first, we need a product level API key! You can find instructions on generating one of these in the reference panel below: [1] - Generating an API Key at the product level. 
2. Now that we have an API key for the products, lets hit just the group endpoint with a GET request! I'll be using Postman to demonstrate this. 
   1. Open PostMan
      1. Select, GET and Enter the API endpoint url: https://[yoursite].atlassian.net/wiki/rest/api/group
         1. Make note to replace "[yoursite]" with the name of your site. 
      2. In Postman, under authorization 
         1. Select Basic Auth - see [2] - Product REST API Authentication 
            1. Enter your email address in the username field
            2. Enter your API Key generated in step 1 in the password field
         2. This should be all we need for now. Go ahead and hit SEND in postman. You should get back a response body with all the groups you have access to on your site. 
            1. Nested within the response body should be the ID(s) of all the related groups. 
      3. Below, you'll find a de-identified screenshot demonstrating my Postman setup from the instructions above. 

Pull Users via a group name

- Documentation: https://developer.atlassian.com/cloud/confluence/rest/v1/api-group-group/#api-wiki-rest-api-group-groupname-member-get

After following the steps above, we should have gotten a list of groups with self-identifying links we can use in the response body to get a list of the users in the group: 

1. Grab a group name from the response body, or one you already have. 
2. Change your request URL: 
   1. from: https://[yoursite].atlassian.net/wiki/rest/api/group
   2. to: https://[yoursite].atlassian.net/wiki/rest/api/group/[groupname]/member
      1. EX: https://matt.atlassian.net/wiki/rest/api/group/administrators-matt/member
      2. This should give you a response back containing the users that are in the Confluence groups. 

I hope this helps! Please let me know if you have any questions on the information above, or if you're getting stuck somewhere along in the process. 

- Matt

----

References

[1] - Generating an API Key at the product level.

1. Create an API token from your Atlassian account:
2. Log in to https://id.atlassian.com/manage-profile/security/api-tokens.
3. Click Create API token.
4. From the dialog that appears, enter a memorable and concise Label for your token and click Create.
5. Click Copy to clipboard, then paste the token to your script, or elsewhere to save for later

• NOTE: once you have exited the dialog you won’t be able to view the API Key again, so make sure you store it in a safe place
• NOTE: Never share this API key with anyone!

[2] - Product REST API authentication

Officially, basic authentication via the REST API, user@example.com:password has been deprecated. Instead what you will need to do to authenticate is by replacing your account password in the basic auth header with the API Key generated in Reference block [1] above.