The Dark Side of JIRA Administration: Have You Crossed the Line?

As much as possible, we will prefer using ScriptRunner to do bulk updates via the Jira SDK and groovy scripts.

It is risky to do direct database edits because the relationship is complex and Jira is very extensible with plugins. It is not a trivial task to understand the data usage and design assumptions of each and every apps installed in the system.

The most scary problem is it is ok during testing/verification, but the error surfaced only after a few months. It could mean data patching or data integrity or even data loss.

One way to reduce the risk is to countercheck with Atlassian.
They do provide a number of SQL scripts for patching in the Confluence KB.

Another question that popped up is how does Jira Cloud users tackle similar issues?

They do not have access to the database and Jira logs.

So is database manipulation really necessary?

If possible, I try to use database access only to get the relevant information and use the methods of the Jira class libraries via Scriptrunner for data manipulation.

In rare exceptional cases (moving users between directories) I have done this through direct database manipulation using stored procedures. Whereby I check and ensure data integrity during the changes.

All operations are verified intensively on test environments before run the changes in production.

Count me as another vote for the wonders of Adaptavist's Scriptrunner utility.  Saved my bacon a significant number of times. 

Atlassian does have advice on a number of database modifications that can be done using example scripts from their documentation, many of which I have had to do at least once.

Though I do have one "Forbidden Jira Administration" technique - our users use Jira to track ALL of their time, and there are a couple of shared cards that have MASSIVE numbers of worklogs attached to them (one had over 10,000 at one count).  I have had zero success enticing users to stop doing it, so my forbidden technique involves taking the worklogs in blocks of 1000 and changing the card they are associated with using direct database modification. 

We need to disable accounts after ninety days of inactivity.  Although, we don't directly change the database, we do query the database for last login dates.

Seems like a good start of the Anarchists Cookbook for Jira. 

I don't think I have anything too controversial to list, mainly use the DB for read-only maintenance tasks such as:

• Deactivating inactive accounts
• Find users without avatar pictures and syncing them from Slack
• Automatically archive projects if they have the word Archive in them
• Delete asset log history directly in the DB
• Clean-up invalid inactive/assignees on Service Desk portals
• Finding & Scrub PII information from tickets

I also do some light-weight modification of sources. For example, we needed higher number precision in our number fields (0.0005 for example). And still limping along by patching an unsupported Watchers plugin.

I too used to do lots of DB changes for migrations and merges of various kinds. When ScriptRunner came out, I could do lots of that with scripts, which feels safer. The testing is still needed of course.

What makes me raise an eyebrow is the advice from Atlassian not to manipulate the database (especially with Jira running) and then the Knowledge Base articles that give SQL on how to fix a problem.

And I'm going to admit here that if some DB value in Jira isn't cached, then they can be updated while Jira is running. Just test it thorougly and be prepared to restart production if you got it wrong!