Customer permissions to request REST API

Mikrukov Petr February 14, 2020

Hi,

I want to permit 3rd party software to request Service Desk API.

I added their email to Customers list. They got an Atlassian ID, created a token and so on, and then they tried to send a request to Service Desk REST API but got a bad request response stating there was an authentication issue.

To provide them API access, I had to add them to users list and to permit them access to Jira Service Desk product. As a result, they got access to back end web interface, although there were no projects available to them, but they have an option to create one.

Question is, how do I provide a permission to use REST API to customer without permitting him to access Service Desk interface itself? Except customer portal of course, it must be accessed as intended.

1 answer

0 votes
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 24, 2020

Hi Dmitry,

I understand that you want to grant customers access to the Jira Service Desk REST API.  It sounds like you might have added these users to the jira-service-desk-users group or equivalent user group in Jira Cloud.  Doing this makes those users Jira Service Desk Agents, and grants them access to the main Jira site. 

But this is not necessary to use the Jira Service Desk Cloud REST APIs.  In fact no group membership is needed at all for users that only exist in the customer role (see also Jira Service Desk: Agents, Customers, and Roles).  That said the customer account does need to be able to login to the Customer portal provided to them.  If they can do that, then they should also be able to make REST API calls to the endpoints in that reference link above, provided their account has the permissions needed to perform those actions.

If your customers are still having problems here, I would be interested to learn what specific endpoints they are trying to call, and any specific details you can provide about the syntax of their API requests, perhaps we can better understand the specific error message they are seeing this way as well. 

Please let me know.

Andy

Mikrukov Petr March 2, 2020

Hi Andy,

Thanks for reply, I'll try to do as described and let you know if this works.

Mikrukov Petr March 3, 2020

Hi,

Cannot post anything here, Reply button won't work

Mikrukov Petr March 3, 2020

Looks like large text won't submit. Trying to break my reply in parts.

Pre-conditions:

  1. User is in Customers list and in Users list
  2. User has an Atlassian ID and got token to access REST API
  3. I have all requests imported from https://developer.atlassian.com/cloud/jira/service-desk/rest to Postman
  4. I added Authorization header to Postman collection
Mikrukov Petr March 3, 2020

I tried 2 scenarios.

First, user has been granted site access:

1. GET rest/servicedeskapi/request? completes successfully and returns all user's tickets

2. POST base_url/rest/servicedeskapi/request completes successfully and creates the ticket.

Second, site access has been revoked but user is still in Users list

1. GET base_url/rest/servicedeskapi/request? returns empty response (size: 0)

2. POST base_url/rest/servicedeskapi/request returns error "sd.agent.servicedesk.error.project.nopermission"

Mikrukov Petr March 13, 2020

Any response? I still cannot do what I want. Examples above are just to clarify what is going on

Andy Heinzer
Atlassian Team
March 16, 2020

Hi Dmitry,

Sorry, I did not understand from your previous response that there was still a problem here.  Let me try to reassess what is happening here.

The user in the second site has been revoked.  What exactly do you mean?  The user has been deactivated on that Jira site?  In a case like that, I do not expect that the user can then interact with that site.  If the user cannot logon to that Atlassian Cloud customer portal site, then I would not expect that they could reach the REST API endpoints in question either.

I think what happened here is that you might have added these users to the group called jira-servicedesk-users (or another group name that grants product access to JSD).  Doing this grants those users Agent level access.  When they have that, they can login to the main Jira site and see all JSD requests in most cases.   I gather you don't really want that, as each user counts as a licensed user in Service Desk.  Instead you just want to grant that user access to the Service Desk customer portal.  

First check your Cloud product access levels.  Details on how to do this are in Update product access settings.  Only licensed users should be in the groups listed here.  Specifically see which groups are set up to give access to Jira Service Desk, then compare the members of those groups in the Cloud admin panel.  I suspect you want to first remove all the users here that are supposed to only be customers.  And leave anyone that needs to have this Agent role access level.

After that is done, try to follow the steps in Adding a customer to a Service Desk project.  This will let you add those users that you want just as customers in Jira Service Desk.  This should give them just the access to the customer portal, not the main Jira site.

Once this is done, those users should then at least have access to the customer portal and not the main Jira interface.  Let me know if this helps or if you run into any problems here.

Andy

Mikrukov Petr March 17, 2020

Hi Andy,

Sorry for my poor English, I possibly just could not clarify the situation.

In my previous comments I have described 2 cases:

1. Customer was added to Jira users group and granted site access. As a result, customer is able to use REST API.

2. Customer is still in Jira users group but site access permission has been switched off. As a result, customer could not use REST API (error "sd.agent.servicedesk.error.project.nopermission"). Also the customer is not able to use API when he is in Customers group only.

Everything I need is to permit customer, being in Customers group only, to have permission to use REST API.

You said, if customer has access to portal, he also has a permission to use REST API, but this is not so. This is not working.

Andy Heinzer
Atlassian Team
March 18, 2020

Hi Dmitry,

No need for you to apologize here, I think I need to apologize instead.  When I reviewed the steps I suggested, I believed it was possible for customers to create their requests via the REST API.  However upon further investigation, I tried to follow my own steps.  And in turn I found that this is not currently possible. 

I walked through the existing documentation we have on this, and I too came up with an error of

"errorMessage":"You don't have permission to access this Service Desk.","i18nErrorMessage":{"i18nKey":"sd.agent.servicedesk.error.project.nopermission","parameters":[]

when I made that request as a user that was in the project, but only in the customer role.  I was able to perform that call as an Agent, but in my view the call to create a request is not something I expect to be limited to only users in the Agent role here (unless of course you were using the raiseOnBehalfOf or the requestParticipants parameters; those are restricted so that customers can't use them).  Which is what you were reporting earlier I realize now.

Sorry to confirm your reported behavior here.  Reading through the existing documentation I don't believe this behavior is the expected one. So I created a bug on this over in JSDCLOUD-8961.  It may be that I have misunderstood the reference materials in regards to their scope of permissions, but if that's the case then I believe that we (Atlassian) need to do a better job at making this explicit in the documentation we have on this topic.

Sorry I do not have a better solution at this time.  From looking at this for a while it seems like only the user account in the Agent role has this ability in the REST API right now.

Andy

Mikrukov Petr March 18, 2020

Hi Andy,

Thanks for the efforts and reply. I will be watching the progress.

Andy Heinzer
Atlassian Team
March 20, 2020

Hi @Mikrukov Petr 

I tried to recreate this problem again from the beginning. I created a new Service Desk classic project, I got the same error when using my Atlassian.com account here to make the REST call.

Then tried it again but with a different account, this was a yahoo.com email address account I had.  I had to generate an API token, created the encoded string, added that user as a customer to the project, then tried to use the REST API POST command with basic auth. Creating a request via REST worked successfully for that user.

The settings between the two accounts appear to be identical in terms of product access (both have none here, just customers), in project access (again both just customers), and no changes have been made to the default permission scheme of the JSD project.  This is really confusing to me.  I can't yet see what is different between the two accounts.   Both can login to the customer portal just fine and make requests that way.  But there appears to be still some kind of difference getting applied to my Atlassian account on this Cloud site in terms of REST API authentication needed for Service Desk specific functions. 

Just wanted to let you know what I have been testing here.  I'll push this info back to the bug ticket I created and I hope to get some more insights on this soon.

Andy

Mikrukov Petr March 20, 2020

Hi Andy,

Thanks for letting me know! That's very good you could reproduce my situation. I started to think the reason was me and my skills.

Anushaath August 20, 2020

Hello @Andy Heinzer,

I had a similar issue and followed the similar steps. However I was using it on '/rest/servicedeskapi/servicedesk' endpoint.

And I got this response:

`{"message":"Client must be authenticated to access this resource.","status-code":401}`

Steps I followed:

 1. Add a Customer on the Service Desk.
 2. Customer logs in through the invite email.
 3. Customer able to see the customer portal.
 4. I use customer email ID and an api token to form the request.

What could be the problem?

Andy Heinzer
Atlassian Team
August 20, 2020

@Anushaath I suspect that your request is not properly formatting the auth here.  That would explain your error.  Please take a close look at Basic auth for REST APIs, you should be able to take the email address and API token of that user in order to form it into a string of

email:token

and then base64 encode that string and use that encoded string to pass the authorization in header as described in the supply basic auth headers section of that document.
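The header construction described in the reply above, as an added example that is not part of the original thread and is not Atlassian's code: it builds the `Authorization` value from `email:token` and checks an existing value for the formatting mistakes that commonly sit behind a 401. The function names, the email address and the token are constructed for illustration.

```python
import base64
import binascii


def build_basic_auth(email, api_token):
    """Return the Authorization header value for email:token basic auth."""
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def diagnose_basic_auth(header_value):
    """Return a list of formatting problems found in an Authorization value."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return ["header must have the form 'Basic <base64 string>'"]
    problems = []
    if encoded != encoded.strip():
        problems.append("whitespace around the base64 string")
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
        decoded = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        # Typical cause: email:token was sent without being encoded at all.
        return problems + ["value is not valid base64 of UTF-8 text"]
    if decoded != decoded.strip():
        # Typical cause: `echo` without -n appended a newline before encoding.
        problems.append("encoded string has leading or trailing whitespace")
    user, sep, secret = decoded.strip().partition(":")
    if not sep:
        problems.append("decoded string has no ':' between email and token")
    else:
        if "@" not in user:
            problems.append("part before ':' is not an email address")
        if not secret:
            problems.append("token after ':' is empty")
    return problems


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    good = build_basic_auth("customer@example.com", "EXAMPLETOKEN")
    print(diagnose_basic_auth(good))  # no problems expected
    bad = "Basic " + base64.b64encode(b"customer@example.com:EXAMPLETOKEN\n").decode()
    print(diagnose_basic_auth(bad))   # reports the trailing newline
```

A clean result only rules out header formatting; the `sd.agent.servicedesk.error.project.nopermission` response reported earlier in the thread is an authorization outcome that this check does not cover.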

Olivier September 23, 2020

I'm having the same issue with the 401 error. Checked with 2 customer email addresses (with email:api-token encoded as base64), trying to access:

https://mySITE.atlassian.net/rest/servicedeskapi/request
