user/search API returning empty list `[]`

> Permissions required: Browse users and groups global permission. Anonymous calls or calls by users without the required permission return empty search results.

How can I check via API that the admin who connected has this permission? 

By the way, I tried your other suggestions and it still didn't work.

Hi @Nitin Patel ,

Please notice that in my reply I asked to run the request using curl and to paste the output (anonymized) in here:

Therefore, can you kindly run the following curl command against your instance and paste the results in your reply removing the sensitive data like shown below?

curl -u <EMAIL-ADDRESS>:<API-TOKEN> -D- -X GET "https://<NAME>.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"
 

HTTP/2 200 
server: AtlassianProxy/1.15.8.1
[...]
date: Fri, 10 Apr 2020 12:40:25 GMT
atl-traceid: 4e5300a61b1fd8ab
x-arequestid: 75d19ba1-eef9-490a-bfbc-6271f33c2b4f
[...]
 

[{"self":"https://<NAME>.atlassian.net/rest/api/3/user?accountId=5bacXXXXXXXXXXXXXXXXXXbd","accountId":"5bacXXXXXXXXXXXXXXXXXXbd","accountType":"atlassian","emailAddress":"aXXXXXXXXX@atlassian.com","avatarUrls":{"48x48":"https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/5bacXXXXXXXXXXXXXXXXXXbd/dac690af-6307-4655-893c-691c5900a5fb/128?size=48&s=48","24x24":"https:.....
[...]

 

Also, once done, please let me know date, time and timezone you have run the request so I can go check the logs.

Cheers,
Dario

oh, sorry I didn't understand you earlier. 

Time: 15th April, 1:51 AM IST (Indian Standard Time)

curl

curl --location --request GET 'https://censia.atlassian.net/rest/api/3/user/search?query=&maxResults=1000' \
--header 'Authorization: Basic <creds redacted>' \
--header 'User-Agent: PostmanRuntime/7.22.0' \
--header 'Accept: */*' \
--header 'Cache-Control: no-cache' \
--header 'Postman-Token: f7c5a5ec-68fe-47c2-ae53-c0fc26c0a97f' \
--header 'Host: censia.atlassian.net' \
--header 'Accept-Encoding: gzip, deflate, br' \
--header 'Cookie: atlassian.xsrf.token=BVO6-FIVX-S7K8-OJT0_f2e6e558f2657b1983340d2de40e6c40bc611a33_lin' \
--header 'Connection: keep-alive'

result is empty list `[]`

by the way, I'm using basic authentication with email address and API Token and not username/password.

Hello @Nitin Patel ,

I can see you have access to 3 different Jira sites and I am not sure which one you are using for the tests. 

Looking at the logs of Rxxxxx.atlassian.net I can find some /rest/api/3/user/search requests at the given time (15th April, 1:51 AM IST -> 14th April 22:19 CEST/CET):

Time | Method | Uri | Status | Size| Time | User Agent 

However, the above requests do not look like the one you pasted above. Indeed:

1. The status code returned is 400 (Bad Request)
2. They are still showing '/rest/api/3/user/search?username=' while in your example you use '/rest/api/3/user/search?query=' 
3. The user agent in the logs is "python-requests/2.20.0" and not "PostmanRuntime/7.22.0"

It looks like above requests are coming from some python code and the request is somehow wrong. Also, in Jira logs last thing logged is a call to get user permissions. So it could also be related to the lack of "browse users permission".

Therefore, in order to proceed:

1. Confirm which instance you are using for the test
2. Since you are site-admin in the other 2 instances, you might want to check in there:
   1. if you have browser user Global permission (see the managing global permission page for details)
   2. if you are able to run the request in there using the provided curl example
   3. if you get results pasting: "https://<NAME>.atlassian.net/rest/api/3/user/search?query=&maxResults=1000" in your Internet browser address bar (after logging-into Jira).
3. Run the below curl request (not a similar one and not with postman, run exactly the below request) and paste the results in here

curl -u <EMAIL-ADDRESS>:<API-TOKEN> -D- -X GET "https://<NAME>.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"

Cheers,
Dario

I'm not using any of those. It is https://censia.atlassian.net

and it is my customer's account. They've shared their API Token with us, I'm just making a call with the API token they gave me. The email is admin@censia.com

I don't have access to their jira account, just the API token. So, regarding your point about permissions, is there a way I can check permissions using the API? 

finally, I ran the exact command you gave, it's returning empty list []

Here's screenshot:

Hi @Nitin Patel ,

To check if the user you use to authenticate the REST API calls has browse user permission, you can call:

• https://censia.atlassian.net/rest/api/3/mypermissions?permissions=USER_PICKER
  

  {
    "permissions": {
      "USER_PICKER": {
        "id": "27",
        "key": "USER_PICKER",
        "name": "Browse users and groups",
        "type": "GLOBAL",
        "description": "View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site.",
        "havePermission": true
      }
    }
  }

To get the list of all the available permissions:

• https://censia.atlassian.net/rest/api/3/mypermissions

For more details see:

• Get my permissions
• Get all permissions

Let me know if this helps, otherwise I will proceed checking the logs for the given instance.

Cheers,
Dario

Also @Nitin Patel ,

Please also notice that what you get is exactly the result I get when I am not authenticated:

$ curl -D- "https://censia.atlassian.net/rest/api/3/user/search?query=&maxResults=1000"

HTTP/2 200 
server: AtlassianProxy/1.15.8.1
vary: Accept-Encoding
cache-control: no-cache, no-store, no-transform
content-type: application/json;charset=UTF-8
strict-transport-security: max-age=315360000; includeSubDomains; preload
date: Thu, 16 Apr 2020 10:46:22 GMT
atl-traceid: 7c2c9cc106c965f9
x-arequestid: d3e19c4c-2d0f-4a08-a6fb-a69316d5b0b2
x-xss-protection: 1; mode=block
timing-allow-origin: *
x-content-type-options: nosniff
set-cookie: atlassian.xsrf.token=BVO6-FIVX-S7K8-OJT0_208061576a953ce06a61c06df797858aa3b5594a_lout; Path=/; Secure
expect-ct: report-uri="https://web-security-reports.services.atlassian.com/expect-ct-report/global-proxy", enforce, max-age=86400

 

[]

So, by calling the  /rest/api/3/mypermissions endpoint you should be able to determine whether the authentication credentials are not working/correct or if your user does not have browse users permission.

Cheers,
Dario

Hey, 

I think I found the root cause is that the admin doesn't have USER_PICKER ie "Browse users and groups". 

Thanks for your help!

You are very welcome @Nitin Patel , I am happy to know I was able to help! :) 

I am accepting the answer so that this thread will be marked as resolved.

Have a nice day,
Dario

I am seeing this exact same issue, when checking the USER_PICKER permission, it is granted, however the user search API still returns no results.