Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,368,644
Community Members
 
Community Events
168
Community Groups

Jira Cloud API Token Permissions (How to limit permissions)

Edited

Hi Everyone,
We currently use JIRA Cloud  as our ticket management/issue tracking system. We have multiple projects boards setup in our Jira Instance.

We are looking integrate JIRA into our project management tool to pull in tasks from one of our projects in JIRA. 

What is the best way of limiting the API token's access to just one project? 

From my understanding, Jira API Token's are limited to the permissions set on the user profile. For instance, if a user profile is given access to particular project, the API token generated from that account will only be able to access the projects/resources associated to that account. Is this the correct assumption? 

 

2 answers

Is there a feature request for this that I can follow?

0 votes
Warren Rising Star Oct 18, 2019

Hi @Raunak  

I feel as if you've answered your own question :-)

Yes, the token only allows access to whatever that user has access to in Jira, so if you want a token that can only access 1 project, ensure that the user can only access that 1 project.

@Ivanov, Kyrylo [Global IT] as far I know/observed, the api is provided with the same permissions as the user generating it. It is not possible to have scenario you described.

This implementation is a joke. You need to create and mange dummy user accounts for every API token. And I assume each of these accounts counts as a "seat" in your licence fees?

Even worse, there's no facility to impersonate users so you also have to mess-about actually logging into Jira as the dummy user in order to create/revoke/etc. the associated API token.

Am I the only one thinking this is madness. Sensible platforms, like GitLab to name one, allow you to tailor the permissions on the API token at the point of its creation...

Like # people like this
Capi _resolution_ Marketplace Partner Feb 10, 2021

That's how it works in Bitbucket on premise @Steve Revill . It will propagate to the remaining applications, but it might take some time.

Like Steve Revill likes this

Thanks for the response. Am I missing something? For example, if I create three API tokens, I can somehow constrain them so that each can, for example, only access a specific project respectively? Or is the official line that I need a unique dummy user for each API token?

Edit: apologies - having re-read the previous post, I realise I misinterpreted the answer. It is: the better (IMO) way of doing things will be coming to Jira at some point.

Like Chaim Paperman likes this

@Steve Revill i believe you can't. The API Token will align to the user's privileges. And no, you're not the only one deprecating this risky feature. In fact, i just bumped into this.

Like Chaim Paperman likes this

This is definitely a HUGE security concern. 
There is no reason you shouldn't be able to limit what API tokens have permission to. 

If an application becomes compromised and leaks the API Tokens, having full permissions to the Atlassian portal is a big risk. 

Like # people like this

Suggest an answer

Log in or Sign up to answer