Using Atlassian System User Accounts for API-Triggered Backup Downloads: Is It Safe and Necessary?

Alexandrina Esti July 2, 2024

Dear Atlassian Community,

At my organization, there is the urge and need to use the Atlassian API to trigger automated backup downloads for e.g. Jira, Confluence, etc.

The senior admin here insists that an Atlassian system user account is right for this purpose.

However, I am having some doubts.

First of all, as you might have noticed, the System User Accounts are poorly documented to say the least. Probably Atlassian have some reasons for this. I have experience with system accounts of other companies providing software solutions and I know this tends to be so.

Aren't system user accounts a bit of an overkill for something like creating a token for sending GET requests to the Atlassian API?

Are they safe to use via the API in general?

Aren't they like service accounts for only Atlassian staff to use? That's at least my understanding atm.

Kind regards,
Alex


2 answers

1 vote
Vish Reddy {Revyz}
Community Leader
July 3, 2024

Hi @Alexandrina Esti 

In the cloud, as far as I am aware, there is no concept of an Atlassian System User, compared to Data Center / Server.

Having said that, if you are writing a script to trigger a backup, the best practice would be to create a user account specifically for integrations or background tasks; call this the "service account".

This account would have limited permissions assigned based on its intended purpose. This approach requires managing an additional user account, so consider the number of user licenses you have available.

The downside of this approach is that there is an API token being exchanged and you would be storing the token in a script somewhere in clear text. Depending on the security risk appetite of your organization, that may or may not be acceptable for your organization.

Another alternative would be for you to create a private app which does what you are looking for except that the authentication mechanism would be a JWT.

You can find more information on the JWT here.
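The service-account approach from this answer, as an added example that is not code from the thread: a Python script that takes the service-account e-mail and API token from environment variables (populated by a secret manager or CI vault at run time) instead of embedding the token in clear text, and that calls the Jira Cloud backup endpoints used in Atlassian's published backup automation scripts (assumed here; verify the paths against current Atlassian documentation). The progress JSON parsed below is a constructed sample.

```python
"""Trigger a Jira Cloud site backup with a dedicated service account.

Added example, not code from the original thread. Assumptions: the endpoint
paths follow Atlassian's published backup scripts (/rest/backup/1/export/...),
and the service-account e-mail and API token arrive via environment variables
so the token never sits in the script file or in version control.
"""
import base64
import json
import os
import urllib.request


def auth_header(email: str, token: str) -> str:
    """Atlassian Cloud API tokens are sent as HTTP Basic auth: base64(email:token)."""
    if not email or not token:
        # Fail closed: never fall back to a hard-coded or default credential.
        raise ValueError("service-account e-mail and API token are required")
    return "Basic " + base64.b64encode(f"{email}:{token}".encode()).decode()


def credentials_from_env() -> tuple:
    """Read credentials at run time (env vars filled by a secret manager)."""
    return (os.environ.get("ATLASSIAN_SA_EMAIL", ""),
            os.environ.get("ATLASSIAN_API_TOKEN", ""))


def build_backup_request(site: str, email: str, token: str) -> urllib.request.Request:
    """POST that starts a cloud export; 'site' is the <site>.atlassian.net prefix."""
    body = json.dumps({"cbAttachments": "true", "exportToCloud": "true"}).encode()
    return urllib.request.Request(
        f"https://{site}.atlassian.net/rest/backup/1/export/runbackup",
        data=body, method="POST",
        headers={"Authorization": auth_header(email, token),
                 "Content-Type": "application/json",
                 "Accept": "application/json"})


def backup_status(progress_json: str) -> tuple:
    """Parse a getProgress reply: (finished, download path). Sample format assumed."""
    p = json.loads(progress_json)
    done = p.get("status") == "Success" and bool(p.get("result"))
    return done, p.get("result", "")


if __name__ == "__main__":
    email, token = credentials_from_env()
    req = build_backup_request(os.environ.get("ATLASSIAN_SITE", "example"), email, token)
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call, not run in tests
        print(resp.status, resp.read().decode())
```

Grant the service account only the permissions the backup endpoint needs, and rotate the token on the same schedule as other machine credentials.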


Alexandrina Esti July 5, 2024

Good morning @Vish Reddy {Revyz} ,

That answer is far more satisfying than the other from Daria :) ;) ;) 

Indeed, Atlassian also confirmed there basically isn't such a thing currently on Cloud; that's some redundant and old term, used wrongly in the wrong context by the wrong people.

Well, the other thing that also worries me is that API access has been given to that very Admin account, which they wrongly call the "Jira System User" account and which is in fact simply a Jira Admin account and nothing more. It is in the site admins and jira admins groups.

What kind of potential security issues come to mind, when you see this? Is this "Best Practice"?

I will be awaiting your response. See you soon again!

Kind regards,
Alex

Vish Reddy {Revyz}
Community Leader
July 6, 2024

Hi @Alexandrina Esti 

Here is a good article on API security best practices - https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/


While the article is dated, it still should serve as a good reference.


Hope this helps.

0 votes
Daria Kulikova_GitProtect_io
Rising Star
July 2, 2024

Hello @Alexandrina Esti  and welcome to the Atlassian Community!

While API-triggered backups provide a flexible and automated approach to data protection, they still need a lot of attention from you and your team, as any mistake in setting up can lead to incomplete backup. That's why it's important to carefully plan and implement security measures, ensure proper configuration and maintenance, and monitor the backup processes, which may still be time consuming. 

As an option for backing up your data you can try backup tools. For example, with GitProtect backup and Disaster Recovery software for Jira, Bitbucket, GitLab, GitHub (and Confluence soon) you can get comprehensive protection of the data in one place: automated scheduled backups, full data coverage, multi-storage capacities to meet the 3-2-1 backup rule, compatibility with multiple storages (keep data locally or in the Cloud, or both), ransomware protection, AES encryption with your own encryption key, easy management and monitoring (Slack/email notifications, SLA, compliance and backup performance reports), and disaster recovery capabilities (point-in-time restore, granular recovery, restore to your local instance, restore to the same or a new account, etc.).

You can learn more about Jira backups on Atlassian Marketplace: https://marketplace.atlassian.com/apps/1228719/gitprotect-io-backups-for-jira-cloud?hosting=cloud&tab=overview 

Alexandrina Esti July 3, 2024

Sadly, this answer does sound more like marketing of a paid tool, than any actual solution.

Furthermore, it does not answer any of the technical questions raised in the post.

Alexandrina Esti July 3, 2024

@Daria Kulikova_GitProtect_io, I invite you kindly, to either edit your "answer" or remove it.

Deployment type: Cloud. Product plan: Free. Permissions level: Product Admin. Tags: AUG Leaders.
