Bitbucket Cloud: Team account permissions related to Connect apps

We have a permission issue in our Bitbucket Cloud app, using atlassian-connect-express.

So for freshly created Bitbucket Cloud workspaces with a normal admin account, everything works as expected, which means we can make authenticated calls with:

var httpClient = addon.httpClient(req);

"By default, these requests are authenticated as the add-on." (quoted from Bitbucket)

And the admin user account which installed the app in the workspace is used to make the calls.
So the “add-on” is the Admin account, which installed the app in the workspace.

But for "old" workspaces, the calls are not made in the context of the admin account which installed the app, but in the context of the Team account of the workspace.

But the problem is that this special user may not have the required permissions the app needs to make the API calls, and there is no way to grant permissions to it, as there is no associated email address. So it cannot be added to any workspace or repository anymore.

How can we fix that?
@WendyG or @aagrawal2, can you guide us?
Any help is welcome.

Best wishes
Markus - Mibex Software

1 Like

Side note:
In one such old workspace, the Team account had read permission to a repository.
So there it worked. But after this permission was removed, the Team account disappeared in the workspace user-directory and we found no way to re-add it afterwards.

Hi @MarkusSutterMibexSof,
you are correct in saying that the addon is represented by the account/workspace that it is installed into. As a result, if you, for example, post a comment on a pull request as the addon, the author of the comment will be the account into which the addon was installed.

However, the permissions associated with requests made by your addon are separate from the permissions that are associated with the account that represents the addon. Since the addon makes requests using JWT, Bitbucket will apply the appropriate addon permissions to those requests.

I hope this answers your question?

1 Like

Hi @JeroenDeRaedt

Thanks for your response.

To clarify that I understand correctly:
With "appropriate addon permissions" for requests made with JWT, you are referencing the scopes provided in the atlassian.connect.json of the add-on, right?

The thing is, the exact same app can access the workspace/members API in one workspace, but in an “old” workspace it can not access it.
So we thought it was related to this team account. But you are saying these requests are unrelated to the account used to make, e.g., a comment by the add-on.
What, then, can be the difference that makes it work in one workspace but not the other?

Hi @MarkusSutterMibexSof,
assuming that you installed the app in both your admin workspace and in your other team workspace it should just work (there should be no difference between regular workspaces, and team workspaces in this regard).
Are you getting an actual error when doing this? If so, could you share the exact request you are making and the error you are getting?

Thanks for your help.
We found that we were trying to catch a red herring, and the problem was not related to the workspace differences.
Thanks again for your clarifications, as it was not clear for us beforehand.