Boards not visible for my addon system user

Hi, I have made an addon with the following scopes:

"scopes": [
    "ADMIN",
    "ACT_AS_USER"
  ]

I have a problem with a user who has boards that are restricted to only be visible for users from a certain Group, and therefore my addon can't see the boards, I am guessing because the addon system user is not part of the group…

Is this intended behavior? Is there anything I can do to fix it?

Have you tried adding the ADD scope to see if the board shows up?

https://developer.atlassian.com/cloud/jira/platform/scopes/

Yes.

https://developer.atlassian.com/cloud/jira/platform/security-overview/

Combining static and run-time authorization
The set of actions that an app is capable of performing is the intersection of the static scopes and the permissions of the user assigned to the request. This means that requests can be rejected because the assigned user lacks the required permissions. Therefore, your app should always defensively detect HTTP 403 forbidden responses from the product.

You can either make the request as the user (either through the UI or use the ACT_AS_USER mechanism) and if the current user should have access to it - you’d get the data. You might be able to up your scope to ADMIN and potentially get it. If you go that route (and it works) - consider the impact on your marketplace listing.
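The rule quoted above, as an added example that is not part of the original thread or Atlassian's code: a simplified Python model in which a request succeeds only when both the app's static scopes and the request user's group membership allow it. The scope ordering, the board and user names, and the 403 returned for a restricted board are assumptions made for illustration.

```python
# Simplified model of "static scopes ∩ run-time user permissions"; not Jira's implementation.
from dataclasses import dataclass

# Assumption: Connect scopes are hierarchical, each one implying those listed before it.
SCOPE_ORDER = ["READ", "WRITE", "DELETE", "PROJECT_ADMIN", "ADMIN"]

@dataclass(frozen=True)
class Board:
    name: str
    restricted_to: frozenset = frozenset()  # empty set = visible to every user

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()

def scope_allows(app_scopes, required):
    """Static check: does any declared scope imply the required one?"""
    need = SCOPE_ORDER.index(required)
    return any(s in SCOPE_ORDER and SCOPE_ORDER.index(s) >= need for s in app_scopes)

def user_can_see(user, board):
    """Run-time check: a restricted board needs membership in one of its groups."""
    return not board.restricted_to or bool(user.groups & board.restricted_to)

def get_board(app_scopes, request_user, board, required="READ"):
    """Return an HTTP-like status; both checks must pass (the intersection)."""
    if scope_allows(app_scopes, required) and user_can_see(request_user, board):
        return 200
    return 403

def sync(app_scopes, request_user, boards):
    """Sync what is readable and record 403s instead of aborting the whole run."""
    synced, skipped = [], []
    for board in boards:
        ok = get_board(app_scopes, request_user, board) == 200
        (synced if ok else skipped).append(board.name)
    return synced, skipped

# Constructed sample data mirroring the situation in this thread.
BOARDS = [Board("Public board"), Board("Finance board", frozenset({"finance"}))]
APP_USER = User("addon-system-user")            # member of no group
ALICE = User("alice", frozenset({"finance"}))   # a user the app could "act as"
SCOPES = ["ADMIN", "ACT_AS_USER"]

if __name__ == "__main__":
    print("as app user:", sync(SCOPES, APP_USER, BOARDS))
    print("acting as alice:", sync(SCOPES, ALICE, BOARDS))
```

In this model the ADMIN scope never widens what the app user can see; only changing the user assigned to the request does, and the skipped list is what a sync job would surface to the customer.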

Do you mean the WRITE scope?
I was under the impression that that was “included” in the ADMIN scope.
I just tried to add it, but unfortunately it didn’t help :confused:

The add-on just runs a continuous synchronization between Jira and another PM tool, so I don't have a specific user to “act as”.

I am trying to get the boards via an API call authenticated with a JWT token made from the client key and secret from the add-on installation handshake.

The add-on already has the ADMIN scope.

One way around this is to get the end users to “opt in” that you can sync the boards they’re seeing. Then you can use the “act as” feature to become those users and get their boards.

Otherwise - you should just call out to the customers that you’re just syncing the boards that your application user can see (they can add the user to groups).

My first thought was also to just have them add the system user to the group, but unfortunately that doesn’t seem to be possible.

Whenever I try to add the system user to a group I get the following error: System users product access cannot be removed