Distinguish between administrator and user consent

Every app user needs the permission to “use” and “install” the app. How do we separate those?

- storage:app
- write:jira-work
- read:jira-work

- manage:jira-configuration
- manage:jira-project

We want that only the administrator has to give his consent to the “installation” permissions and the user only refers to the “use” permissions.

Our forge app requires permission to add an IssueType on behalf of the user. This is only necessary during the installation process. After that, and most importantly for any other user, this permission is not required. However, each user must give their consent before using the app. That would be fine if it only affected the permissions required to actually “use” the application, not “install” it.

I find it odd that all users must have the same permission, even if the installation is out of context for most users.

I’m pretty sure I’m missing something here. Can someone enlighten me?

***** UPDATE
I’m not entirely sure, but my latest test tells me: it looks like the “normal” user is giving consent to permissions he doesn’t have. This is quite confusing. A user who is not able to manage Jira configurations sees from his perspective that he should give just such permissions:

  • manage:jira-configuration
  • manage:jira-project

But that doesn’t mean anything. As long as the app doesn’t call anything that the user doesn’t have permissions for, there’s no problem, I think. Can anyone confirm this?


Hey @Neylo,

It’s not possible to separate permissions like this. With regards to your update, through the .asUser methods users of your app are allowing you to call APIs on their behalf. A user granting you manage:jira-project only allows your app to manage Jira projects they themselves have permissions to manage (which may be no projects).

Keep in mind this only applies to .asUser which is why it is safer to use than .asApp (which can result in privilege escalation).

Thanks for your reply.