Jira Cloud REST API provides the endpoint for fetching group members:
However, it requires the “Administer Jira global permission”. We would like to fetch group members, by making a request as a plugin, but we want to avoid setting the admin scope permissions for our plugin because of security concerns.
Is there any way to get group members, specifically without the need for admin permissions?
Hi @MichaTkacz ,
EDIT (8-Sep-2022): I’m not sure this solution works as I believe the ADMIN scope is still required.
I assume your use of the term plugin refers to a Connect app you have developed.
Instead of adding the ADMIN scope to your app, you could add the ACT_AS_USER scope and make a user impersonated API call from your app’s backend. Obviously you’d need to know that the user you’re impersonating has admin permissions, so you may be able to employ the user_is_admin condition so that the relevant functionality is only available to admins.
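
The user-impersonated call suggested in the answer above, as an added example that is not part of the original posts or of Atlassian's code: a Node.js backend builds the signed JWT assertion that a Connect app holding the ACT_AS_USER scope exchanges for a token acting as one user. The claim layout and token endpoint are assumed from Atlassian's Connect user-impersonation (OAuth 2.0 JWT bearer) flow; the function names and all credential values are hypothetical, and the example does not settle whether the group-member endpoint still needs the ADMIN scope.

```javascript
// Added example (not from the original thread). Requires Node.js 16+.
const crypto = require('crypto');

// Assumption: Atlassian's authorization server for Connect user impersonation.
const AUTH_SERVER = 'https://oauth-2-authorization-server.services.atlassian.com';

const b64url = (text) => Buffer.from(text).toString('base64url');

// Build the HS256-signed assertion. oauthClientId, sharedSecret and baseUrl are
// the values the app stored from its "installed" lifecycle callback.
function buildImpersonationAssertion(install, accountId, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const claims = {
    iss: `urn:atlassian:connect:clientKey:${install.oauthClientId}`,
    sub: `urn:atlassian:connect:useraccountid:${accountId}`, // user to act as
    tnt: install.baseUrl,                                    // tenant (site) URL
    aud: AUTH_SERVER,
    iat: now,
    exp: now + 60, // keep the assertion short-lived
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto
    .createHmac('sha256', install.sharedSecret)
    .update(signingInput)
    .digest('base64url');
  return `${signingInput}.${signature}`;
}

// Describe the token exchange request; send it with any HTTP client.
// Request only the scopes the call needs: the token is further limited by the
// impersonated user's own permissions.
function buildTokenRequest(assertion, scopes = ['READ']) {
  return {
    url: `${AUTH_SERVER}/oauth2/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      assertion,
      scope: scopes.join(' '),
    }).toString(),
  };
}
```

The access token returned by the exchange goes in an `Authorization: Bearer` header on the REST call, which then runs with the impersonated user's permissions.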