Fetching group members without admin permissions

Hello,

Jira Cloud REST API provides the endpoint for fetching group members:
https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-groups/#api-rest-api-3-group-member-get
However, it requires the “Administer Jira” global permission. We would like to fetch group members by making a request as a plugin, but we want to avoid setting the admin scope permissions for our plugin because of security concerns.

Is there any way to get group members, specifically without the need for admin permissions?

Best regards,
Michał
SolDevelo Team


Hi @MichaTkacz ,

EDIT (8-Sep-2022): I’m not sure this solution works as I believe the ADMIN scope is still required.

I assume your use of the term plugin refers to a Connect app you have developed.

Instead of adding the ADMIN scope to your app, you could add the ACT_AS_USER scope and make a user impersonated API call from your app’s backend. Obviously you’d need to know that the user you’re impersonating has admin permissions, so you may be able to employ the user_is_admin condition so that the relevant functionality is only available to admins.

Regards,
Dugald
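
The backend half of the impersonation suggestion in the reply above, as an added example that is not code from either poster or from Atlassian: it builds the short-lived JWT assertion a Connect app with the ACT_AS_USER scope exchanges for a user-scoped token. The claim layout and authorization-server URL are assumed from Atlassian's Connect user impersonation documentation; the client id, shared secret, site URL and account id are constructed placeholders. Per the EDIT note in the reply, the group member endpoint may still require the ADMIN scope.

```javascript
const crypto = require('crypto');

// Assumed from Atlassian's Connect user impersonation documentation.
const AUTH_SERVER = 'https://oauth-2-authorization-server.services.atlassian.com';

const b64url = (text) => Buffer.from(text).toString('base64url');

// Build the HS256 assertion that names the user to impersonate.
// `install` holds values the app stored from its "installed" lifecycle callback.
function buildImpersonationAssertion(install, accountId, nowSec) {
  if (!accountId) throw new Error('accountId of the user to impersonate is required');
  const header = { alg: 'HS256', typ: 'JWT' };
  const claims = {
    iss: `urn:atlassian:connect:clientid:${install.oauthClientId}`,
    sub: `urn:atlassian:connect:useraccountid:${accountId}`,
    tnt: install.baseUrl,   // the tenant (site) the token is valid for
    aud: AUTH_SERVER,
    iat: nowSec,
    exp: nowSec + 60,       // keep the assertion short-lived
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.createHmac('sha256', install.sharedSecret)
    .update(signingInput).digest('base64url');
  return `${signingInput}.${signature}`;
}

// Describe the token-exchange request without sending it (runs offline).
function buildTokenRequest(assertion) {
  return {
    url: `${AUTH_SERVER}/oauth2/token`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({
      grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
      assertion,
    }).toString(),
  };
}

// Helper for inspecting what was signed.
function decodeClaims(jwt) {
  return JSON.parse(Buffer.from(jwt.split('.')[1], 'base64url').toString('utf8'));
}

// Constructed placeholder values, not real credentials.
const sampleInstall = { oauthClientId: 'example-client-id',
  sharedSecret: 'example-shared-secret', baseUrl: 'https://example.atlassian.net' };
const sampleJwt = buildImpersonationAssertion(sampleInstall, 'example-account-id', 1700000000);
console.log(decodeClaims(sampleJwt), buildTokenRequest(sampleJwt).url);
```

The account id passed in should come from a request the app has already authenticated and confirmed as an admin's, since the resulting token acts with that user's permissions.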