Hi @AndrewViteri ,
Thanks for the additional questions.
Here are some responses based on my understanding of how the API works and the obligations of apps, but note that I have raised an internal issue, ONECLOUD-2335: As an app developer, I need a detailed understanding of business rules relevant to the personal data reporting API in order to ensure my app is compliant, to update the User privacy guide for app developers updated with more formal guidance.
Is the above a requirement? In other words, does the implementation have to use the same user to report accounts every time?
No, it’s not a requirement that a single account is chosen for reporting on all other accounts.
Does it need to always use a single user and report in bulk? For example: 10 users grant authorization, for each user, a request is made on behalf of said user only reporting the account ID of said user. Is that an acceptable use case of the API?
No, an app can choose any pattern for reporting PD usage. For instance, an app can cycle through all it’s account storage records and report separately. The app can choose to make the call as the user being reported or it can choose to make the call on behalf of another user such as one that the app knows has a valid OAuth grant/consent in place.
And here’s another couple of questions that stem from the previous question:
How do I handle a 401 Unauthorized response from the user privacy API?
If a 401 Unauthorized response occurred after making an OAuth 2.0 based API call, then it could be because the user being impersonated has revoked their grant. If this occurs, the app has two choices;- (a) delete the personal data it is recording for the account that the OAuth call was made on behalf of, or (B) try to make the call on behalf of a different account ID and ensure you include the account ID that the first call was made on behalf of, but note that this request could also fail so the app would most likely need to limit the amount of retries.
How do I handle repeated error responses from the user privacy API?
Your app should track when accounts were last successfully reported. If it receives errors that are believed to be Atlassian’s fault, report the issue ASAP. If the app has been unable to successfully report account usage for more than the required reporting period, the app should take remedial action which would probably involve deleting the relevant personal data.
Hopefully this provides clarification and as mentioned above, the User privacy guide for app developers will updated with more formal answers when ONECLOUD-2335 is addressed.