How do I tell if a given user is a Jira administator from app backend?

In the context of an app backend I’d like to confirm that a given Jira user is an administrator (has SYSTEM_ADMIN permission) with a minimum of required app scopes .

  • GET /rest/api/2/mypermissions
    This would allow to list all permissions the current user have but requires “ACT_AS_USER” scope to query for an arbitrary user (I’m not interested of permissions of the app user).
    Problem: Requires ACT_AS_USER that I don’t need for any other purpose
  • GET /rest/api/2/user
    I’m able to get a list of groups that the user belongs to but translating it to a list of permissions is not possible AFAIK, eg. GET /rest/api/2/group requires ADMIN scope, is deprecated and doesn’t return permissions.
    Problem: Determines Jira groups but not permissions.

Any ideas for a solution?
Thanks for any hints

You can call the ‘My Permissions’ REST API end-point.

GET /rest/api/2/mypermissions

The authentication context that you supply for that call should be that of the user whose permissions you want returned.

For more details, see the Jira Cloud REST API specification.

1 Like

@david.pinn, do you suggest that it is possible to cal /mypermissions from the server-side of the connect app, which does not have ACT_AS_USER scope, and get permissions for the selected user?

Here is a proper request in Jira: https://ecosystem.atlassian.net/browse/ACJIRA-1857
and similar thread in community: Permission check when handling webhook

No, but that call will tell you what permissions the current user is entitled to exercise.

1 Like

I’m not sure if I agree with this request:

Admin user (and Connect apps with “ADMIN” scope) should be able to check users’ permission.

because I would like to not increase scope of my app by “ADMIN”. I need equivalent of httpClient.asUserByAccountId(req.context.userAccountId).get("/rest/api/3/mypermissions?permissions=ADMINISTER", ... for an app with just “READ” in scope. This is used in a regular REST endpoint of my app.

@kkercz can you shed some light on the solution which is currently in progress? :slight_smile:

I personally don’t care if it is READ or ADMIN.

My whole effort here (including creating the ticket with Atlassian) is to make it possible as currently it requires ACT_AS_USER which we don’t want to introduce (because we don’t want to act as user).

Jira UI allows administrators to check permission of other users, hence the idea of enabling the API check to ADMIN scope.

I hope you agree this time @Grzegorz

Cheers,
Jack

That issue is only about making the API in question work with custom app permissions. We won’t be changing the scopes required to call it or anything else of that sort.