To improve the security guarantees of the Get User REST API endpoint in Jira Cloud, this endpoint now requires the calling user to hold the Browse Users and Groups global permission in order to receive results. We are updating the API to enforce this requirement.
What does this mean for apps?
If your app calls the endpoint using User Impersonation, the impersonated user must hold the Browse Users and Groups permission to access this endpoint going forward.
```bash
# Get User request as shown in the announcement; the base URL and API token
# are placeholders to be replaced with your site and the caller's credentials.
curl --request GET \
  --url 'https://<your-domain>.atlassian.net/rest/api/2/user?accountId=5b10ac8d82e05b22cc7d4ef5' \
  --user 'email@example.com:<api_token>' \
  --header 'Accept: application/json'
```
When the impersonated user lacks the permission, the request now fails with a 403 Forbidden response status code.
This means that if your app relies on this endpoint and some of your users do not have the Browse Users and Groups permission, those users may notice a change in how your app behaves. Ask them to request that their administrator grants their user Browse Users and Groups access under Jira global permissions.
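The following is an added example, not Atlassian's code, of how an app that impersonates users can call Get User and turn the new 403 into an actionable message for the end user. The base URL, the `send` transport hook, the result keys and the hint wording are assumptions; only the endpoint path, the `accountId` parameter and the 403 behaviour come from the announcement.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Remediation text the app can surface to the user; the wording is ours.
BROWSE_USERS_HINT = (
    "Get User returned 403: the impersonated user lacks the 'Browse users "
    "and groups' global permission. Ask a Jira administrator to grant it."
)


def classify_get_user_response(status, body):
    """Map a Get User HTTP status to an app-level outcome.

    Returns a dict with 'ok' and either the parsed 'user' or a 'reason'
    (plus a 'hint' for the permission case so the UI can explain it).
    """
    if status == 200:
        return {"ok": True, "user": json.loads(body) if body else {}}
    if status == 403:
        return {"ok": False, "reason": "missing_browse_users_permission",
                "hint": BROWSE_USERS_HINT}
    if status == 401:
        return {"ok": False, "reason": "unauthenticated"}
    if status == 404:
        return {"ok": False, "reason": "user_not_found"}
    return {"ok": False, "reason": f"http_{status}"}


def _default_send(request):
    """Perform the request with urllib; non-2xx statuses are returned, not raised."""
    try:
        with urlopen(request) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def get_user(base_url, account_id, auth_header, send=_default_send):
    """GET /rest/api/2/user?accountId=... and classify the result.

    base_url is the site URL (placeholder form: https://<your-domain>.atlassian.net);
    auth_header is the Authorization header value the app obtained for the
    impersonated user. 'send' is an injectable transport used by tests.
    """
    url = f"{base_url}/rest/api/2/user?{urlencode({'accountId': account_id})}"
    req = Request(url, headers={"Accept": "application/json",
                                "Authorization": auth_header})
    status, body = send(req)
    return classify_get_user_response(status, body)
```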
If your Connect app calls the endpoint as the Application User, the app continues to require the READ scope, as is currently the case, and you will see no difference in how your app functions.
This change is now available to everyone who has signed up for the Jira Cloud Vendor First Release Group.
If you would like to see these changes on your instance first, before they roll out to customer instances, make sure you are enrolled in the Jira Cloud Vendor First Release Group; you can sign up here.