I have an Atlassian App that fetches issues and comments for each project. My goal is to retrieve the emails of users who have access to each project.
Implementation Steps
After reviewing the documentation and various forum answers, I’ve outlined the following steps:
Fetch All Users
Using the endpoint GET /rest/api/2/users/search, create a dictionary mapping accountId to emailAddress.
Fetch All Groups
Utilize the endpoint GET /rest/api/2/groups/picker to retrieve all groups.
For each group, fetch its members via GET /rest/api/2/group/member.
Create a dictionary mapping groupId to a list of users.
Fetch All Roles
Access roles using GET /rest/api/2/role.
For roles with actors, perform the following logic:
If the actor type is atlassian-user-role-actor, search for the user in the dictionary from step 1.
If the actor type is atlassian-group-role-actor, search for the group in the dictionary from step 2.
Result: a dictionary with role names as keys and lists of emails as values.
Fetch All Projects
Retrieve projects using GET /rest/api/2/project/search.
Fetch Roles Of Each Project
Use GET /rest/api/2/project/{project_key}/role to fetch roles for each project.
Fetch Each Role Of a Project
For each role obtained in step 5, fetch its details.
Apply the logic from step 3 to create a mapping between each project name and a list of emails.
Issues
Missing Email Addresses
Many users fetched do not include emailAddress. It appears that permission to access emails via API is required. Confirmation is needed regarding access to emails, especially if restricted to admin and user configuration.
Inconsistency in API Results
There is inconsistency between the API results obtained in step 6 and the actual access observed within the Jira app. Some users have access to all projects within the app but do not appear in the API results. Is there another API endpoint to check for a different type of permission?
Your assistance in resolving these issues would be greatly appreciated.
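The six steps above, as an added Python example (not code from the original post or from Atlassian). The HTTP layer is a plain callable so the resolution logic can run offline against constructed sample responses; for a live site, replace `sample_fetch` with a function that performs an authenticated GET against the same paths. Response shapes (a bare list from users/search, `{"values": [...], "isLast": ...}` from group/member and project/search, `{"RoleName": "<url ending in /role/<id>>"}` from project/{key}/role, and `actors[]` entries with `actorUser` / `actorGroup`) are assumed from the public REST v2 documentation, and the account IDs and e-mail addresses are made up:

```python
"""Project -> role -> e-mail resolution along the thread's six steps.

Added example, not from the original post. `fetch(path, params)` returns
parsed JSON; the sample at the bottom is constructed data so the code
runs offline. Response shapes are assumptions from the REST v2 docs.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterator, List, Set, Tuple

Fetch = Callable[[str, dict], object]  # (path, query params) -> parsed JSON

USER_ACTOR = "atlassian-user-role-actor"
GROUP_ACTOR = "atlassian-group-role-actor"


def paged(fetch: Fetch, path: str, params: dict, page_size: int = 50) -> Iterator[dict]:
    """Walk a startAt/maxResults endpoint; accepts a bare list or {"values": [...]}."""
    start = 0
    while True:
        body = fetch(path, {**params, "startAt": start, "maxResults": page_size})
        items: List[dict] = body["values"] if isinstance(body, dict) else body
        yield from items
        is_last = body.get("isLast", False) if isinstance(body, dict) else False
        if is_last or len(items) < page_size:
            return
        start += len(items)


def fetch_users(fetch: Fetch) -> Dict[str, dict]:
    """Step 1: accountId -> user record. emailAddress is absent unless the user
    made it public or the app holds the e-mail scope (the thread's first issue)."""
    return {u["accountId"]: u for u in paged(fetch, "/rest/api/2/users/search", {})}


def fetch_groups(fetch: Fetch) -> Dict[str, List[str]]:
    """Step 2: groupId -> member accountIds."""
    groups = fetch("/rest/api/2/groups/picker", {})["groups"]
    return {
        g["groupId"]: [m["accountId"] for m in paged(fetch, "/rest/api/2/group/member", {"groupId": g["groupId"]})]
        for g in groups
    }


def actors_to_account_ids(actors: List[dict], groups: Dict[str, List[str]]) -> Set[str]:
    """Step 3 logic: expand role actors to account IDs, following group membership."""
    ids: Set[str] = set()
    for actor in actors:
        if actor["type"] == USER_ACTOR:
            ids.add(actor["actorUser"]["accountId"])
        elif actor["type"] == GROUP_ACTOR:
            ids.update(groups.get(actor["actorGroup"]["groupId"], []))
    return ids


def project_role_members(fetch: Fetch, users: Dict[str, dict], groups: Dict[str, List[str]]
                         ) -> Tuple[Dict[str, Dict[str, Set[str]]], Dict[str, Set[str]]]:
    """Steps 4-6: project key -> {role name: {emails}}, plus, per project, the
    account IDs that are in a role but whose e-mail the API withheld."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    hidden: Dict[str, Set[str]] = defaultdict(set)
    for project in paged(fetch, "/rest/api/2/project/search", {}):
        key = project["key"]
        result[key] = {}
        role_urls: Dict[str, str] = fetch(f"/rest/api/2/project/{key}/role", {})
        for role_name, url in role_urls.items():
            role_id = url.rsplit("/", 1)[1]  # the URL ends in /role/<id>
            role = fetch(f"/rest/api/2/project/{key}/role/{role_id}", {})
            emails: Set[str] = set()
            for account_id in actors_to_account_ids(role.get("actors", []), groups):
                email = users.get(account_id, {}).get("emailAddress")
                (emails.add(email) if email else hidden[key].add(account_id))
            result[key][role_name] = emails
    return result, dict(hidden)


# --- constructed sample responses (made-up IDs and addresses) ---------------
_BASE = "https://example.atlassian.net"
SAMPLE = {
    "/rest/api/2/users/search": [
        {"accountId": "acc-ada", "displayName": "Ada", "emailAddress": "ada@example.com"},
        {"accountId": "acc-bob", "displayName": "Bob"},  # e-mail hidden by profile setting
        {"accountId": "acc-cy", "displayName": "Cy", "emailAddress": "cy@example.com"},
    ],
    "/rest/api/2/groups/picker": {"groups": [{"name": "jira-software-users", "groupId": "g-1"}]},
    "/rest/api/2/group/member?groupId=g-1": {"values": [{"accountId": "acc-bob"}, {"accountId": "acc-cy"}], "isLast": True},
    "/rest/api/2/project/search": {"values": [{"key": "SEC", "id": "10000"}], "isLast": True},
    "/rest/api/2/project/SEC/role": {"Administrators": f"{_BASE}/rest/api/2/project/10000/role/10002",
                                     "Developers": f"{_BASE}/rest/api/2/project/10000/role/10001"},
    "/rest/api/2/project/SEC/role/10002": {"name": "Administrators",
                                           "actors": [{"type": USER_ACTOR, "actorUser": {"accountId": "acc-ada"}}]},
    "/rest/api/2/project/SEC/role/10001": {"name": "Developers",
                                           "actors": [{"type": GROUP_ACTOR, "actorGroup": {"name": "jira-software-users", "groupId": "g-1"}}]},
}


def sample_fetch(path: str, params: dict) -> object:
    """Offline stand-in for an authenticated GET; paging params are ignored."""
    return SAMPLE[path + (f"?groupId={params['groupId']}" if "groupId" in params else "")]


def run_sample() -> Tuple[Dict[str, Dict[str, Set[str]]], Dict[str, Set[str]]]:
    users = fetch_users(sample_fetch)
    groups = fetch_groups(sample_fetch)
    return project_role_members(sample_fetch, users, groups)


if __name__ == "__main__":
    members, hidden = run_sample()
    print(members)  # {'SEC': {'Administrators': {'ada@example.com'}, 'Developers': {'cy@example.com'}}}
    print(hidden)   # {'SEC': {'acc-bob'}}
```

Note that Bob is a Developer on SEC but is reported under `hidden`, not under an e-mail: silently dropping users with no `emailAddress` is how a "who can see this project" report ends up incomplete even before the permission-scheme issue in the thread is considered.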
If that is your goal, then you need to start with the following assumptions:
You cannot get the email addresses of users via Jira’s REST APIs unless those users have consented to make their email address public via their profile settings. This has been expected behaviour since GDPR compliance in 2018.
If you want to use Jira’s REST API to get the email addresses of users without their consent, you will need to apply to Atlassian for your app to be given authority to use the Get user email endpoint, as stated in that endpoint’s documentation.
If you want to get a user’s email address without their consent and without getting special approval by Atlassian for your app, you must use the Atlassian Cloud Admin APIs.
This entire topic has been covered many times before. Refer to prior threads, such as this one, or just Google ‘jira cloud rest api user email’ and read the articles.
I’ll apply to Atlassian to be able to retrieve the email addresses.
Do you know if the logic described above, used to fetch users for each project, utilized the correct endpoint? I have a user with access to all projects, but they don’t appear in the actors array as expected in the response of the mentioned role here:
Firstly, you don’t say how that user currently has access to all those projects, what exactly you mean by ‘access’ or the method you used to determine either of these. Next, you say that the user is not in the list of roles for one particular project that would, in your opinion, provide that ‘access’, but you make no mention of whether or not that user is a member of a group which has permission to act in that project role. Lastly, you haven’t described any methods you have used to validate what the user’s actual permissions are versus what the API is telling you.
IMHO, it sounds like you have some pre-conceived ideas as to how a user’s specific permissions are determined per project but have under-estimated the full complexity of how permissions can be applied. As a result, you are mistakenly assuming the API results are wrong, but in fact they are right, and you are making the classic error of trying to make the results fit the model.
These are just the start of the many hurdles you are going to encounter and will need to investigate and resolve yourself if you really decide to build this gigantic ‘top down’ dictionary / array of all users, in all their different groups, in all their different individual or group roles, in all the different projects.
Hi @sunnyape thanks for your detailed answer.
Maybe I wasn’t clear in my previous statements, so I’ll provide some more details for clarity.
I don’t assume that the API results are incorrect. Rather, I suspect that the approach I took to extract the users who can access each Jira project might not be correct.
By “access,” I mean being able to see the issues and comments within each Jira project.
The approach that I understood is to fetch all the roles that exist for the Jira product as I mentioned here:
For each project, I fetched the roles as I mentioned here:
I’ve noticed something peculiar with project roles in Jira and I could use some clarification.
It seems that the result of each project role includes users who are explicitly added to Jira’s project access configuration, alongside the general role set by the permission schema.
However, I’ve encountered Jira projects where no users are included in the final result. Yet, strangely enough, when I log in with different users, I can still access these projects, even though they supposedly don’t include any users in the results.
I understand that Jira’s permission system can be quite complex, and I’d really appreciate some guidance on best practices for understanding project read permissions for issues and comments in each Jira project.
I’d love to hear how you would approach this task. Any tips or insights would be greatly appreciated!
Yep. Some access permissions within the project can be applied directly per user, outside of groups and roles permissions. Also, a user can have global permissions to access all projects or groups of projects. Wait until you then add Issue level permissions to the mix… any user can have access to a single Issue only.
Are you starting to see just how much complexity you are faced with?
I’d love to hear how you would approach this task. Any tips or insights would be greatly appreciated
Well, it really comes down to… what are you expecting to achieve by essentially reinventing the proverbial wheel and replicating Jira’s entire user permissions schema in another database? It’s a huge undertaking and the resulting relational dataset will need constant updating. What are you intending to do with this dataset that you can’t achieve using the existing GUI based permission inspection and reporting tools?
I’ve only had the use case of being asked to provide information about the permissions of a particular user or small group of users (i.e. for user account true-up activities, organisational audit or security audit related matters), so I have only needed to query from the user ‘up’ via the Get bulk permissions endpoint, rather than the project level ‘down’ as you are trying, so can’t advise beyond that.
Maybe someone else in this Dev Community has previously tried what you’re attempting and can give a better overview of how to approach it?
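The user-‘up’ check the previous reply recommends, as an added Python example (not code from the thread or from Atlassian). It asks the Get bulk permissions endpoint which projects a given account can browse and then reconciles that with a role-derived member list of the kind the original poster built, surfacing exactly the case described above: a user Jira lets into a project who appears in none of its project roles (direct permission-scheme grant, global permission, and so on). The request/response shape (`accountId` plus `projectPermissions` in the POST body, and a `projectPermissions[].projects` list in the reply), the 1000-project cap per call, and the rule that checking another user requires Administer Jira are assumptions taken from the public documentation; the sample data is constructed:

```python
"""Reconcile a 'top down' role-derived member list with Jira's own answer
from POST /rest/api/2/permissions/check (Get bulk permissions).

Added example, not from the thread. `post(path, body)` returns parsed JSON;
`sample_post` is an offline stand-in with constructed data. Request and
response shapes and the per-call cap are assumptions from the REST docs.
"""
from typing import Callable, Dict, Iterable, List, Set

Post = Callable[[str, dict], dict]  # (path, JSON body) -> parsed JSON
BROWSE = "BROWSE_PROJECTS"
MAX_PROJECTS_PER_CALL = 1000  # assumed documented cap on the projects list


def bulk_browse_check(post: Post, account_id: str, project_ids: Iterable[int],
                      chunk: int = MAX_PROJECTS_PER_CALL) -> Set[int]:
    """Project IDs (from project_ids) in which account_id holds BROWSE_PROJECTS.

    Checking an account other than the caller's needs Administer Jira;
    omitting accountId would silently check the calling user instead.
    """
    ids: List[int] = list(project_ids)
    allowed: Set[int] = set()
    for i in range(0, len(ids), chunk):
        body = {
            "accountId": account_id,
            "projectPermissions": [{"permissions": [BROWSE], "projects": ids[i:i + chunk]}],
        }
        resp = post("/rest/api/2/permissions/check", body)
        for entry in resp.get("projectPermissions", []):
            if entry.get("permission") == BROWSE:
                allowed.update(entry.get("projects", []))
    return allowed


def reconcile(post: Post, role_members: Dict[int, Set[str]],
              account_ids: Iterable[str]) -> Dict[int, Set[str]]:
    """For each project ID, the accounts Jira lets browse it that the
    role-derived list (project ID -> account IDs) does not contain."""
    missing: Dict[int, Set[str]] = {}
    for account_id in account_ids:
        for pid in bulk_browse_check(post, account_id, role_members.keys()):
            if account_id not in role_members[pid]:
                missing.setdefault(pid, set()).add(account_id)
    return missing


# --- constructed sample: what Jira would answer per account -----------------
SAMPLE_BROWSE: Dict[str, List[int]] = {
    "acc-ada": [10000, 10001],
    "acc-bob": [10000, 10001],  # e.g. granted via a permission scheme, not a role
    "acc-cy": [10001],
}
# Role-derived view of the same two projects, as the thread's steps would produce it.
SAMPLE_ROLE_MEMBERS: Dict[int, Set[str]] = {10000: {"acc-ada"}, 10001: {"acc-ada", "acc-cy"}}


def sample_post(path: str, body: dict) -> dict:
    """Offline stand-in for an authenticated POST."""
    assert path == "/rest/api/2/permissions/check"
    asked = body["projectPermissions"][0]["projects"]
    can = [p for p in SAMPLE_BROWSE.get(body["accountId"], []) if p in asked]
    return {"projectPermissions": [{"permission": BROWSE, "projects": can, "issues": []}]}


def run_sample() -> Dict[int, Set[str]]:
    return reconcile(sample_post, SAMPLE_ROLE_MEMBERS, SAMPLE_BROWSE.keys())


if __name__ == "__main__":
    print(run_sample())  # {10000: {'acc-bob'}, 10001: {'acc-bob'}}
```

The reconciliation only tells you that the role-derived model is incomplete, not why; the cause (direct grant in the permission scheme, a global permission, project-level security) still has to be read from the project's permission scheme, which is the complexity the reply above is pointing at.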