I’m trying to understand when the ACT_AS_USER scope is actually needed. Take creating issues for example:
According to the documentation, only the WRITE scope is required for Connect apps. Without user impersonation, on whose behalf is the issue created? Would it be the Connect app itself? And if that is correct, I would assume that in order to create/update/delete any entity on a specific user’s behalf, we would have to leverage the ACT_AS_USER scope- is that also correct?
AFAIK, answer to both your questions is YES.
Your app can do various operations, based on the permissions it has. So if you have the WRITE permission you will be able to create an issue.
Now, if some user that has no permissions to create issues (in certain projects for example) uses your app, then that user will create issues there and in Issue’s it will state that it was your app that created it. Sounds like “kind of workaround” for Jira permissions system.
If you use ACT_AS_USER, Jira api will check all required permissions and will block operations (like issue creation) if specific user has no rights to perform them.
From the other hands, there can be operations (for example this one) that your app requires ACT_AS_USER to perform them.
More info here: User impersonation for Connect apps (atlassian.com)