Unexpected 403/Permission Denied responses from Assets API

Using a Connect app with JWT authentication for api.atlassian.com, I have users who, according to their role assignments, should be able to retrieve Assets information from the API. Instead I am seeing some unexpected responses from the API with a 403 status and I cannot determine why this is happening.

All examples use requests to the following URLs:
https://api.atlassian.com/jsm/assets/workspace/{workspaceId}/v1/objectschema/list
https://api.atlassian.com/jsm/assets/workspace/{workspaceId}/v1/object/{objectId}

The object/{objectId} call requests an object in a particular schema whose role assignments are modified as explained in the examples below.

User 1 is behaving as expected based on role assignments. User 2 is not. Both users are the same type (standard user, no admin permissions).

Examples:

  1. User 1 without any role assignments within the schema settings:
    objectschema/list: Returns only the schemas which the user can access
    object/{objectId}: Returns 403 response code with error message “Sorry, you do not have permission to perform this action.”

  2. User 1 assigned to “Object schema users” in the “users” selection within the schema settings:
    objectschema/list: Returns only the schemas which the user can access, which now includes the schema they were given access to
    object/{objectId}: Returns 200 response code with data

  3. User 2 without any role assignments within the schema settings:
    objectschema/list: Returns 403 response code with error message “Forbidden”
    object/{objectId}: Returns 403 response code with error message “Forbidden”

  4. User 2 assigned to “Object schema users” in the “users” selection within the schema settings:
    objectschema/list: Returns 403 response code with error message “Forbidden”
    object/{objectId}: Returns 403 response code with error message “Forbidden”

Given the different error messages returned for the different users, it would seem that there is some other permission or setting associated with these requests that is preventing User 2 from retrieving details through the API, but I cannot determine what that might be.

Both users can see Assets from this schema when viewing Assets custom fields in work items, regardless of their schema role assignments. This problem appears to only impact API requests.

Tried refreshing the JWT?

I had an issue last week with the Marketplace API. It was returning a 502 gateway error (not a 403). API key was non-expired. All I did was use a new API key and it worked again.

This platform man :joy:

I wish it were that simple. The app generates a new JWT each time it first runs for a user’s request, and automatically refreshes the JWT as needed based on responses from the API. But in the interest of being thorough, I did just retry the requests from example 4 above, forcing the use of an invalid JWT (once with an invalid ‘aud’, once with an invalid ‘sub’, and once with a token that had expired). These all returned a 500 response code with the appropriate error message.


After involving Atlassian support, we have an answer to the problem. The user needs a JSM license to call the Assets API. This makes some sense but it’s also a little frustrating because the user can see the same information returned by the API, while browsing Jira without a JSM license. Oh well.
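A small diagnostic that runs the two probes from the examples above for one user and maps the pair of responses to the cause the thread identified (missing schema role vs. no JSM license vs. rejected token). This is an added example, not code from the original thread or from Atlassian; `fetch` is an assumed caller-supplied function returning `(status, message)`, and the sample responses are constructed from the messages reported in the thread.

```python
"""Classify Assets API denials using the response pattern observed in the thread."""
from typing import Callable, Tuple

Response = Tuple[int, str]  # (HTTP status, error message body)

ASSETS_BASE = "https://api.atlassian.com/jsm/assets/workspace/{workspaceId}/v1"

# Error messages exactly as reported in the thread.
MSG_SCHEMA_ROLE = "Sorry, you do not have permission to perform this action."
MSG_FORBIDDEN = "Forbidden"


def classify(schema_list: Response, obj: Response) -> str:
    """Map (objectschema/list, object/{objectId}) responses to a likely cause."""
    list_status, list_msg = schema_list
    obj_status, obj_msg = obj
    if list_status == 403 and list_msg == MSG_FORBIDDEN:
        # Even listing schemas is refused: a user-level block, which the thread
        # traced to the user lacking a JSM license.
        return "no_jsm_license"
    if list_status == 200 and obj_status == 403 and obj_msg == MSG_SCHEMA_ROLE:
        # Listing works but the object is refused: user is not in a schema role.
        return "missing_schema_role"
    if list_status == 200 and obj_status == 200:
        return "ok"
    if 500 in (list_status, obj_status):
        # The thread reports invalid/expired JWTs producing 500 responses.
        return "token_rejected"
    return "unknown"


def probe(workspace_id: str, object_id: str,
          fetch: Callable[[str], Response]) -> str:
    """Issue both requests for one user and return the classification."""
    base = ASSETS_BASE.format(workspaceId=workspace_id)
    schema_list = fetch(f"{base}/objectschema/list")
    obj = fetch(f"{base}/object/{object_id}")
    return classify(schema_list, obj)


def constructed_fetch_user2(url: str) -> Response:
    """Constructed stand-in for User 2 (example 4): every call returns 403 Forbidden."""
    return (403, MSG_FORBIDDEN)


if __name__ == "__main__":
    # Constructed workspace/object ids; a real run would pass an HTTP client here.
    print(probe("ws-placeholder", "obj-placeholder", constructed_fetch_user2))
```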