Write permissions not working with Forge and JSM Assets Import

Hi, I’m currently developing a Forge app that uses the jiraServiceManagement:assetsImportType and I’m experiencing some permission problems.

Steps to reproduce

Here’s what I did step-by-step:

  1. Run forge create → select UI Kit 2 → select Jira Service Management → select jira-service-management-assets-import-type
  2. Add permission scopes write:cmdb-type:jira, read:cmdb-schema:jira and write:cmdb-schema:jira to manifest.yml → this is for testing purposes only but in the end, our app needs at least permissions to add Object Types to a schema.
  3. Similarly, I’m adding api.atlassian.com as an external backend to the manifest.yml. The permissions look like this now:
```yaml
permissions:
  scopes:
    - import:import-configuration:cmdb
    - read:servicedesk-request
    - read:cmdb-type:jira
    - write:cmdb-type:jira
    - read:cmdb-schema:jira
    - write:cmdb-schema:jira
  external:
    fetch:
      backend:
        - 'api.atlassian.com'
```
  1. Extend the importStatus function from src/resolvers/index.js with the following code to test reading and writing schemas and object types:
```js
import api, { route } from '@forge/api';

export const importStatus = async (context) => {
  // list schemas with read:cmdb-schema:jira permission
  console.log(`listing all schemas`);
  const schemaResponse = await api.asApp().requestJira(route`/jsm/assets/workspace/${context.workspaceId}/v1/objectschema/list`, {
    method: 'GET',
  });
  const schemas = await schemaResponse.json();
  console.log(JSON.stringify(schemas));

  // create new schema with write:cmdb-schema:jira permission
  console.log(`creating new schema`);
  const objectSchema = {
    "name": "My Schema",
    "objectSchemaKey": "TEST",
    "description": "The IT department schema"
  };
  const objectSchemaCreateResponse = await api.asApp().requestJira(route`/jsm/assets/workspace/${context.workspaceId}/v1/objectschema/create`, {
    method: 'POST',
    body: JSON.stringify(objectSchema),
    // Accept and Content-Type belong inside `headers`, not at the top level of the options object
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  });
  const objectSchemaCreateResult = await objectSchemaCreateResponse.json();
  console.log(JSON.stringify(objectSchemaCreateResult));

  // create new object type with write:cmdb-type:jira permission
  console.log(`creating new object type for schema=${context.schemaId}`);
  const objectType = {
    "name": "TestObject",
    "description": "<string>",
    "iconId": "13",
    "objectSchemaId": context.schemaId, // the schema where our app is configured as an import type
  };
  const objectTypeCreateResponse = await api.asApp().requestJira(route`/jsm/assets/workspace/${context.workspaceId}/v1/objecttype/create`, {
    method: 'POST',
    body: JSON.stringify(objectType),
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
  });
  const objectTypeResult = await objectTypeCreateResponse.json();
  console.log(JSON.stringify(objectTypeResult));

  // return status
};
```

Again, I’m just extending this importStatus function because it’s the easiest one to trigger and I just want to verify if my use case works.
4. After adjusting the code, I run forge deploy and forge install.
5. I create a new schema in “Assets”, open the schema, go to “schema configuration”, select “import” tab and configure my app as an import source.
6. Finally, I need to allow access to my app and reload the page to trigger the importStatus function.

Results

Unfortunately, if I check the logs in the Forge Developer Console, the 3 calls had the following results:

  1. ✅ GET /v1/objectschema/list works with read:cmdb-schema:jira permission
  2. ❌ POST /v1/objectschema/create fails with write:cmdb-schema:jira permission with the error:

Sorry, you do not have permission to perform this action. PermissionInsightException: User ‘id’ didn’t have correct permission (admin).

  3. ❌ POST /v1/objecttype/create fails with write:cmdb-type:jira permission with the error:

Sorry, you do not have permission to perform this action. PermissionInsightException: User ‘id’ didn’t have correct permission (modify) for object schema: ‘schema-id’

Note: schema-id relates to the schema that I have created in step 5.

Help?

I don’t really understand why this is not working properly as the docs are pretty clear for using Assets scopes (at the bottom of the linked page). Does anyone have any idea why this is not working? I’m using the newest Forge CLI version of course 😉

1 Like
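
To tell the two denials in the results above apart in logs, this added example (not part of the original post, and not Forge or Atlassian code) parses the quoted PermissionInsightException text into a structured record and groups failed calls by the Assets permission that was missing. The function names and sample entries are constructed; only the message wording comes from the post.

```javascript
// Added example. Message wording is taken from the two errors quoted in the post;
// the envelope Assets wraps the message in is not assumed, so we search raw text.

// Logs copied from a browser often carry typographic quotes, so accept both kinds.
const Q = `['\u2018\u2019]`;
const NOT_Q = `[^'\u2018\u2019]*`;
const DENIAL = new RegExp(
  `PermissionInsightException: User ${Q}(${NOT_Q})${Q} didn${Q}t have correct permission ` +
  `\\((\\w+)\\)(?: for object schema: ${Q}(${NOT_Q})${Q})?`
);

// Returns { principal, permission, schemaId } or null if the text is not such a denial.
// schemaId is null when the message names no schema (the "admin" case in the post).
function parseAssetsDenial(text) {
  const m = DENIAL.exec(String(text));
  if (!m) return null;
  const [, principal, permission, schemaId] = m;
  return { principal, permission, schemaId: schemaId ?? null };
}

// Groups failed calls by (permission, schema) so each missing Assets permission
// shows up once, with the calls it blocked.
function summarizeDenials(entries) {
  const groups = new Map();
  for (const { call, body } of entries) {
    const denial = parseAssetsDenial(body);
    if (!denial) continue; // success, or an unrelated error
    const key = `${denial.permission}@${denial.schemaId ?? '-'}`;
    if (!groups.has(key)) groups.set(key, { ...denial, calls: [] });
    groups.get(key).calls.push(call);
  }
  return [...groups.values()];
}

// Constructed sample: the three calls from the post. 'id' and 'schema-id' are the
// post's own placeholders; the first body is a constructed stand-in for a success.
const SAMPLE = [
  { call: 'GET /v1/objectschema/list', body: '{}' },
  { call: 'POST /v1/objectschema/create',
    body: 'Sorry, you do not have permission to perform this action. PermissionInsightException: User \u2018id\u2019 didn\u2019t have correct permission (admin).' },
  { call: 'POST /v1/objecttype/create',
    body: "Sorry, you do not have permission to perform this action. PermissionInsightException: User 'id' didn't have correct permission (modify) for object schema: 'schema-id'" },
];

console.log(JSON.stringify(summarizeDenials(SAMPLE), null, 2));
```

Both denials come from Assets' own permission check (admin, modify), which is separate from the write:cmdb-* scopes declared in the manifest.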

It seems there’s another way to at least create my own object types by leveraging the /v1/importsource/{importId}/mapping endpoint. This endpoint expects a schema + mapping definition and creates the object types. However, since this API endpoint creates the object types in the schema where the import is defined, it won’t work if an object type with the same name already exists (compare this discussion with EXTERNAL_ID_MISMATCH error).

That disappoints me a bit as I expected an app can provide a pre-defined schema to users so that a user does not need to set up a huge schema himself. With the limitations described above, it means a user has to create an empty schema first, then configure an import source by selecting our app, and then our app can “fill” the schema and define a mapping. It would be a much better experience in my opinion if a (Forge) app can create a schema (+ set up import settings) upon app installation and a user just needs to configure some details, e.g. provide connection details to the app.

1 Like