Service accounts can't fetch issues with JQL if the "Browse Project" permissions are restricted at Project level

      Issue Summary

      Service accounts can't fetch issues with JQL if the "Browse Project" permissions are restricted at Project level

      Steps to Reproduce

      1. Install Jira version 11.1.x or later.
        1. Create a service account under Jira administration > User management > Service accounts: https://confluence.atlassian.com/enterprise/how-service-accounts-work-in-data-center-1627556033.html
        2. Grant it READ and READ ALL access and proceed to the next step.
        3. Jira provides a client ID and client secret.
        4. Now generate an access token as described in this documentation: https://confluence.atlassian.com/enterprise/create-a-service-account-via-rest-api-1627556048.html
          curl --location '<Jira-base-Url>/rest/oauth2/latest/token' \
            --header 'Content-Type: application/x-www-form-urlencoded' \
            --data-urlencode 'client_id=f176c824a3066350feb93c64c8aba36' \
            --data-urlencode 'client_secret=0161221f65043e572bc7107be3dd765022e61353b2be115977965b8d9596fb2' \
            --data-urlencode 'grant_type=client_credentials' \
            --data-urlencode 'scope=READ'
          

          Sample output:

          {"access_token":"eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImEyYmRmZDZjYjM5ODZkMWNhYmJlNTZlYTUxMYzBiIn0.MpTiP4E-bx9BXVnzv0Hfzk-6-GQqAn0hg_4GXmFlzsY","token_type":"bearer","expires_in":3600,"scope":"READ"}%                                                                                                                                                   
          
          
      2. Now restrict the "Browse Project" permission to a specific group only, and remove the "Browse Projects" permission granted to "Application access (any logged-in user)".
      3. Use the OAuth access token to run a JQL query like the one below:
        curl -s -H "Authorization: Bearer eyJhbGciOiJIUzIiJ9.eyJpZCI6ImEyYmRmZDZjYjM5ODZkMWNhYmJlNTZlYTUxMGQyYzBiIn0.MpTiPE-bx9BXVnzv0Hfzk-6-GQqAn0hg_4GXmFlzsY" \
          -H "Accept: application/json" \
          "<Jira-base-URL>/rest/api/2/search?jql=project%20%3D%20KANBAN"
        
      Concerns
      • This effectively requires us to grant browse access to all users for the project.
      • We can’t add the service account to any project role/permission because it isn’t a licensed user.

      Expected Results

      Because the service account is not tied to any user or user account, and it is not possible to grant permissions specifically to these accounts, the JQL should work without issues.

      Actual Results

      It returns no issues, and the output looks like this:

      {"expand":null,"startAt":0,"maxResults":50,"total":0,"maxResultWindow":null,"issues":[],"warningMessages":null,"names":null,"schema":null}%
      
      

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
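
The two requests from the steps above as a repeatable check, added here as an example and not part of the original report or Atlassian's code; the function names and the JIRA_BASE_URL, JIRA_CLIENT_ID and JIRA_CLIENT_SECRET environment variables are assumptions. It reads the client secret from the environment instead of the command line and labels the empty result, which arrives with no warning and so has the same shape as a search that matches nothing.

```python
import json
import os
import urllib.parse
import urllib.request

def search_url(base_url, jql):
    """Build the /rest/api/2/search URL with the JQL percent-encoded."""
    query = urllib.parse.urlencode({"jql": jql}, quote_via=urllib.parse.quote)
    return base_url.rstrip("/") + "/rest/api/2/search?" + query

def classify(token_resp, search_resp):
    """Label the outcome of the reproduction from the two JSON bodies."""
    if "access_token" not in token_resp:
        return "token-request-failed"
    if "READ" not in token_resp.get("scope", "").split():
        return "token-missing-read-scope"
    if search_resp.get("total") == 0 and not search_resp.get("issues"):
        # The body has the same shape as a search that matches nothing, so
        # only the presence or absence of warningMessages can be reported.
        return "empty-with-warning" if search_resp.get("warningMessages") else "empty-no-warning"
    return "issues-visible"

def _fetch(url, form=None, headers=None):
    """POST the form when given, otherwise GET; return the parsed JSON body."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def reproduce(base_url, client_id, client_secret, jql):
    """Run both requests from the steps above against a live instance."""
    token = _fetch(base_url.rstrip("/") + "/rest/oauth2/latest/token",
                   form={"client_id": client_id, "client_secret": client_secret,
                         "grant_type": "client_credentials", "scope": "READ"})
    search = _fetch(search_url(base_url, jql),
                    headers={"Authorization": "Bearer " + token["access_token"],
                             "Accept": "application/json"})
    return classify(token, search)

# Constructed samples shaped like the outputs quoted in this report.
SAMPLE_TOKEN = {"access_token": "<token>", "token_type": "bearer",
                "expires_in": 3600, "scope": "READ"}
SAMPLE_SEARCH = json.loads('{"expand":null,"startAt":0,"maxResults":50,"total":0,'
                           '"issues":[],"warningMessages":null}')

if __name__ == "__main__":
    print("sample:", classify(SAMPLE_TOKEN, SAMPLE_SEARCH))
    if "JIRA_BASE_URL" in os.environ:  # assumed variable names; secrets stay out of argv
        print("live:", reproduce(os.environ["JIRA_BASE_URL"], os.environ["JIRA_CLIENT_ID"],
                                 os.environ["JIRA_CLIENT_SECRET"], "project = KANBAN"))
```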

              Assignee:
              Steve Watson
              Reporter:
              Devisree Gedda
              Votes:
              0
              Watchers:
              3