Workarounds

Note: API token configuration (Configuration using Email and API token supplied) has been deprecated and replaced with User impersonation. This reduces the need to store API tokens, whilst still allowing Workaround user requests to be made.

What is a workaround user?

Some Jira cloud API functionality is not accessible to cloud apps, or is restricted because a cloud app cannot be included in the site-admins role.

To work around this limitation, JEMHC requires a pre-existing Jira user with appropriate permissions, products and site access to be configured as a "workaround" user. JEMHC authenticates as this user to perform user lookup API requests that cannot be executed by the JEMHC app user.

In order to retain functionality, these requests are invoked as a chosen Jira user (known as asUser requests), instead of using the cloud app (often called asApp requests).

What data is stored for a workaround user?

When selecting a valid workaround user, the User accountId is saved.

When the workaround user is required to invoke a workaround API that the JEMHCloud app cannot request, an auth token for the workaround user is requested and stored on Atlassian servers.

Where are workaround user tokens stored?

Auth tokens for user impersonation are stored on Atlassian servers (Forge KVS). The selected User account ID is stored securely with the rest of your JEMHC configuration.

When is the token used?

The token is used for Jira API operations that require elevated access, such as the site-admins role, which the cloud app doesn’t have and cannot be granted. As a result, those APIs are not usable by cloud apps (for example: https://jira.atlassian.com/browse/JRACLOUD-97058).

The following features use Workarounds offline impersonation authentication when the JEMHCloud app is unable to make the request itself:

  • User search by email address

    • If the Workarounds > User Lookup > User Lookup Authentication Strategy configuration is set to Use Workaround configuration, user lookup is made as the workaround user.

  • User creation: if user auto-creation is configured, Jira users are created and added to the configured user groups.

Configuring a JEMHC Workaround User

Choosing an appropriate user

Choose a user that has admin privileges and has been allocated the Browse users and groups permission within Global Permissions. See https://thepluginpeople.atlassian.net/wiki/spaces/JEMHC/pages/3741450243/Workarounds#Allocating-the-global-BROWSE_USER-permission-(so-JEMHC-can-lookup-users-by-their-email-address) and https://thepluginpeople.atlassian.net/wiki/spaces/JEMHC/pages/3741450243/Workarounds#Allocating-the-global-ADMINISTER-permission-(so-JEMHC-can-create-users) for more information.

First, navigate to JEMHC > Workarounds > Admin Operations and use the User Picker to select the workaround user you wish to use.

Press ‘Save’ to confirm changes. If the validation is successful, the user will be saved.

An error is shown if the validation fails. This may be because the JEMHCloud app version is outdated (requiring a major version update), or because the selected user does not have the correct product access or permissions.

Allocating the global BROWSE_USER permission (so JEMHC can lookup users by their email address)

In order for the workaround user to be able to check if a user exists, they need to be allocated the Browse users and groups Global Permission. This is done within System > Security > Global Permissions. At the bottom of the screen there is a section to Grant Permission: pick Browse users and groups, and nominate a restricted membership group that your workaround user will be a member of.

Allocating the global ADMINISTER permission (so JEMHC can create users)

In order for JEMHC to be able to create users, the workaround user must hold the global ADMINISTER permission. Global Permissions are only allocated through groups:

  1. Navigate to System settings

  2. Check the “Administer Jira” permission groups. The workaround user must be, and remain, a member of one of these groups; otherwise user creation will fail at runtime.