Workarounds

API tokens

The app initially lacks access to certain Jira Cloud API functionalities because it does not request the ADMIN app scope during installation. Rather than ask for this scope, the app instead offers the ability for a user API token to be securely stored and used when such functionality is needed.

When is the token used?

The token is used for Jira API operations that require the ADMIN app scope grant (which the app doesn’t have):

  • user search by email address

  • inbound email processing

    • if user auto-creation is configured, to create Jira users and add them to user groups

    • if customer auto-creation is configured, to create a portal customer

  • outbound notifications

    • if user group notification is configured, to search for the members of a given group

    • if a notification mapping script adds a user group recipient

    • if JSM attachments are added in comments, used to retrieve comment attachment visibility (allowing exclusion of internal attachments for Customer/Email only notification recipients).

Some Jira Cloud API functionality is not accessible to cloud apps, such as the ability to look up users by their email address (AC-1014). To work around this limitation, JEMHC requires a pre-existing Jira user with appropriate permissions to be configured as a "workaround" user. JEMHC authenticates as this user to perform user lookup API requests that cannot be executed by the JEMHC app user.

Configuring a JEMHC Workaround User

Choosing an appropriate user

You will want to use a user that has admin privileges and has been allocated the Browse users and groups permission within Global Permissions. See Workarounds | Allocating the global BROWSE_USER permission (so JEMHC can lookup users by thei... and Workarounds | Allocating the global ADMINISTER permission (so JEMHC can create users) for more information.

Generating an API token

API tokens can have a maximum lifetime of a year. Once they expire, you will need to create a new one. Tokens are user specific, which means that if you change the Workaround User then you would need to generate a new API token for that user.

  1. Log in to https://id.atlassian.com/manage/api-tokens

  2. Click API Tokens (you may need to access Account Security Settings first)

  3. Click Create API Token

  4. A dialogue window will appear. Enter a descriptive name for the API token in the Label field

  5. Click Create. An API token will be generated and displayed. Press Copy to copy the token

Add the token in JEMHC

Once the above information has been gathered, you will then need to go to JEMHC > Workarounds > Admin Operations and enter the following information:

  • The Jira user’s E-Mail address or Username within the E-Mail/Username field.

  • The API Token that was generated for that Jira user within the API Token field.

Allocating the global BROWSE_USER permission (so JEMHC can lookup users by their email address)

In order for the workaround user to be able to check whether a user exists, they need to be allocated the Browse users and groups Global Permission. This is done within System > Security > Global Permissions. At the bottom of the screen there is a section to Grant Permission: pick Browse users and groups, and nominate a restricted membership group that your workaround user will be a member of.

Allocating the global ADMINISTER permission (so JEMHC can create users)

In order for JEMHC to be able to create users, the global ADMINISTER permission is required to be held by the workaround user. Global Permissions are only allocated through groups:

  1. Navigate to System settings

  2. Check the “Administer Jira” Permission groups. The workaround user must be and remain a member of this group to prevent runtime failures when creating users.
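To confirm that the workaround user holds the two global permissions described above before saving the token in JEMHC, the following is an added example and not JEMHC's own code. It uses Jira Cloud's `GET /rest/api/3/mypermissions` endpoint with Basic authentication (email and API token). The function names, the sample response and the rule that ADMINISTER is only needed when user auto-creation is configured are assumptions made for this illustration.

```python
import base64
import json
import urllib.request

# Jira Cloud REST keys for the two global permissions this page allocates.
# USER_PICKER is the API key behind "Browse users and groups".
LOOKUP = "USER_PICKER"
CREATE = "ADMINISTER"


def build_request(site, email, api_token):
    """Build the mypermissions request, authenticating as the workaround user."""
    cred = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    url = f"https://{site}/rest/api/3/mypermissions?permissions={LOOKUP},{CREATE}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Basic {cred}", "Accept": "application/json"})


def audit(body, user_creation_enabled):
    """Compare the permissions held with what the enabled features need.

    Assumption for this example: ADMINISTER is needed only when user
    auto-creation is configured; user lookup always needs USER_PICKER.
    """
    held = {k for k, v in body.get("permissions", {}).items()
            if v.get("havePermission")}
    needed = {LOOKUP} | ({CREATE} if user_creation_enabled else set())
    return {"missing": sorted(needed - held), "unused": sorted(held - needed)}


def check_live(site, email, api_token, user_creation_enabled):
    """Run the check against a real site (needs network access)."""
    req = build_request(site, email, api_token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit(json.load(resp), user_creation_enabled)


# Constructed sample response: lookup permission granted, ADMINISTER not.
SAMPLE = {"permissions": {
    "USER_PICKER": {"key": "USER_PICKER", "type": "GLOBAL", "havePermission": True},
    "ADMINISTER": {"key": "ADMINISTER", "type": "GLOBAL", "havePermission": False},
}}

if __name__ == "__main__":
    print(audit(SAMPLE, user_creation_enabled=True))
    print(audit(SAMPLE, user_creation_enabled=False))
```

A non-empty `missing` list means the corresponding JEMHC feature will fail at runtime; a non-empty `unused` list shows a permission the stored token carries that no configured feature relies on.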

 
