API tokens

The app initially lacks access to certain Jira Cloud API functionalities because it does not request the ADMIN app scope during installation. Rather than ask for this scope, the app instead offers the ability for a user API token to be securely stored and used when such functionality is needed.

When is the token used?

The token is used for API operations that require the ADMIN app scope grant (which the app doesn’t have):

user email
inbound email processing
- if user auto-creation is configured, to create Jira users and add them to user groups
- if customer auto-creation is configured, to create a portal customer
outbound notfications
- if user group notification is configured, to search for the members of a given group
- if a notification mapping script adds a user group recipient
- if JSM attachments are added in comments, used to retrieve comment attachment visibility (allowing exclusion of internal attachments for Customer/Email only notification recipients).

such as the ability to lookup user's by their email address (AC-1014). To workaround this limitation, JEMHC requires a pre-existing Jira user with appropriate permissions to be configured as a "workaround" user, JEMHC authenticates as this user to perform user lookup API requests that cannot be executed by the JEMHC app user.

Configuring a JEMHC Workaround User

To configure the Workaround User you will need the following information:

A Jira User that has admin privileges and has been allocated the Browse users and groups permission within Global Permissions. Steps to grant the Browse User and Groups permission are highlighted under the Allocating the Global BROWSE_USER permission heading.
The API token for that Jira User. Steps to generate the API token are highlighted under the How to Generate an API Token heading.

Once the above information has been gathered, you will then need to go to JEMHC > Workarounds > Admin Operations and enter the following information:

The Jira User’s E-Mail address or Username within the E-Mail/Username field.
The API Token that was generated for that Jira User within the API Token field.

Enterprise Mail Handler for Jira Cloud (JEMHC) > Workarounds > Screenshot from 2023-02-21 13-57-19.png

Allocating the Global BROWSE_USER permission (so JEMHC can lookup users by their email address)

In order for the Workaround user to be able to check if a user exists, they need to be allocated the Browse users and groups Global Permission. This is done within System > Security > Global Permissions, at the bottom of the screen there is a section to Grant Permission, pick the Browse users and groups, and nominate a restricted membership group, that your workaround user will be a member of:

Enterprise Mail Handler for Jira Cloud (JEMHC) > Workarounds > Grant_Browse_User.png

Allocating the Global ADMINISTER permission (so JEMHC can create users)

In order for JEMHC to be able to create users, the global ADMINISTER permission is required to be held by the workaround user. Global Permissions are only allocated through groups:

Navigate to System settings
Check the “Administer Jira” Permission groups, the workaround user must be and remain a member of this group to prevent runtime failure to create users.

How to Generate an API Token

API tokens last a year and then expire, you will need to redo this every year.

API Tokens are user specific, which means that if you change the Workaround User then you would need to generate a new API token for that user.

Login to https://id.atlassian.com/manage/api-tokens
Click API Tokens (May need to access Account Security Settings first)

Enterprise Mail Handler for Jira Cloud (JEMHC) > Workarounds > Access_Api_Token_page.png

Click Create API Token
A dialogue window will appear, enter a descriptive name for the API token in the Label field
Click Create
An API Token will be generated and will then appear, press Copy to copy the token