Privileged user API token removal

Summary of changes

The existing Privileged user functionality uses an API token to make requests that a Space admin cannot normally perform. For example, ‘create group’ requests cannot be made when logged in as a Space admin, so the API token is used on behalf of the logged-in user. (See Privileged user configuration for more information.)

To increase security, we are removing the ability to perform Privileged user requests using an API token. A new, more secure user impersonation functionality is being added to continue support for these requests. Once configured, the new user impersonation will replace the old API token behaviour.

The existing API token behaviour will continue to work up until Monday 8th December 2025.

After this date, customers who have not yet re-configured will no longer be able to perform Space admin operations requiring the privileged user.

Am I affected?

All CSUMCloud customers are required to migrate from privileged user API credentials to the new user impersonation configuration.

During CSUMCloud setup, a privileged user email and API token were required to perform certain requests when creating groups or altering group membership. Now, the user picker will store the Atlassian user account ID used to perform user impersonation requests on behalf of the chosen user.

Note: Existing configuration storing an Email and API token cannot be migrated. You will still need to re-configure a new user to save the privileged user account ID.

How to Migrate?

Please navigate to the System Admin configuration (see System Admin Documentation | Accessing CSUM App Configuration).

On the privileged user page, you will see new alert banners regarding the privileged user.

Alongside this, there will be a new user picker field.

Begin searching for your privileged user and select an account that has the relevant Site admin permissions, as per: https://thepluginpeople.atlassian.net/wiki/x/AQBNAQE

Once selected, the user will be validated and their account ID will be stored. After this step, requests will be made using offline user impersonation, using the account ID of the selected user. The historic Email/API token combination will be removed.

How will I know I have completed migration?

After selecting a user that has the correct permissions, the validation will remove the “privileged user” banner alerts.

What happens if I don’t migrate?

After the Monday 8th December 2025 removal date, any usages of the old API token privileged user configuration will no longer be supported.

Customers who have not yet selected a new user in the privileged user picker will need to do so by following the new privileged user configuration documentation (see Privileged user configuration).

Space Admin configuration of groups and users cannot be performed until this is re-configured (see Privileged User Permissions | What happens if the Privileged User lacks the relevant permissions?).

If you have any queries or issues during the upgrade process, you can reach out to us through our support channels, or email support@thepluginpeople.com.