Guide on explaining how Automation administration permissions work

Summary

Automation for Jira gives possibilities to Jira global administrators to restrict project administrators' powers so they can manage automation rules only on projects they are supposed to. Furthermore, there are options to further restrict rule administration for project administrators who are members of specific groups. There is an official documentation article explaining introductions of permissions, but this article focuses deeper on the differences between permission levels.

This article explains the differences in Automation rules administration scope for global and specific project administrators and addresses known issues related to this topic.

Solution

Global administrators

Global administrator is a user who has the "Jira Administrators" global permission (System Administration > System > Security > Global Permissions page).

Global administrators can do the following related to Automation:

• Manage global and project rules. This includes new rules and rules created from templates.

• Change global Automation configuration

• Restrict project administrators on managing (creating, editing) project rules (and if they need to be members of specific groups)

• Other actions: review audit log, copy rules, view performance insights, manage secret keys

Project administrators

Project administrator is a user who has permission to administer the project: the user is a member of the project role that has "Administer Projects" permission (Project settings > Permissions page).

Project administrators can do the following related to Automation:

• Manage (create, edit) rules where they have permission to do so (granted by Global administrators). This includes new rules and rules created from templates.

• View rules (read-only access) on their projects where they don't have permissions to create and edit rules

• Other actions: review audit log, copy rules, view performance insights, manage secret keys.

Note that users who are project administrators without being global administrators will not be able to change the scope of automation rules. Only Global Administrators will be given the option to change the scope of an automation rule, as it needs to be done via the Global Automation Configuration. As a result:

• If a Project Administrator configures a rule from the Project Administration page, there will be no link allowing the user to change the rule scope:

• However, if a Global Administrator configures a rule from the Project Administration page, the link "Scope can only be modified in the global administration" will be shown in the UI:

Restricting project administrators on managing project rules

Global administrators can empower project administrators to manage Automation rules. This can be done in the following way - Log in as a Jira Admin >> System >> Automation Rules >> Click on the three dots "..."next to Create rule button:

• All project administrators can manage rules for projects they are administrators on:

• Only project administrators who are members of selected groups can manage rules for projects they are administrators on.

  • For example, only administrators who are members of "a4j" group can manage rules:

Known issues

Getting spinning wheel and "403 Forbidden" error when trying to create rules from template

Under specific circumstances, global or project admins may run into "spinning wheel" situation when they are trying to create a rule from templates:

This can happen under the circumstances described below. The following diagram shows which permissions are checked and when user has or has not proper permission (derived from source code):

Jira administrators / Jira System administrators cannot create rules from template

Jira administrators / Jira System administrators cannot create rules from template if "Allow project administrators to manage project rules" is unchecked. This is tracked on this bug ticket: JIRAAUTOSERVER-1008 -

They can create new project rules though (only not from templates).

Project administrators do not have expected permissions required to manage project Automation rules

Project administrators do not have expected permissions required to manage project Automation rules. One of the following can apply:

• Project administrator is in a project role that does not have "Administer project" permission assigned

  • Solution: make sure that project role designated for project administrator has "Administer project" permission assigned on Project settings > Permissions page.

• Project administrator is not a member of any selected group on the Automation global configuration page

  • Solution: make sure the project administrator is a member of at least one selected group on the Automation global configuration page (see section "Restricting project administrators on managing project rules")

There is a bug ticket, raised to address proper messaging instead of getting spinning wheel while trying to create rules from templates: JIRAAUTOSERVER-1011

Providing data to Support

If you are still experiencing a problem related Automation permissions, and if this article did not help you solve it, please reach out to Atlassian Support via this link.

To help the Atlassian support team investigate the issue faster, you can follow the steps below and attach all the collected data to the support ticket raised with Atlassian:

• Log in to Jira as a Jira administrator, then open the following link in another browser tab:

  https://BASE_URL/rest/cb-automation/1/configuration/property . Copy the resulting content to the support ticket.

• Collect and upload the following screenshots:

  • Screenshot of project settings > Permissions page, "Administer projects" permission

  • Screenshot of project settings > Users and roles page

  • Screenshot of Automation global configuration (Jira system settings > Automation rules > ... > Global configuration)

• Generate a new Support zip and upload it to the ticket