Manage Teamwork Graph CLI settings
Who can do this? |
You can control how people in your organization use the Teamwork Graph command-line (CLI) tool to access Atlassian data, and define what the CLI is allowed to do.
These settings don't install or remove Teamwork Graph CLI on anyone's device: they only govern how CLI access is permitted and under what rules.
How does Teamwork Graph CLI authentication work?
Access Teamwork Graph CLI settings
Go to Atlassian Administration. Select your organization if you have more than one. If you have access to only one site, it's selected automatically.
In the sidebar, select Rovo, then select Teamwork Graph CLI.
Configure permission scopes
Use write and delete access with caution
When write and delete access is enabled, users can create, edit, or delete objects in your Atlassian apps, such as Jira work items and Confluence pages, using the CLI.
Enable write and delete access only for the toolsets your organization genuinely needs.
Use permission scopes to control what the CLI can do across your connected apps and tools. This applies only to OAuth 2.1 and does not impact scoped tokens used for Bitbucket.
For each permission type (read, write, and delete), you can set the scope to:
Allow all: The CLI can use this permission with all current and future tools.
Allow selected: The CLI can use this permission with only the tools you choose.
Allow none: The CLI is blocked from using this permission with any tools.
To configure permission scopes:
Navigate to the Teamwork Graph CLI settings.
Under Permissions, find the permission type you want to configure.
In the Scope column, select Allow all, Allow selected, or Allow none.
For Allow selected, choose the individual tools to allow.
Repeat for any other permission types.
[保存] を選択します。
After you save, any new and existing CLI sessions must follow the updated permissions. Commands that don't match an allowed scope are blocked.
You’ll be notified if the scope is restricted or if your OAuth token doesn’t cover the request.
How Teamwork Graph CLI shows up in audit logs
TWG CLI actions are visible in Atlassian audit logs. Go to Atlassian Administration, then Insights, then Audit log.
The captured event details include the following fields:
Name of the command (for example,
jira workitem get)Family of the command (for example,
jira.workitem)Type of command (for example, read/write/delete)
Status code of the command call
Invocation source (user/agent)
Scopes used to make the command call
TWG CLI version used in the command call
Trace ID for debugging
Any command run by a user who's logged in will send an event to the audit log. Audit logs are organized in Atlassian Administration by the user’s org ID.
Logs can be filtered by:
Activity dropdown. Select Invoked TWG CLI command to view all Teamwork Graph CLI logs.
Command name (such as
jira workitem get)Actor, which will always be the user’s name, not an AI agent.
Each entry contains the full JSON event and associated event details.
IP allowlist behavior
The Teamwork Graph CLI respects all the IP allowlists configured for your organization.
この内容はお役に立ちましたか?