Find groups used in Jira Cloud permission schemes with REST API and Python

Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.

Summary

Currently, Jira Cloud's user interface does not allow you to check whether a specific group is used in a permission scheme.

Jira Administrators can work around this limitation using Jira's REST API in combination with Python to find a specific group in Project permission schemes. 

This is a workaround for JRACLOUD-71967 (the Jira UI can't show whether a group is used in a permission scheme). The script is beyond Atlassian Support's scope — Support can't run or debug it.

Also note: permission schemes are not the only place groups are used — Global Permissions, Filter shares/subscriptions, Dashboard permissions, and more also reference groups.

Solution

Jira admins can make use of the following REST API endpoints:

Note

The script below is beyond the scope of Atlassian support. We do not officially support providing scripts or maintaining them as per our support offerings. Any request to assist with running or debugging this script is beyond Atlassian support scope.This is provided as a workaround for the original feature request. For any updates on the ticket, please follow here: JRACLOUD-71967.

By retrieving all data from these endpoints, we can compare granted permissions against a given group name. This determines whether a group has been granted permissions for any schemes on the Jira site.

Save the following Python code snippet as a file with .py extension.

Before you run it - prerequisites list

  • Jira Administrator access.

  • An API token for Basic auth.

  • Replace in the script: <group_name>, <jira_url> (https://<your_site>.atlassian.net), your email, and <api_token>.

  1. Replace the <group_name> with the one you are interested in searching for in permission schemes

  2. Replace <jira_url> with your site name

    1. For example, https://<your_site>.atlassian.net

  3. Replace email with your email ID

    1. Required permissions can be verified within the API endpoint documentation

  4. Replace <api_token> with your API token

    1. For instructions to generate a token, please refer to: Create API token

python script

import requests group_name = "m-users" jira_url = "https://<sitename>.atlassian.net" auth = ("email", "<api_token>") # Get all permission schemes permission_schemes_url = jira_url + "/rest/api/3/permissionscheme?expand=group" response = requests.get(permission_schemes_url, auth=auth) permission_schemes = response.json() # Iterate over all permission schemes for permission_scheme in permission_schemes["permissionSchemes"]: # Get all permissions for a permission scheme permission_url = jira_url + "/rest/api/3/permissionscheme/{}/permission?expand=group".format(permission_scheme["id"]) response = requests.get(permission_url, auth=auth) permissions = response.json() #print(permissions) # Check if the specific group is used in the permission scheme for permission in permissions["permissions"]: #try: if "group" in permission ["holder"]: if permission["holder"]["parameter"] == group_name: print("Permission scheme '{}' uses group '{}'".format(permission_scheme["name"], group_name)) break #except KeyError: # print("key error in permission")

Sample output is below. The Python script prints all permission schemes that use a particular group.

Output

% python3 group.py Permission scheme 'Copy of Default Permission Scheme' uses group 'MY_GROUP' Permission scheme 'Default Permission Scheme' uses group 'MY_GROUP'

Verification steps

  • The script prints each permission scheme that uses the group (e.g. "Permission scheme 'Default Permission Scheme' uses group 'MY_GROUP'").

  • If nothing prints, the group isn't granted in any permission scheme — remember to also check the other group-using objects listed above.

Updated on June 29, 2026

Still need help?

The Atlassian Community is here for you.