Find groups used in Jira Cloud permission schemes with REST API and Python
Platform Notice: Cloud Only - This article only applies to Atlassian products on the cloud platform.
Summary
Currently, Jira Cloud's user interface does not allow you to check whether a specific group is used in a permission scheme. Please refer to feature request JRACLOUD-71967 for more details.
Jira Administrators can work around this limitation using Jira's REST API in combination with Python to find a specific group in Project permission schemes.
This is not the only place that groups might be used within Jira. Other objects include Global Permissions, Filter shares, Filter subscriptions, Dashboard permissions, and more.
Solution
Jira admins can make use of the following REST API endpoints:
Get all permissions schemes: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permission-schemes/#api-rest-api-3-permissionscheme-get
Get permission scheme grant: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permission-schemes/#api-rest-api-3-permissionscheme-schemeid-permission-get
Note
The script below is beyond the scope of Atlassian support. We do not officially support providing scripts or maintaining them as per our support offerings. Any request to assist with running or debugging this script is beyond Atlassian support scope.This is provided as a workaround for the original feature request. For any updates on the ticket, please follow here: JRACLOUD-71967.
By retrieving all data from these endpoints, we can compare granted permissions against a given group name. This determines if a group was granted any permissions for any schemes in the Jira site.
Save the following Python code snippet as a file with .py extension.
Replace the <group_name> with the one you are interested in searching for in permission schemes
Replace <jira_url> with your site name
For example,
https://<your_site>.atlassian.net
Replace email with your email ID
Required permissions can be verified within the API endpoint documentation
Replace <api_token> with your API token
For instructions to generate a token, please refer to: Create API token
python script
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
import requests
group_name = "m-users"
jira_url = "https://<sitename>.atlassian.net"
auth = ("email", "<api_token>")
# Get all permission schemes
permission_schemes_url = jira_url + "/rest/api/3/permissionscheme?expand=group"
response = requests.get(permission_schemes_url, auth=auth)
permission_schemes = response.json()
# Iterate over all permission schemes
for permission_scheme in permission_schemes["permissionSchemes"]:
# Get all permissions for a permission scheme
permission_url = jira_url + "/rest/api/3/permissionscheme/{}/permission?expand=group".format(permission_scheme["id"])
response = requests.get(permission_url, auth=auth)
permissions = response.json()
#print(permissions)
# Check if the specific group is used in the permission scheme
for permission in permissions["permissions"]:
#try:
if "group" in permission ["holder"]:
if permission["holder"]["parameter"] == group_name:
print("Permission scheme '{}' uses group '{}'".format(permission_scheme["name"], group_name))
break
#except KeyError:
# print("key error in permission")
Sample output is below. The Python script prints all the permission schemes where a particular group is used.
Output
1
2
3
% python3 group.py
Permission scheme 'Copy of Default Permission Scheme' uses group 'MY_GROUP'
Permission scheme 'Default Permission Scheme' uses group 'MY_GROUP'Was this helpful?