Find groups used in Jira Cloud permission schemes with REST API and Python
Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.
Summary
Currently, Jira Cloud's user interface does not allow you to check whether a specific group is used in a permission scheme.
Jira Administrators can work around this limitation using Jira's REST API in combination with Python to find a specific group in Project permission schemes.
This is a workaround for JRACLOUD-71967 (the Jira UI can't show whether a group is used in a permission scheme). The script is beyond Atlassian Support's scope — Support can't run or debug it.
Also note: permission schemes are not the only place groups are used — Global Permissions, Filter shares/subscriptions, Dashboard permissions, and more also reference groups.
Solution
Jira admins can make use of the following REST API endpoints:
Get all permissions schemes: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permission-schemes/#api-rest-api-3-permissionscheme-get
Get permission scheme grant: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-permission-schemes/#api-rest-api-3-permissionscheme-schemeid-permission-get
Note
The script below is beyond the scope of Atlassian support. We do not officially support providing scripts or maintaining them as per our support offerings. Any request to assist with running or debugging this script is beyond Atlassian support scope.This is provided as a workaround for the original feature request. For any updates on the ticket, please follow here: JRACLOUD-71967.
By retrieving all data from these endpoints, we can compare granted permissions against a given group name. This determines whether a group has been granted permissions for any schemes on the Jira site.
Save the following Python code snippet as a file with .py extension.
Before you run it - prerequisites list
Jira Administrator access.
An API token for Basic auth.
Replace in the script:
<group_name>,<jira_url>(https://<your_site>.atlassian.net), your email, and<api_token>.
Replace the <group_name> with the one you are interested in searching for in permission schemes
Replace <jira_url> with your site name
For example,
https://<your_site>.atlassian.net
Replace email with your email ID
Required permissions can be verified within the API endpoint documentation
Replace <api_token> with your API token
For instructions to generate a token, please refer to: Create API token
python script
import requests
group_name = "m-users"
jira_url = "https://<sitename>.atlassian.net"
auth = ("email", "<api_token>")
# Get all permission schemes
permission_schemes_url = jira_url + "/rest/api/3/permissionscheme?expand=group"
response = requests.get(permission_schemes_url, auth=auth)
permission_schemes = response.json()
# Iterate over all permission schemes
for permission_scheme in permission_schemes["permissionSchemes"]:
# Get all permissions for a permission scheme
permission_url = jira_url + "/rest/api/3/permissionscheme/{}/permission?expand=group".format(permission_scheme["id"])
response = requests.get(permission_url, auth=auth)
permissions = response.json()
#print(permissions)
# Check if the specific group is used in the permission scheme
for permission in permissions["permissions"]:
#try:
if "group" in permission ["holder"]:
if permission["holder"]["parameter"] == group_name:
print("Permission scheme '{}' uses group '{}'".format(permission_scheme["name"], group_name))
break
#except KeyError:
# print("key error in permission")
Sample output is below. The Python script prints all permission schemes that use a particular group.
Output
% python3 group.py
Permission scheme 'Copy of Default Permission Scheme' uses group 'MY_GROUP'
Permission scheme 'Default Permission Scheme' uses group 'MY_GROUP'Verification steps
The script prints each permission scheme that uses the group (e.g. "Permission scheme 'Default Permission Scheme' uses group 'MY_GROUP'").
If nothing prints, the group isn't granted in any permission scheme — remember to also check the other group-using objects listed above.
Was this helpful?