Jira Cloud app
When installing the app on Jira Cloud, it will ask for five authorizations
1. Read & Write Data
These are basic permissions for every app. The app creates tickets, add comments, add properties etc.
2. Delete Data
Some modifications require delete permissions.
3. Act on a user's behalf
This permission allows the app to impersonate the user. This is necessary when fetching issue information from the system. It easily allows to respect issue & project permissions, by having Jira taking care of it. In addition, when an issue is created, the author should be the user itself, not the app - impersonation makes this possible.
4. Administer the host application, Administer Jira projects
This general administrative permission is required for some specific checks and to read some central configurations. At this point we do not modify any admin settings.
5. View email addresses
At many occasions the app matches the Jira user with the Microsoft account. This requires the email address of the Jira users that requires an additional permission.
Jira Datacenter
Jira Datacenter does not know the concept of scopes. The app always has full access.
Additionally, the app requires an OAuth1.0a login for each user that grants the same permissions as the user.
Microsoft Graph
Delegated Permissions
Delegated permissions for Microsoft graph are granted, when a single user logs themselves in from Jira with their own account. The app will not request all permissions at once, but only the ones necessary for the feature.
E.g. when working with Microsoft Teams, it will request chat & channel specific permissions. When using the meetings feature, it will request calendar specific permissions.
General
Sign in and read user profile (User.Read, profile)
Basic permission to be able to log the user in.
Maintain access to data you have given it access to (offline_access)
This permission is required, so the user does not need to login again every day.
Read all users' basic profiles (User.ReadBasic.All)
This permission is required to look up users in AzureAD. This is necessary to provide user lookups (e.g. @-mentions) from Jira.
Read all user mailbox settings (MailboxSettings.Read)
Used to get Microsoft-related settings like timezones, working hours etc.
Teams
Read and write user chat messages (Chat.ReadWrite)
This permission is used to view and post new chat messages from Jira.
Read the names and descriptions of channels (Channel.ReadBasic.All)
This permission is used to show a list of the users own (Microsoft Teams) channels in Jira.
Read the names and descriptions of teams(Team.ReadBasic.All)
This permission is used (in combination with the one above) to determine the teams and channels of the user, to allow them to be picked.
Send channel messages (ChannelMessage.Send)
This permission is used to send (MS Teams) channel messages on behalf of the user from Jira.
Read all app catalogs (AppCatalog.Read.All)
Used to determine the app id of the app within the AppCatalog. (Is always different for the JSM customer app)
Manage Teams apps for all chats (TeamsAppInstallation.ReadWriteForChat)
Automatically adding the Teams bot to the chat to have access to features like (bot) notifications.
Create tabs in Microsoft Teams (TeamsTab.Create)
Used to create a tab for the Jira issue in a Teams chat.
Emails
Read and write user and shared mail (Mail.ReadWrite.Shared)
Used to receive/get and display emails for the user and shared mailboxes.
Send mail on behalf of others (Mail.Send.Shared)
Used to send emails for the user and shared mailboxes the user has access to.
Calendar & meetings
Read and write calendars in all mailboxes (Calendars.ReadWrite)
This permission is used to display calendars and to add events.
Read and write user and shared calendars (Calendars.ReadWrite.Shared)
Depending on the use case, the app might also need access to shared calendars.
Read and create user's online meetings (OnlineMeetings.ReadWrite)
Allows us to create MS Teams join-url's and dial-in data for created meetings.
Optional scope for Calendar & meetings
Read all company places (Place.Read.All)
Allows to read company places (conference rooms and room lists) for calendar events.
Optional scopes for Calendar
Read and write all groups (Group.ReadWrite.All) optional calendar
Allows read all group properties and memberships.
Get a list of all teams (Team.ReadBasic.All) optional calendar
To Do
Create, read, update, and delete user's tasks and task lists (Tasks.ReadWrite)
Used for the To Do sync (Jira <> To Do).
RSC permissions
The Teams app permissions are granted when installing the bot/app in Microsoft Teams.
Even though the list below looks fairly long, most of the permissions are quite basic and the same for all apps that include a bot.
Please note, that permissions like “Read messages in a Team” only apply to the team the app/bot is installed in. Therefore, you have a team with confidential data you don’t want to expose to Jira, the app won’t have access, even if it’s installed in other teams.
Receive messages and data that I provide to it
Basic bot permission. If you @-mention the bot, we will receive this message.
Send me messages and notifications
Basic bot permission. Allows the bot to send messages to a user (currently only the welcome message).
Access my profile information such as my name, email address, company name, and preferred language
Basic bot permission. Used to send personalized messages (e.g. Hi <first name>)
Receive messages and data that team members provide to it in a channel
Basic bot permission. If you @-mention the bot in a channel, we will receive that message.
Send messages and notifications in a channel
Basic bot permission. Allows the bot to proactively post in a channel.
Access this team's information such as team name, channel list and roster (including team member's names and email addresses) - and use this to contact them
Allows the bot to check team/channel membership of users. We use this to secure access to certain APIs.
Read this team's settings
Basic permission to read teams settings (e.g. notification preferences).
Read the names, descriptions, and settings of this team’s channels
Same as the delegated permission above, allows the bot to retrieve a list of channels where it is installed in. This is used to provide user guidance in Jira.
Read messages in this team
Allows the bot to read messages from this team. Used for features like “Create issue” to default the message text.
Read this group's members
Same as access the teams “roster”, used to looking up team membership.
Maintain access to the team’s data
Admin Permissions
All admin permissions are optional and add more features if granted.
Read all company places (Place.Read.All)
If granted by the admin, the meeting room picker offers better results.
Modern Office add-in
Installing the app via the Microsoft Office store (AppSource) will require access to your mailbox.
This is necessary because we don’t only work with the current email, but also show related issues based on the whole email conversation.
⚠️ We only use the data to provide the app features.
⚠️ We only access them when using the add-in and we never store your personal data on an external server (except for Jira itself).
