This page lists all permissions that our app requires across Jira and Microsoft Teams. A short explanation why we need the permission is also given.
We only use the data to provide app features. We try to request as little permissions as possible, but unfortunately, some permissions are too broad. We are constantly working with Atlassian and Microsoft to improve this.
You may also check out our Microsoft publisher attestation of the app: Publisher Attestation
Jira Cloud app
When installing the app on Jira Cloud, it will ask for the following permissions:
These are basic permissions for every app. We want to create tickets for the user so we need to read and write to Jira
This permission allows us to impersonate the user. This is necessary, because when fetching issue information from the system, it allows us to respect issue & project permissions easily, by having Jira take care of it. In addition, when an issue is created, the author should be the user itself, not the Teams app - impersonation makes this possible.
This broad administrative permission is unfortunately required from a security perspective. To restrict editing app settings to Jira administrators, we need to determine if the user is actually an administrator - to get this information, the Atlassian APIs require itself administrative permissions. There is a bug open here: https://ecosystem.atlassian.net/browse/ACJIRA-2177
If you would like to know more, please get in touch!
Teams app / Microsoft account
The Teams app is divided into two parts, some permissions come from the Teams app itself, other permissions will be granted by every user (delegated).
Delegated permissions are granted when a single user logs in from Jira with their own account.
Basic permission to be able to log the user in.
This permission is required, so we don’t need to have the user login again every day.
This permission is used to view and post new chat messages from Jira.
This permission is used to show a list of the users own channels in Jira
This permission is used (in combination with the one above) to determine the teams and channels of the user, to allow them to be picked.
This permission is used to send channel messages on behalf of the user from Jira.
This permission is required to look up users in AzureAD. This is necessary to provide user lookups (e.g. @-mentions) from Jira.
Teams app permissions
The Teams app permissions are granted when installing the bot/app in Microsoft Teams. Even though the list below looks fairly long, though most of the permissions are quite basic and the same for all apps that include a bot.
Please note, that permissions like “Read messages in a Team” only apply to the team the app/bot is installed in. Therefore, you have a team with confidential data you don’t want to expose to Jira, the app won’t have access, even if it’s installed in other teams.
Basic bot permission. If you @-mention the bot, we will receive this message.
Basic bot permission. Allows the bot to send messages to a user (currently only the welcome message).
Basic bot permission. Used to send personalized messages (e.g. Hi <first name>)
Basic bot permission. If you @-mention the bot in a channel, we will receive that message.
Basic bot permission. Allows the bot to proactively post in a channel.
Allows the bot to check team/channel membership of users. We use this to secure access to certain APIs.
Basic permission to read teams settings (e.g. notification preferences).
Same as the delegated permission above, allows the bot to retrieve a list of channels where it is installed in. This is used to provide user guidance in Jira.
Allows the bot to read messages from this team. Used for features like “Create issue” to default the message text.
Same as access the teams “roster”, used to looking up team membership.
Basic bot permission.