Scopes Justification

Below we explain why the app requires each of the permissions (scopes) declared in manifest.yml. The descriptions are concise and refer to real usage in the code and the available gadgets.

  • storage:app β€” Persist app configuration, cached/aggregated data, and large tree data split into chunks in Forge Storage/KVS.

  • read:user-configuration:jira β€” Read the current user’s Jira preferences (e.g., locale) to properly render texts.

  • read:avatar:jira β€” Display user/project avatars in UI components that render users.

  • read:project-category:jira β€” Potentially used by the shared API client when resolving project metadata (categories) for configuration screens.

  • read:project:jira β€” Read project metadata when building configuration UIs and issue creation metadata.

  • read:field-configuration:jira β€” Read custom field configuration for a specific field in a project/issue type.

  • read:field:jira β€” List available Jira fields and schemas.

  • read:issue-meta:jira β€” Read issue creation metadata (fields and their defaults) for a project/issuetype.

  • read:issue-details:jira β€” Read issue details to display current values and context (e.g., on portal panel or config screens).

  • read:audit-log:jira β€” Included for administrative visibility required by shared admin tooling; no direct call currently in this repo.

  • read:issue-type:jira β€” Resolve issue types for a project and on a specific issue.

  • read:status:jira β€” Read status metadata that may be referenced by configuration and reporting UI (via standard issue payloads and metadata).

  • read:issue-security-level:jira β€” Ensure issue reads are permitted when issues are protected by security levels; some Jira APIs require this scope to read security level names.

  • read:user:jira β€” Read user details in contexts where accountIds are mapped to display names (report views, configuration UIs).

  • read:issue.changelog:jira β€” Some report UIs may aggregate over changelogs; included for compatibility with shared client components. Not directly referenced in this repository.

  • read:issue:jira β€” General read access to issue resources beyond details-only paths (covers a large part of GET /rest/api/3/issue and related subresources used across UI flows).

  • read:issue.vote:jira β€” Included for completeness with the shared client that can read vote info; not directly used in this repository.

  • write:issue:jira β€” Historically required by similar apps to modify native issue fields. In this app, updates are made to an App-owned field value via the Apps endpoint (see below). Direct writes to core issue fields are not performed in this repository.

  • read:custom-field-contextual-configuration:jira β€” Read custom field contexts/global context for a field to determine visibility and behavior.

  • read:jira-user β€” Read user profile information in broader contexts (some Jira Cloud orgs require this scope for certain user APIs). Used by the shared client while resolving User objects with avatarUrls.

  • read:jira-work β€” Read issues, fields and metadata necessary for the cascading select UI and related configuration screens; Jira classifies some of these as "work" data.

  • write:jira-work β€” Update app-managed field values via the Apps endpoint and potentially evaluate expressions that require broader work scope.

  • manage:jira-configuration β€” The Apps Custom Field Configuration APIs may require elevated configuration read access, and some operations in shared clients expect this manage-level scope for reading configuration at scale.

  • read:servicedesk-request β€” Read Jira Service Management (JSM) Request Type fields on the customer portal and internal screens.

PreviousSecurity statementNextKnown limitations

Last updated

Was this helpful?