Scopes Justification

Below we explain why the app requires each of the permissions (scopes) declared in manifest.yml. The descriptions are concise and refer to real usage in the code and the available gadgets.

storage:app

  • Purpose: Store widget configuration and cached report data in KVS.

read:jira-work

  • Purpose: Read Jira issues/fields/projects used by reports (assignee workload, time distribution, org-based counts).

read:servicedesk-request

  • Purpose: Read JSM-specific data (CSAT, SLA, request channel, request type).

read:cmdb-schema:jira

  • Purpose: Read Assets/CMDB schemas (object types/attributes) to build/interpret AQL-based reports.

read:cmdb-object:jira

  • Purpose: Read Assets objects via AQL (e.g., counts per class).

manage:servicedesk-customer

  • Purpose: Read JSM customers and organization memberships.

  • Warning: This permission also allows creating and editing customers, but our app does not perform such actions. Ideally we would switch to granular read-only permissions; however, we are not doing so now to avoid triggering a new major app version. We'll do it when another opportunity comes up.
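
One way to keep manifest.yml and the justifications above in sync, and to keep the broader-than-needed scope visible, is a small audit script run in CI. This is an added example, not code from the app: the manifest excerpt is constructed from the scopes listed on this page, it assumes scopes are plain strings under permissions.scopes, and the names parseScopes, auditScopes and DOCUMENTED are hypothetical.

```javascript
// Constructed excerpt of manifest.yml holding the scopes listed on this page.
const MANIFEST = `
permissions:
  scopes:
    - storage:app
    - read:jira-work
    - read:servicedesk-request
    - read:cmdb-schema:jira
    - read:cmdb-object:jira
    - manage:servicedesk-customer
`;

// Documented use per scope, taken from the "Purpose" lines ('read' = read-only use).
const DOCUMENTED = new Map([
  ['storage:app', 'read-write'],
  ['read:jira-work', 'read'],
  ['read:servicedesk-request', 'read'],
  ['read:cmdb-schema:jira', 'read'],
  ['read:cmdb-object:jira', 'read'],
  ['manage:servicedesk-customer', 'read'],
]);

// Minimal reader for the string list under `scopes:` (assumption: not a full YAML parser).
function parseScopes(yamlText) {
  const scopes = [];
  let inScopes = false;
  for (const raw of yamlText.split('\n')) {
    const line = raw.replace(/#.*$/, '').trimEnd(); // drop comments
    if (!line.trim()) continue;
    if (/^\s*scopes:\s*$/.test(line)) { inScopes = true; continue; }
    const item = line.match(/^\s*-\s*["']?([^"'\s]+)["']?\s*$/);
    if (inScopes && item) scopes.push(item[1]);
    else inScopes = false; // any other key ends the list
  }
  return scopes;
}

// Compare declared scopes with the documented ones.
function auditScopes(declared, documented) {
  return {
    // declared in the manifest but never justified
    undocumented: declared.filter((s) => !documented.has(s)),
    // justified in the document but no longer declared
    stale: [...documented.keys()].filter((s) => !declared.includes(s)),
    // documented use is read-only, yet the scope verb grants more than read
    broaderThanUse: declared.filter(
      (s) => documented.get(s) === 'read' && s.split(':')[0] !== 'read'),
  };
}

console.log(JSON.stringify(auditScopes(parseScopes(MANIFEST), DOCUMENTED), null, 2));
```

A CI job could fail on any undocumented or stale entry and compare broaderThanUse against an explicitly accepted list, so a new write-capable scope cannot be added without a justification.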
