All about Scopes and ScriptRunner for JIRA Cloud permissions

If you're a user of ScriptRunner for JIRA Cloud you will have noticed that during the installation process the Add-On requests a lot of permissions. What are they and why does it need them?

Using your data in the Cloud

The reason for needing these permissions, or Scopes as Atlassian calls them, is because of the nature of running software applications in the Cloud. Your data is going to be stored and processed on third-party systems Atlassian Cloud and the Cloud hosting of the Add-On. Naturally, the installation process needs to make this clear and get your express permission to do it.

Why is it different from Server Add-Ons?

In a Server Add-On, all the processing and storage is on your own server. JIRA, ScriptRunner for JIRA Server and your data all remained in the same place. ScriptRunner for JIRA Cloud operates a range of services that let users write and run their own scripts, implement library scripts and review the log output of those script executions.

What Scopes does ScriptRunner for JIRA Cloud need?

When installing the add-on a list of ScriptRunner for JIRA Cloud permissions, or Scopes, are presented. ScriptRunner for JIRA Cloud requires permission for these in order to run successfully. A list of the scopes required for each REST API endpoint that JIRA Cloud provides can be found here. Below is a detailed explanation of why we need each of these Scopes.

• Act on a JIRA user's behalf, even when the user is offline: Scripts can be configured to execute as either the Add-On or as the user who initiated that script. For example, if a user transitions an issue, then the Workflow Post Function will be initiated by that user. It makes sense to execute the Post Function as the user who transitioned the issue. This ensures that each user's permissions are respected and provides a much clearer history of who has made changes to the issues in your system.
• Administer JIRA: This Scope allows for the creation, updating and deletion of issue types and issue link types, as well as for creating custom fields when running a script as the ScriptRunner Add-on user.
• Administer JIRA projects: Allows you to write scripts that execute as the ScriptRunner Add-on user for creating, updating or removing Projects, Components and Versions. This means that you don't need to grant those permissions to the rest of your user base.
• Delete JIRA data: Required in order to delete issues, comments, worklogs, issuelinks and similar items while running a script as the ScriptRunner Add-on user.
• Write data to JIRA: This scope is required in order to create issues, comments, worklogs etc while running a script as the ScriptRunner Add-on user.
• Read JIRA data: This scope is required in order to view issues, comments, worklogs etc while running a script as the ScriptRunner Add-on user.

Each of these Scopes is quite simple in itself. However, it presents quite a long list of permissions required at installation. If you have any specific queries about Scopes or ScriptRunner for JIRA Cloud permissions, contact us via the product support portal.