Getting all of the users in Jira v10+ through the API

No I will not have direct access to the database, so that is out of the question for my use case. The subsets approach is very tough as I don't know how many total users there will be. So for example querying with "a" could match more than 100 users, and then I need to produce sub-queries and deduplicate etc.

Will my proposed solution not get all of the users?

Hi, @Erazem Kos 

You don't need to perform any deduplication.

When you have more than 100 users, you'll need to use pagination. Simply retrieve and parse the user list page by page until you've fetched all results.

But that pagination is not working for Jira 10. It gets truncated to 100 users - talking about the v2 user/search API that I linked to in the original post. 

I don't have installed 10+ Jira for tests. Can you write structure of  response here?
Of course without user data arrays.
Just JSON structure

@Evgenii No need, just check the official docs (see max results parameter) and the link to the limitation where it is confirmed that this limitation exists.

Please understand that I am not asking about that endpoint at all, as I have tested it out by myself that the pagination can't query more than 100 users. That being said, my question is about the proposed workaround:

1. get all application roles, 2. get the one that has the key "jira-software" and 3. get all of the members of child groups. Will this get all of the users of the Jira DC? Will this key always remain the same, regardless of the language Jira is in or something, or can it be edited?

@Erazem Kos got it.

I'm not sure if you actually need to retrieve application roles — maybe you're referring to groups that grant access to specific apps?

If there's a single main group that controls app access (e.g., jira-software-users), you can fetch users from that group using the appropriate REST API endpoint with pagination support:

http://localhost:8088/rest/api/2/group/member?groupname=jira-software-users

However, if multiple groups are used to manage app access, then you’ll need to retrieve users from each group and combine them into a collection that removes duplicates — such as a set in most programming languages.

You can check which groups provide application access in the Application Access section:

http://localhost:8088/secure/admin/ApplicationAccess.jspa

@Evgenii in my case there is a single jira-software-users group that controls application access indeed. But I imagine this can be edited in the database, so I would prefer not to rely on the name of this specific group. Instead I want to rely on the application role, as I don't think it can be edited/changed as it holds the user licensing info.

For example this is what I am seeing on the ApplicationAccess:

And this directly corresponds with the jira-software application role API response I get. I get both groups and I also get which one is the default. My main question is whether I can rely on this or can this jira-software role be edited between instances - for example can I somehow change this role's name to jira-software-1.

Let’s start by clarifying the terminology — these are called groups (or user groups ), not application roles.

You can assign access to an application (like Jira) for any group in your instance — not just the default ones like jira-software-users.

For example, you can create custom groups such as:

• external-users
• contractors
• blablabla

Then, add those groups in the Application Access section. Once done, any user in those groups will have access to Jira — even if they’re not part of other groups.

This gives you flexibility in managing access based on your organization’s structure.

And answering on your question about name change - no, it's not possible to change group name. The only option is to create new group with required name.

@Evgenii I still don't think we are on the same page. My question is not exactly about groups. I know and understand what they are and how they interact with the permission model etc.

First let's clarify what it is that I want to achieve: I want to get all Jira Data Center users through an API, regardless of the configuration.

Since user/search API pagination is truncated, this is not an acceptable solution.

Then let's say I query the jira-software-users group's members. This would work, but according to this KBA it is possible to rename this group, so I can't rely on it to always work. So this is no really an acceptable solution either.

Finally there is the Application role named jira-software. Hitting the 

/rest/api/2/applicationrole/jira-software

in my demo instance, I get:

{"key": "jira-software",
"groups": [
"jira-administrators",
"jira-software-users"
],
"name": "Jira Software",
"defaultGroups": [
"jira-software-users"
],
"selectedByDefault": true,
"defined": true,
"numberOfSeats": -1,
"remainingSeats": -1,
"userCount": 102,
"userCountDescription": "users",
"hasUnlimitedSeats": true,
"platform": false
}

 which corresponds to the information I see at the ApplicationAccess.jspa.

My main question is - can I rely on this application role to always have all the groups I need to get all the users? I am essentially relying on jira-software application role key being the same for all instances and that it can't be edited, because the group name apparently can be.

@Evgenii @Carlos Garcia Navarro can you please take a look at my proposed solution? Thank you!