Hi Guys,is there a way to use the user attributes synced from Azure AD to Atlassian Access in Jira automaiton or JQL? (These user related information also known as account details in Jira cloud)https://confluence.atlassian.com/cloud/user-provisioning-959305316.html?_ga=2.145284535.261953757.1584949045-1049788169.1564737779You can update these user attributes from you identity provider:Display nameEmail addressOrganizationJob titleTimezoneDepartmentPreferred language I found some promising signs like reporter.properties expression in JQL or the smart values in the new automation, but I couldn't make use of them. https://support.atlassian.com/jira-software-cloud/docs/smart-values-users/One use case would be to use the reporter's department attribute from AD to auto assign the issue.Any help would be appreciated!Robert

Community
Products
Atlassian Guard
Questions
User properties (=account details) from Atlassian Access

User properties (=account details) from Atlassian Access

Hi Guys,

is there a way to use the user attributes synced from Azure AD to Atlassian Access in Jira automaiton or JQL? (These user related information also known as account details in Jira cloud)

https://confluence.atlassian.com/cloud/user-provisioning-959305316.html?_ga=2.145284535.261953757.1584949045-1049788169.1564737779

You can update these user attributes from you identity provider:

Display name
Email address
Organization
Job title
Timezone
Department
Preferred language

I found some promising signs like reporter.properties expression in JQL or the smart values in the new automation, but I couldn't make use of them.

https://support.atlassian.com/jira-software-cloud/docs/smart-values-users/

One use case would be to use the reporter's department attribute from AD to auto assign the issue.

Any help would be appreciated!

Robert

5 answers

1 accepted

1 vote

Answer accepted

Hello Robert,

Thank you for reaching out to Atlassian Community!

The fields mentioned in the documentation are specific for the identity provider, the fields and values won't be stored in Jira. With that said, currently, it's not possible to get this information to use on automation or to show on a JQL search.

There is an add-on that you can use to show this information on tickets:

Azure AD Attributes for Jira

If you have any other questions, please let us know.

Regards,
Angélica

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Thanks for the answer!

In the meantime, I've learned that REST API calls from scripting applications (Scriptrunner, JMWE) can be a workaround.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like • Angélica Luz likes this

Is this still the case with the updates to Automation?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

@Róbert Szabó Can you perhaps share more about it? I'm interested in accessing the Organization & Department's user property from Azure AD and based on that, set a value in Jira field using A4J (Automation for Jira).

I don't really want to use 3rd-party scripting apps at the time.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hello @Kalin U ,

I'm sorry but I don't have any new information on this. I couldn’t get it to work at the time, but I haven’t looked at whether there’s any progress in that area since.

But if you find new information then please share it, I am interested :)

Robert

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like • Kalin U likes this

3 votes

I know I'm necroposting, but I was excited to find this, and thought it *might* be useful:

If your IdP is properly syncing with Access (mine is not yet :-(, then you should be able to use the User Management REST API to find Job Title and Department, which are the only attributes that currently can be synced.

I followed the directions to generate an admin API and then tested it thusly:

% curl -s -H "Authorization: Bearer YOURAPIKEY" https://api.atlassian.com/users/ACCOUNTID_YOU_WANT_TO_LOOKUP/manage/profile | jq .

Which returned:

{
    "account": {
    "account_id": "ACCOUNTID_YOU_WANT_TO_LOOKUP",
    "name": "John Doe",
    "nickname": "jdoe",
    "email": "jdoe@somecompany.com",
    "picture": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/default-avatar.png",
    "characteristics": {
    "not_mentionable": null
    },
    "account_type": "atlassian",
    "account_status": "active",
    "email_verified": true,
    "privacy_settings": {
        "name": "public",
        "nickname": "public",
        "picture": "collaborator",
        "extended_profile.job_title": "public",
        "extended_profile.department": "collaborator",
        "extended_profile.organization": "collaborator",
        "extended_profile.location": "collaborator",
        "zoneinfo": "collaborator",
        "email": "collaborator",
        "extended_profile.phone_number": "collaborator",
        "extended_profile.team_type": "private"
      }
   }
}

So in theory then, you could create an Automation webhooks call to extract things job_title or department.

CAVEAT/WARNING

Admin API keys have read and write capabilities. Now, the Users API can't actually do much with Managed Accounts (maybe set location?), but there's a few other APIs that you probably don't want too many people to access. And since Automation doesn't have a way to hide/obfuscate API keys (in this case it would be in the Header), remember that any other Jira admins (or Project admins for project-based rules) would be able to see the key.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

1 vote

I followed the directions to generate an admin API and then tested it thusly:

% curl -s -H "Authorization: Bearer YOURAPIKEY" https://api.atlassian.com/users/ACCOUNTID_YOU_WANT_TO_LOOKUP/manage/profile | jq .

Which returned:

{
    "account": {
    "account_id": "ACCOUNTID_YOU_WANT_TO_LOOKUP",
    "name": "John Doe",
    "nickname": "jdoe",
    "email": "jdoe@somecompany.com",
    "picture": "https://avatar-management--avatars.us-west-2.prod.public.atl-paas.net/default-avatar.png",
    "characteristics": {
    "not_mentionable": null
    },
    "account_type": "atlassian",
    "account_status": "active",
    "email_verified": true,
    "privacy_settings": {
        "name": "public",
        "nickname": "public",
        "picture": "collaborator",
        "extended_profile.job_title": "public",
        "extended_profile.department": "collaborator",
        "extended_profile.organization": "collaborator",
        "extended_profile.location": "collaborator",
        "zoneinfo": "collaborator",
        "email": "collaborator",
        "extended_profile.phone_number": "collaborator",
        "extended_profile.team_type": "private"
      }
   }
}

So in theory then, you could create an Automation webhooks call to extract things job_title or department.

CAVEAT/WARNING

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hi,

Thanks for sharing!

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

0 votes

Thank you, @Darryl Lee

But just so that i get it right. After integrating with Access and EntraID (as an example) we do see the synchronized attributes (currently Name, Email, Job title, Department, Location, Local time) but there is no way to use them properly/directly?

I still would have to use the webhook to read those values via script and update custom fields in the ticket (or on the user profile, like @Chris referenced), correct?

So, assuming the comments on [ACCESS-822] Support more synced attributes for SCIM User Provisioning - Create and track feature requests for Atlassian products. are correct, we should at some point in the future get the manager attribute synced and "be able to use it for automating approvals". Why not the (easier) other attributes too?

I am trying to rebuild our ITSM portal and integrate it with EntraID and not being able to use the manager attribute already is a dealbreaker. While i am trying to hold up the faith that it will be available, i am personally astonished by it. This should be a basic feature of any service management solution that integrates with an identity provider.

So, apart from the rant: The solution is either webhook + self developed/hosted script or InApp currently? Any suggestions for the inApp (looking for more entraID attributes (cost center, manager) available for jsm requests and forms)?

Kind regards

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Hum [ACCESS-822] does talk about getting additional fields from the IdP, in your case, Entra.

The good news is if you're using REGULAR SCIM to provision users, then you can now get the Manager. This was introduced sometime in 2022:

How to sync the manager attribute into Atlassian Home with Azure AD

The bad news is, I'm pretty sure that data is still not accessible via a simple Smart Values, like:

{{assignee.manager.email}} <- THIS DOES NOT WORK!!!

And now that I'm looking at the endpoint I recommended in 2022, I realize I pasted a fake response. Here's a real response with my actual data! (Ugh, because we use Azure AD for Nested Groups we can't get Manager. Boo.)

{
  "account": {
    "account_id": "MYACCOUNTID",
    "name": "Darryl Lee",
    "nickname": "Darryl Lee",
    "zoneinfo": "America/Los_Angeles",
    "locale": "en-US",
    "email": "darryllee@MYCOMPANY",
    "picture": "MYAVATAR",
    "extended_profile": {
      "job_title": "Sr. Systems Engineer, Atlassian",
      "department": "427 Enterprise Engineering",
      "location": "San Jose, CA",
      "team_type": "Software Development"
    },
    "characteristics": {
      "not_mentionable": false
    },
    "account_type": "atlassian",
    "account_status": "active",
    "email_verified": true,
    "privacy_settings": {
      "name": "public",
      "nickname": "public",
      "picture": "public",
      "extended_profile.job_title": "public",
      "extended_profile.department": "public",
      "extended_profile.organization": "public",
      "extended_profile.location": "public",
      "zoneinfo": "public",
      "email": "public",
      "extended_profile.phone_number": "collaborator",
      "extended_profile.team_type": "private"
    }
  }
}

So that's interesting. If you did an API call from Automation using Web Requests, you could get job_title and department out of extended_profile.

As Angélica Luz wrote way back when, the third party Azure AD Attributes for Jira does allow for mapping of Entra fields to custom fields, but then it's Assignee/Reporter/User field of an issue, so it's not actually a queryable attribute for the USER.

And with a bit of work, you could probably implement with Automation using the API call to Get Profile. (And thank goodness that later in 2022 Atlassian allowed us to hide the Auth header.)

Oh! Micah Harley provided some good screenshots on how to do this here: