issue with Synchronisation Assigned to info due to User Administration required for GET/users call

Lien Bäcker Member, Data Exchange, Jama Connect Interchange™ (JCI) Posts: 84
edited September 2021
Hi,
We are using Tasktop Integration Hub to synchronize data between the Jama instance at our organisation and another Jama instance at our joint venture. One item of the synced data is Assigned To.

As one of the steps for the synchronization of Assigned To, Tasktop Integration Hub makes use of GET/users to read the list of all users who are assigned to the project.

In 8.62.2, the permission User Administration is required for the GET/users call, which causes us an issue in the synchronization.

The fact is: due to the confidentiality terms, it is impossible, in the Jama instance at our joint venture as well as in our organisation, for the user used by Tasktop Integration Hub to hold the permission "User Administration". The user used by Tasktop Integration Hub can only have the Create / Edit permission on the selected projects.

Without the "User Administration" permission, Tasktop Integration Hub receives a 401 response with the following error message for GET/users. The Assigned To information cannot be synced.

{"meta":{"status":"Unauthorized","timestamp":"2021-08-31T08:09:41.310+0000","message":"You don't have permission to perform this action."}}

Why does Jama implement this restriction in 8.62.2? Any solution for us on Permission to enable us to sync the Assigned To?

Thanks

Comments

  • Decoteau Wilkerson
    Decoteau Wilkerson Jama Staff, Data Exchange, Moderator, Automotive Solution, Medical Devices & Life Sciences Solution, Robotics Solution, Airborne Systems, Jama Connect Interchange™ (JCI), Jama Validation Kit (JVK) + Functional Safety Kit (FSK) Posts: 48
    edited September 2021
    Hi Lien, 

    I want to dig in a bit more about why the Task Top user can't be assigned "User Administration" permissions. Is this because of a TT limitation?  Or is this due to a policy in your organization? 
    Decoteau Wilkerson
    Content Marketing Specialist
    Jama Software
    Oregon
  • Lien Bäcker
    Lien Bäcker Member, Data Exchange, Jama Connect Interchange™ (JCI) Posts: 84
    edited September 2021

    Hi Decoteau,

     

    The Task Top user can't be assigned "User Administration" permissions. It is a combination of both organizational policy and the technical framework.

     

    Since the "User Administration" permission is so powerful, it is the policy of the organizations (Gira as well as our Joint Venture) that this powerful "User Administration" permission can only be given to particular persons who are responsible for the Organisation Administration, and not to any external users or any users whose login data is to be used in other tools like Tasktop Integration Hub or a REST API script.

     

    I hope this information could help.

     

    Thanks

    Lien

  • Decoteau Wilkerson
    Decoteau Wilkerson Jama Staff, Data Exchange, Moderator, Automotive Solution, Medical Devices & Life Sciences Solution, Robotics Solution, Airborne Systems, Jama Connect Interchange™ (JCI), Jama Validation Kit (JVK) + Functional Safety Kit (FSK) Posts: 48
    edited September 2021
    Hi Lien, 

    Thank you for that additional context. We made it so only User Administration or Org Admins can see user data to make the app more secure. Since the permissions you've described are your policy, this could impact your TT users in the future. 

    Did you run into any of these messages/complications prior to 8.62.2?
    Decoteau Wilkerson
    Content Marketing Specialist
    Jama Software
    Oregon
  • Lien Bäcker
    Lien Bäcker Member, Data Exchange, Jama Connect Interchange™ (JCI) Posts: 84
    edited September 2021

    Hi Decoteau,

     

    Prior to 8.62.2, everything worked fine and there were no such complications.

    Prior to 8.62.2, such TT users needed only the create and edit rights for the synchronization, including the Assigned To data.
    In the Jama instance at our partner organisation, it is important that the TT user only receives the create and edit rights to the relevant set, not to the whole project.

     
    Best
    Lien

     






  • Decoteau Wilkerson
    Decoteau Wilkerson Jama Staff, Data Exchange, Moderator, Automotive Solution, Medical Devices & Life Sciences Solution, Robotics Solution, Airborne Systems, Jama Connect Interchange™ (JCI), Jama Validation Kit (JVK) + Functional Safety Kit (FSK) Posts: 48
    edited September 2021
    Hi Lien, 

    Thanks for your patience while I looked into this further with our Product team. 

    With the release of 8.62, we made a choice to disable the ability for non-admin users to harvest users from an instance, in order to increase security.

    The user role will not provide access to projects or project data where that user is not also a Project Admin. A regular user can GET/users/{userId} if you share access to a Project for typical use cases (such as working with Items, seeing who made Item changes, etc.) 

    We also checked in with our consulting team on all the known Task Top/Ophubs integrations and considerations. They shared that all of the existing integrations (that they knew of) used Org Admins as the user or could use the new user role without issue. 

    I hope this breakdown helps. Please let me know if you have any questions. 

    Decoteau Wilkerson
    Content Marketing Specialist
    Jama Software
    Oregon
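
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Jama or Tasktop code: a REST script running as a non-admin account resolves only the user ids referenced by the items it syncs, through GET/users/{userId}, instead of listing the whole directory. The `fake_get` stub, the sample users, the `data` envelope and the 404 case are constructed assumptions; only the 401 body and the two endpoint shapes come from this thread.

```python
import json

# Constructed sample directory; not real data.
SAMPLE_USERS = {17: {"id": 17, "username": "a.example"},
                23: {"id": 23, "username": "b.example"}}

class PermissionDenied(Exception):
    """The account lacks the permission the endpoint requires."""

def fake_get(path, is_user_admin=False):
    """Constructed stand-in for the server: returns (status, body_text)."""
    if path == "/users":
        if not is_user_admin:  # behaviour described for 8.62 and later
            return 401, json.dumps({"meta": {
                "status": "Unauthorized",
                "message": "You don't have permission to perform this action."}})
        return 200, json.dumps({"meta": {"status": "OK"},
                                "data": list(SAMPLE_USERS.values())})
    uid = int(path.rsplit("/", 1)[1])
    if uid in SAMPLE_USERS:
        return 200, json.dumps({"meta": {"status": "OK"},
                                "data": SAMPLE_USERS[uid]})
    # Assumed shape for an unknown or non-visible user id.
    return 404, json.dumps({"meta": {"status": "Not Found"}})

def parse(status, text):
    """Turn a response into its data, or raise on the error envelope."""
    body = json.loads(text)
    if status == 401:
        raise PermissionDenied(body["meta"]["message"])
    if status != 200:
        raise LookupError(body["meta"]["status"])
    return body["data"]

def resolve_assignees(assigned_ids, get=fake_get):
    """Look up only the ids that appear in Assigned To; never list /users."""
    resolved, missing = {}, []
    for uid in sorted(set(assigned_ids)):  # one request per distinct id
        try:
            resolved[uid] = parse(*get(f"/users/{uid}"))["username"]
        except LookupError:
            missing.append(uid)  # leave unmapped rather than failing the sync
    return resolved, missing

if __name__ == "__main__":
    print(resolve_assignees([23, 17, 23, 99]))
```
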
  • Lien Bäcker
    Lien Bäcker Member, Data Exchange, Jama Connect Interchange™ (JCI) Posts: 84
    edited September 2021
    Hi Decoteau,

    Thanks for clarifying.

    The issue with giving the TT user the permission "User Administration" is: although the TT user with only the permission "User Administration" cannot access any project data, the TT user has the right to
    - read, add, deactivate the users in the user base
    - create and modify user groups
    - change the permission settings
    This is still the main argument why your development partner insists on not giving the TT user (used by Tasktop) the permission "User Administration" in their Jama instance.

    One question I have: is there a configuration in Jama which can set the restriction that the TT user account can only be used by a REST API call to log into Jama, and cannot be used to log into Jama through a browser?
  • Decoteau Wilkerson
    Decoteau Wilkerson Jama Staff, Data Exchange, Moderator, Automotive Solution, Medical Devices & Life Sciences Solution, Robotics Solution, Airborne Systems, Jama Connect Interchange™ (JCI), Jama Validation Kit (JVK) + Functional Safety Kit (FSK) Posts: 48
    edited September 2021
    Hi Lien, 

    Thank you for providing this additional context. I can understand your need here but I'm not certain REST API will allow you to bypass these permission changes. 

    I will get with our team to try and think of some alternative workarounds for you. In the meantime, I have reached out to your Account Manager to give them a heads up, just in case our Professional Services team can think of more solutions. 

    I'll make sure to update this thread with any additional options I can find!
    Decoteau Wilkerson
    Content Marketing Specialist
    Jama Software
    Oregon