Last updated Jun 7, 2024

Authorization

Security plays a crucial role in safeguarding customer data stored in Assets from unauthorized access and preventing malicious or accidental alterations. Additionally, it empowers developers to create applications and integrations with assurance, thereby unlocking the complete potential of Assets data.

Security model

Assets uses a layered security model that lets developers access and change Assets data in a secure and flexible manner. The security model consists of the following three layers:

  1. API authentication - Verify the identity of the requester accessing Asset’s public API.
  2. API authorization - Make sure the requester has the necessary permission to access the specific API.
  3. Role-based authorization - Make sure the requester has the necessary Assets roles to access the target data. See roles in Assets to learn more.

Building on top of this security model, Assets provides different authentication and authorization mechanisms designed to meet specific requirements and features of various integration pathways.

Build integrations with Assets

We provide three different ways for developers to build seamless yet secure integrations with Assets:

(Figure: Three ways to build secure integrations with Assets)

Forge apps

Forge apps use OAuth 2.0 when authenticating with Assets. Scopes are an OAuth 2.0 mechanism that limits an app's access to a user's account. The Forge platform also provides managed APIs to make requests on behalf of the user, meaning that third-party code is never trusted with user credentials.

In addition, the Forge platform itself is inherently secure, in the way that it executes software and how it manages data.

See Security for Forge apps for more details.

Connect apps

Atlassian Connect apps use JWT (JSON Web Tokens) for authentication. This technology is built into the supported Atlassian Connect libraries. If you use client frameworks, most security operations are handled for you. Using JWT, Connect apps can access Assets APIs:

  • As app user: To access Assets APIs as an app to perform system actions, like scheduled jobs.
  • As user via impersonation: To access Assets APIs on a user’s behalf.

Authorisation via Connect scope

Please note that authorisation via Connect scope is not fully supported by Assets.

If you are a Connect app developer, to ensure your app can call Assets APIs you will need to do the following:

For example, if the app wants to use the API to create a new schema, you will need to:

Learn more about security for Connect Apps.

In rare circumstances where Connect apps cannot use JWT for authentication, Connect apps may instead use token-based authentication and authorization to access Assets APIs (see the section below for more details). However, we do not recommend this, as it goes against the latest security requirements for cloud apps.

Scripts or other REST API clients

Scripts and other REST API clients use token-based authentication and authorization to access Assets APIs. They should encode and add the token to the header for requests to the APIs. Assets supports two kinds of tokens:

  1. API token: Generated from a user's Atlassian Account.
  2. Container token: Generated by Assets to grant permission to access Assets APIs.

See API token-based authentication for more details.

We recommend that you only use token-based authentication and authorization if you have other security measures in place.
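As an added example of the script pattern described above (this is not Atlassian's own code), the following Python helper encodes an Atlassian account API token into the request header, reads credentials from the environment rather than the script body, and masks the credential before anything is logged. The HTTP Basic format (base64 of "email:token"), the base URL and the endpoint path are assumptions; confirm them against the API token-based authentication page before use.

```python
import base64
import json
import urllib.request

# ASSUMPTION: Assets REST base URL; verify against the current API reference.
ASSETS_BASE_URL = "https://api.atlassian.com/jsm/assets/workspace/{workspace_id}/v1"


def build_basic_auth_header(email: str, api_token: str) -> str:
    """Encode email:api_token as an HTTP Basic Authorization header value (assumed format)."""
    if not email or not api_token:
        raise ValueError("email and API token are both required")
    raw = f"{email}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def redact_auth_header(value: str) -> str:
    """Keep only the scheme so request logs never contain the token itself."""
    scheme, _, _ = value.partition(" ")
    return f"{scheme} [REDACTED]"


def build_request(workspace_id, path, email, api_token, method="GET", body=None):
    """Return a urllib Request for an Assets endpoint with the token header attached."""
    base = ASSETS_BASE_URL.format(workspace_id=workspace_id)
    url = f"{base}/{path.lstrip('/')}"
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", build_basic_auth_header(email, api_token))
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


if __name__ == "__main__":
    import os
    # Credentials come from the environment, never from a hard-coded string.
    # "/objectschema/list" is an assumed endpoint path used for illustration.
    req = build_request(os.environ["ASSETS_WORKSPACE_ID"], "/objectschema/list",
                        os.environ["ATLASSIAN_EMAIL"], os.environ["ASSETS_API_TOKEN"])
    print(req.get_method(), req.full_url,
          redact_auth_header(req.get_header("Authorization")))
    with urllib.request.urlopen(req) as resp:
        print(resp.status)
```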
