Permissions control what the Teamwork Graph CLI (TWG CLI) can do across your connected tools - essentially what it can read, write, manage, and delete. Configuring permissions correctly lets you give teams the access they need while protecting sensitive data in your organization.

For an overview of all CLI settings, see Manage TWG CLI settings for your organization.

Permission categories and default state

TWG CLI groups OAuth permissions into three categories:

Read
Write and manage
Delete

By default, Allow all permissions by default is on. In this mode, TWG CLI can request all current OAuth permissions shown in Atlassian Administration, and new TWG CLI permissions added later are allowed automatically.

To manage permissions individually, turn Allow all permissions by default off. Each category then opens a side panel where you can select all permissions in that category, clear all permissions, or choose individual permissions.

Permissions apply to OAuth 2.1, which is the only authentication method TWG CLI supports, except for Bitbucket commands.

Use write and delete access with caution. When write and delete permissions are enabled, users can create, edit, manage, or delete objects in your connected apps - such as Jira work items and Confluence pages - using the CLI. Only enable the permissions your organization genuinely needs.

Change permissions

To change permissions:

Go to Atlassian Administration. Select your organization if you have more than one.
In the sidebar, select Rovo, then select Teamwork Graph CLI.
In Permissions, turn off Allow all permissions by default if you want to customize permissions.
Select a permission category: Read, Write and manage, or Delete.
In the side panel, use Select all or the individual permission toggles to choose which OAuth permissions TWG CLI can request.
Select Save.
Choose whether to Save without revoking or Save and revoke sessions.
Repeat for any other permission categories.

To block TWG CLI OAuth access for your organization, turn off Allow all permissions by default, clear the permissions in each category, save your changes, and choose Save and revoke sessions.

Revoke active sessions

When you save permission changes, Atlassian Administration asks whether to revoke active TWG CLI sessions.

Save without revoking saves the new settings, but users may continue using existing sessions until they need to re-authenticate.
Save and revoke sessions saves the new settings and requires users to authenticate again before TWG CLI can use the updated permissions.

Revoking sessions is recommended when you remove permissions or clear a permission category.

Server-side enforcement

Permissions are enforced server-side by Atlassian. This means they can't be bypassed by modifying the CLI binary or local config. When a command is sent, Atlassian checks the permissions configured for your organization before returning any data or performing any action. If TWG CLI isn't allowed to request the required permission, the command is rejected.

IP and location allowlists

IP and location allowlists configured in your Atlassian organization also apply to CLI requests. If a request originates from a blocked IP address, it's rejected regardless of the user's permissions.

Diagnose a blocked command

A blocked command appears as restricted, and you'll need to re-authenticate. If a command is unexpectedly blocked, check that:

The OAuth permission the command needs is allowed in the relevant permission category.
The request isn't originating from an IP address outside your organization's allowlist.
The user has re-authenticated after recent permission changes or session revocation.