If the product module you’re using supports unlicensed access, you can optionally
allow one or more types of these unlicensed users to run your Forge app. This is
done by adding permissions in your app’s manifest.yml file.
By default, only licensed, authenticated users of the product within which an app runs, can use that app. For Jira Service Management, these licensed users include agents, project administrators, and collaborators. This means that Forge apps won’t work for unlicensed users in portals/views, such as the Jira Service Management portal, that support unlicensed use cases unless you configure your app to allow it.
Before configuring unlicensed access, make sure you understand the different types of unlicensed users. Jira Service Management has three unlicensed user types, reflecting different levels of the user’s relationship with the site:
| Unlicensed user | Description |
|---|---|
unlicensed | A user who is logged in to their Atlassian account but does not
have that product license on the site. For example, a user might be licensed for Confluence
and Jira but not have an agent license for Jira Service Management on that site. That user
is an To learn more about Atlassian accounts, see What is an Atlassian account?. |
customer | A user who is logged in to their Atlassian account who has limited access to the product on that site and can only perform certain actions in it. For example, in Jira Service Management, users with the customer role are considered to be customer unlicensed users. For example, a Jira Service Management customer can view their own requests on a portal and receive notifications about them. However, they don't have access to the Jira Service Management project or the ability to create or edit issues. To learn more about roles in Jira Service management, see What are project roles in Jira Service Management?. |
anonymous | A user who is not logged in to an Atlassian account. |
Unlicensed access is currently supported for the following Jira Service Management modules:
| Module | unlicensed | customer | anonymous |
|---|---|---|---|
| jiraServiceManagement:portalRequestDetail | yes | yes | no |
| jiraServiceManagement:portalRequestDetailPanel | yes | yes | no |
| jiraServiceManagement:portalFooter | yes | yes | yes |
| jiraServiceManagement:portalHeader | yes | yes | yes |
| jiraServiceManagement:portalSubheader | yes | yes | yes |
| jiraServiceManagement:portalProfilePanel | yes | yes | no |
| jiraServiceManagement:portalUserMenuAction | yes | yes | no |
| jiraServiceManagement:portalRequestViewAction | yes | yes | no |
| jiraServiceManagement:portalRequestCreatePropertyPanel | yes | yes | yes |
| jiraServiceManagement:queuePage | no | no | no |
| jiraServiceManagement:organizationPanel | no | no | no |
| jiraServiceManagement:assetsImportType | no | no | no |
Unlicensed users won't be able to make asUser API calls because the user is
unauthorized and won't have full access to the Jira Service Management project.
However, apps with the necessary permissions will be able to make asApp
API calls.
| Authenticated product API calls | Unlicensed access |
|---|---|
| asUser | Not allowed |
| asApp | Allowed |
You can use the AccountType property in the Forge UI context and the
Resolver context to customize your app's behavior. For more information
on this, see How to customize app behavior for unlicensed users below.
The app can use storage APIs to store and retrieve values from Forge storage using the Forge storage API while invoking modules for unlicensed users.
Note that for anonymous users, accountId will be the string unidentified.
If you use it to populate storage keys, you might end up sharing the data among
all anonymous users.
For example:
1 2const secretKey = await storage.getSecret(`github-secret:${context.accountId}`)
For anonymous users ${context.accountId} === 'unidentified'
Because all anonymous have the same accountId, unidentified, and this developer has keyed
storage on the accountId, they are sharing the same data across all anonymous users.
See Storage API to learn more.
You can tunnel development app invocations from customer and anonymous account types.
Products may cache invocation responses for up to five minutes, so wait five minutes before attempting to validate an opt-in change using the product's user interface.
By default, Forge modules don’t allow unlicensed user access. You can opt in for unlicensed
access via the manifest using the unlicensedAccess property on supported modules. This
is an optional property and its absence means that the module does not allow unlicensed users.
The unlicensedAccess property in the manifest expects an array of user types.
For example, the sample manifest.yml file section below defines an app module
that uses the jiraServiceManagement:portalFooter product module.
1 2modules: jiraServiceManagement:portalFooter: - key: hello-world-panel resource: main resolver: function: resolver viewportSize: medium unlicensedAccess: - anonymous - customer
This app allows anonymous and customer users to interact with the hello-world-panel
module. Hence, when an anonymous or customer user visits the portal page,
this app module will be run.
However, since this app doesn't allow unlicensed users, this app module won't
be available and won't be run if an unlicensed user visits the portal page.
You can customize app behavior for different user types by fetching the
current user's account type from the accountType property. This property can
have one of the following possible values, three of which are the unlicensed user
types mentioned previously:
| AccountType | Description |
|---|---|
licensed | Users who have Atlassian accounts and have that product licensed on the site. These users have access to the app by default, whether or not the developer has opted in to allowing access for one or more user types. |
unlicensed | Users who have Atlassian accounts but do not have that product license on that site. For example, a user might be licensed for Confluence and Compass but not licensed for both Jira and Jira Service Management on that site. That user is an unlicensed user of Jira Service Management. |
anonymous | Users who are not logged in, regardless of whether they do or do not have an Atlassian account. |
customer | Users who have limited access to the product and can only perform certain actions. For example, a Jira Service Management customer can view their own requests on a portal and receive notifications about them but they don't have access to the Jira Service Management project or the ability to create or edit issues. |
UI Kit apps can fetch accountType from the
useProductContext hook as follows:
1 2import ForgeUI, { useProductContext, Text, Macro, render } from '@forge/ui'; const App = () => { const context = useProductContext(); return <Text>Account type: {context.accountType}</Text>; }; export const run = render(<Macro app={<App />} />);
Custom UI apps can call a resolver if they need accountType. The resolver can access the
accountType property in the context and simply return its value back to the view:
1 2resolver.define('getAccountType', (req) => { return req.context.accountType; });
Unlicensed access is only supported in certain Jira Service Management modules, as mentioned above. The Forge CLI has been updated to validate your manifest when running and prevent you from incorrectly configuring modules as follows:
forge lint displays an error message if unlicensed access is configured incorrectly.forge deploy displays an error message and does not deploy your app if unlicensed access
is configured incorrectly.There are two types of errors you might encounter in the Forge CLI:
If you try to add unlicensed access to modules that don’t support it, Forge displays an error in this format:
1 2${module} does not support the following Forge properties - 'unlicensedAccess'
Consider the following manifest that defines unlicensedAccess for the hello-world-panel
app module using the jiraServiceManagement:queuePage product module.
1 2modules: jiraServiceManagement:queuePage: - key: hello-world-panel resource: main resolver: function: resolver viewportSize: medium unlicensedAccess: - anonymous - customer
As mentioned above, the jiraServiceManagement:queuePage module is not open for unlicensed
access. You will get the following error when you try to deploy this app:
1 2$ forge deploy error jiraServiceManagement:queuePage does not support the following Forge properties - 'unlicensedAccess' valid-document-required
Notice that the error message references the product module. This indicates that the module does not support any unlicensed access.
If you try to add a user type that is not supported by a module, Forge displays an error in this format:
1 2Property "unlicensedAccess" in ${moduleKey} must be an array of one or more of the following values: [unlicensed, customer, anonymous]
Consider the following manifest that defines unlicensedAccess for anonymous and customer
user types to hello-world-panel for jiraServiceManagement:portalUserMenuAction.
1 2modules: jiraServiceManagement:portalUserMenuAction: - key: hello-world-panel resource: main resolver: function: resolver viewportSize: medium unlicensedAccess: - anonymous - customer
As mentioned above, although the jiraServiceManagement:portalUserMenuAction module is
open for unlicensed access but it only allows unlicensed and customer accounts to have access.
Therefore you will get the following error when you try to deploy this app:
1 2$ forge deploy --verbose Upload URL is valid Found manifest file Manifest is a valid YAML Property "unlicensedAccess" in hello-world-panel-portal-user must be an array of one or more of the following values: [unlicensed, customer] Error: Deployment failed
Notice that in this case, the error message references your app key. This indicates that the issue is that the product module does support some types of unlicensed access, but does not support one or more of the user types you specified for your app.
Rate this page: