How to find Bamboo Permissions through REST API and SQL Queries

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article provides useful REST API calls and database queries to assist in a Bamboo permission audit.

Environment

All supported versions of Bamboo.

Solution

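REST API

In the examples below, http://localhost:8085 and admin:admin stand for your Bamboo base URL and credentials. The -k option turns off TLS certificate verification in curl; it has no effect on a plain http:// URL and can be dropped when the server presents a trusted certificate.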

Global Permission



curl -k -u admin:admin \
     -H 'Accept: application/json' \
     -X GET http://localhost:8085/rest/api/latest/permissions/global/groups



Project Permission
  • Get projects

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/project
    
  • Get users permissions from project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/users
    
  • Get groups permissions from project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/groups
    
Plan Permission
  • get plans

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/plan
    
  • get users permissions from plan

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/users
    
  • get groups permissions from plan

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/groups
    
Deployment Project
  • get deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/deploy/project/all
    
  • get users permissions from deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/users
    
  • get groups permissions from deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/groups
    
Deployment Environment
  • get deployment environment from deployment project

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/deploy/project/{deploymentProjectId}
    
  • get users permissions from deployment environment

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/users
    
  • get groups permissions from deployment environment

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/groups
    



Linked Repository
  • get users permissions from linked repository

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/users
    
  • get groups permissions from linked repository

    curl -k -u admin:admin \
         -H 'Accept: application/json' \
         -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/groups
    

Database

Meaning of permission

The acl_object_identity.object_id_class column identifies the type of object a permission is granted on, and acl_entry.mask holds the permission value:

| acl_object_identity.object_id_class | permission on | acl_entry.mask |
| --- | --- | --- |
| com.atlassian.bamboo.security.GlobalApplicationSecureObject | Global | (1) Access, (4) Create, (1024) Create repository, (16) Admin |
| com.atlassian.bamboo.project.DefaultProject | Project | (4) Create plan, (16) Admin, (1024) Create repository [Data Center only] |
| com.atlassian.bamboo.project.ProjectPlanPermissions | Plan Inheritance | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin, (2048) View Configuration [Data Center only] |
| com.atlassian.bamboo.chains.DefaultChain | Plan | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
| com.atlassian.bamboo.deployments.projects.InternalDeploymentProject | Deployment Project | (1) View, (2) Edit |
| com.atlassian.bamboo.deployments.environments.InternalEnvironment | Deployment Environment | (1) View, (2) Edit, (64) Deploy |
| com.atlassian.bamboo.repository.RepositoryDataEntityImpl | Linked Repositories | (1) Use, (16) Admin |

The acl_entry.type column describes the kind of grantee the permission is given to:

| acl_entry.type | permission to |
| --- | --- |
| PRINCIPAL | Users |
| GROUP_PRINCIPAL | Groups |
| GRANTED_AUTHORITY | Logged in users |
| GRANTED_AUTHORITY | Anonymous users |

The acl_entry.sid column identifies to whom the permission was granted:

| acl_entry.type | acl_entry.sid |
| --- | --- |
| PRINCIPAL | username, e.g. admin |
| GROUP_PRINCIPAL | groupname, e.g. bamboo-admin |
| GRANTED_AUTHORITY | ROLE_USER |
| GRANTED_AUTHORITY | ROLE_ANONYMOUS |

SQL Queries

The queries below have been tested in PostgreSQL.


  • get global permission for user/group

    select ae.sid user_group_name
         , ae.type access_type
         , ae.mask permission
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
       and aoi.object_id_class = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
     order by ae.sid, ae.mask;

  • get projects and user/group permissions

    select p.project_key
         , ae.sid user_group_name
         , ae.mask permission
         , ae.type access_type
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
      join project p on aoi.object_id_identity = p.project_id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
       and aoi.object_id_class = 'com.atlassian.bamboo.project.DefaultProject'
       and p.project_key like '%'
     order by p.project_key, ae.sid, ae.mask;

  • get plan permission inheritance

    select p.project_key
         , ae.sid user_group_name
         , ae.mask permission
         , ae.type access_type
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
      join project p on aoi.object_id_identity = p.project_id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
       and aoi.object_id_class = 'com.atlassian.bamboo.project.ProjectPlanPermissions'
       and p.project_key like '%'
     order by p.project_key, ae.sid, ae.mask;

  • get plans and user/group permissions

    select b.full_key planKey
         , ae.sid user_group_name
         , ae.mask permission
         , ae.type access_type
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
      join build b on aoi.object_id_identity = b.build_id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
       and aoi.object_id_class = 'com.atlassian.bamboo.chains.DefaultChain'
       and b.full_key like '%'
     order by b.full_key, ae.sid, ae.mask;

  • get deployment project and user/group permissions

    select dp.name deploy_proj
         , ae.sid user_group_name
         , ae.mask permission
         , ae.type access_type
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
      join deployment_project dp on aoi.object_id_identity = dp.deployment_project_id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
       and aoi.object_id_class = 'com.atlassian.bamboo.deployments.projects.InternalDeploymentProject'
       and dp.name like '%'
     order by dp.name, ae.sid, ae.mask;

  • get deployment environment and user/group permissions

    select concat(dp.name,concat(' - ',de.name)) deploy_env
         , ae.sid user_name
         , ae.mask permission
         , ae.type access_type
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
      join deployment_environment de on aoi.object_id_identity = de.environment_id
      join deployment_project dp on de.package_definition_id = dp.deployment_project_id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
       and aoi.object_id_class = 'com.atlassian.bamboo.deployments.environments.InternalEnvironment'
       and de.name like '%'
     order by concat(dp.name,concat(' - ',de.name)), ae.sid, ae.mask;

  • get linked repositories and user/group permissions

    select ae.sid user_group_name
         , ae.mask permission
         , vl.name repo_name
         , ae.type access_type
      from acl_entry ae
      join acl_object_identity aoi on ae.acl_object_identity = aoi.id
      join vcs_location vl on aoi.object_id_identity = vl.vcs_location_id
     where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
       and aoi.object_id_class = 'com.atlassian.bamboo.repository.RepositoryDataEntityImpl'
       and vl.name like '%'
     order by vl.name, ae.sid, ae.mask;
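
The numeric masks returned by these queries are hard to review by eye. The following is an added example, not part of the original article or of Bamboo: a Python helper that decodes exported rows with the mask table above and lists grants to logged-in or anonymous users (GRANTED_AUTHORITY) that go beyond read-only. The row layout (object_id_class added to the select list), the READ_ONLY set and the sample rows are assumptions; masks are decoded bit by bit so that a single value and a sum of values are both handled.

```python
from collections import defaultdict
P = "com.atlassian.bamboo."
PLAN = {1: "View", 2: "Edit", 16: "Admin", 64: "Build", 128: "Clone"}
# Mask values per object_id_class, copied from the table on this page.
MASKS = {
    P + "security.GlobalApplicationSecureObject":
        {1: "Access", 4: "Create", 16: "Admin", 1024: "Create repository"},
    P + "project.DefaultProject":
        {4: "Create plan", 16: "Admin", 1024: "Create repository"},
    P + "project.ProjectPlanPermissions": {**PLAN, 2048: "View Configuration"},
    P + "chains.DefaultChain": PLAN,
    P + "deployments.projects.InternalDeploymentProject": {1: "View", 2: "Edit"},
    P + "deployments.environments.InternalEnvironment":
        {1: "View", 2: "Edit", 64: "Deploy"},
    P + "repository.RepositoryDataEntityImpl": {1: "Use", 16: "Admin"},
}
READ_ONLY = {"Access", "View", "Use"}  # assumed acceptable for broad grants

def decode(object_class, mask):
    """Names for every bit set in mask; unmapped bits become 'unknown(n)'."""
    known, names, bit = MASKS.get(object_class, {}), [], 1
    while bit <= mask:
        if mask & bit:
            names.append(known.get(bit, f"unknown({bit})"))
        bit <<= 1
    return names

def audit(rows):
    """rows: (object_id_class, object_name, sid, type, mask) tuples."""
    grants = defaultdict(set)
    for cls, obj, sid, typ, mask in rows:
        grants[(obj, typ, sid)].update(decode(cls, mask))
    # Flag ROLE_USER / ROLE_ANONYMOUS grants that go beyond read-only.
    findings = sorted((obj, sid, sorted(perms - READ_ONLY))
                      for (obj, typ, sid), perms in grants.items()
                      if typ == "GRANTED_AUTHORITY" and perms - READ_ONLY)
    return dict(grants), findings

# Constructed sample rows (not from a real instance).
CHAIN, ENV = P + "chains.DefaultChain", P + "deployments.environments.InternalEnvironment"
SAMPLE = [
    (CHAIN, "PROJ-BUILD", "bamboo-admin", "GROUP_PRINCIPAL", 3),
    (CHAIN, "PROJ-BUILD", "ROLE_ANONYMOUS", "GRANTED_AUTHORITY", 1),
    (CHAIN, "PROJ-BUILD", "ROLE_USER", "GRANTED_AUTHORITY", 1),
    (CHAIN, "PROJ-BUILD", "ROLE_USER", "GRANTED_AUTHORITY", 64),
    (ENV, "App - Prod", "ROLE_USER", "GRANTED_AUTHORITY", 64),
]
if __name__ == "__main__":
    print(*audit(SAMPLE)[1], sep="\n")
```

An `unknown(n)` entry in the output means the row carries a mask value that the table on this page does not list for that object class.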



Last modified on Mar 7, 2023
