How to find Bamboo Permissions through REST API and SQL Queries
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
This article provides REST API calls and database queries to assist with a Bamboo permission audit.
Environment
All supported versions of Bamboo.
Solution
REST API
Global Permission
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/global/groups
Project Permission
Get projects
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/project
Get user permissions for a project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/users
Get group permissions for a project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/groups
Plan Permission
Get plans
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/plan
Get user permissions for a plan
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/users
Get group permissions for a plan
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/groups
Deployment Project
Get deployment projects
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/deploy/project/all
Get user permissions for a deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/users
Get group permissions for a deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/groups
Deployment Environment
Get deployment environments from a deployment project
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/deploy/project/{deploymentProjectId}
Get user permissions for a deployment environment
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/users
Get group permissions for a deployment environment
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/groups
Linked Repository
Get user permissions for a linked repository
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/users
Get group permissions for a linked repository
curl -k -u admin:admin \
-H 'Accept: application/json' \
-X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/groups
Database
Meaning of permission
The acl_object_identity.object_id_class identifies the type of object the permission is granted on, and acl_entry.mask holds the permission value:
acl_object_identity.object_id_class | permission on | acl_entry.mask |
---|---|---|
com.atlassian.bamboo.security.GlobalApplicationSecureObject | Global | (1) Access, (4) Create, (1024) Create repository, (16) Admin |
com.atlassian.bamboo.project.DefaultProject | Project | (4) Create plan, (16) Admin, (1024) Create repository [Data Center only] |
com.atlassian.bamboo.project.ProjectPlanPermissions | Plan Inheritance | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin, (2048) View Configuration [Data Center only] |
com.atlassian.bamboo.chains.DefaultChain | Plan | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
com.atlassian.bamboo.deployments.projects.InternalDeploymentProject | Deployment Project | (1) View, (2) Edit |
com.atlassian.bamboo.deployments.environments.InternalEnvironment | Deployment Environment | (1) View, (2) Edit, (64) Deploy |
com.atlassian.bamboo.repository.RepositoryDataEntityImpl | Linked Repositories | (1) Use, (16) Admin |
The acl_entry.type describes the type of principal the permission is granted to:
acl_entry.type | permission to |
---|---|
PRINCIPAL | Users |
GROUP_PRINCIPAL | Groups |
GRANTED_AUTHORITY | Logged in users |
GRANTED_AUTHORITY | Anonymous users |
The acl_entry.sid identifies to whom the permission was granted:
acl_entry.type | acl_entry.sid |
---|---|
PRINCIPAL | username, e.g. admin |
GROUP_PRINCIPAL | groupname, e.g. bamboo-admin |
GRANTED_AUTHORITY | ROLE_USER |
GRANTED_AUTHORITY | ROLE_ANONYMOUS |
SQL Queries
The queries below have been tested in PostgreSQL.
-- Global permissions
select ae.sid user_group_name
, ae.type access_type
, ae.mask permission
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
order by ae.sid, ae.mask;
-- Project permissions
select p.project_key
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join project p on aoi.object_id_identity = p.project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
and aoi.object_id_class = 'com.atlassian.bamboo.project.DefaultProject'
and p.project_key like '%'
order by p.project_key, ae.sid, ae.mask;
-- Plan permissions inherited from the project (Plan Inheritance)
select p.project_key
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join project p on aoi.object_id_identity = p.project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.project.ProjectPlanPermissions'
and p.project_key like '%'
order by p.project_key, ae.sid, ae.mask;
-- Plan permissions
select b.full_key planKey
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join build b on aoi.object_id_identity = b.build_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.chains.DefaultChain'
and b.full_key like '%'
order by b.full_key, ae.sid, ae.mask;
-- Deployment project permissions
select dp.name deploy_proj
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join deployment_project dp on aoi.object_id_identity = dp.deployment_project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
and aoi.object_id_class = 'com.atlassian.bamboo.deployments.projects.InternalDeploymentProject'
and dp.name like '%'
order by dp.name, ae.sid, ae.mask;
-- Deployment environment permissions
select concat(dp.name,concat(' - ',de.name)) deploy_env
, ae.sid user_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join deployment_environment de on aoi.object_id_identity = de.environment_id
join deployment_project dp on de.package_definition_id = dp.deployment_project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.deployments.environments.InternalEnvironment'
and de.name like '%'
order by concat(dp.name,concat(' - ',de.name)), ae.sid, ae.mask;
-- Linked repository permissions
select ae.sid user_group_name
, ae.mask permission
, vl.name repo_name
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join vcs_location vl on aoi.object_id_identity = vl.vcs_location_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.repository.RepositoryDataEntityImpl'
and vl.name like '%'
order by vl.name, ae.sid, ae.mask;
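The queries return raw acl_entry.mask numbers, so an audit still has to map them back to the "Meaning of permission" table. The following is an added example, not part of the original article or of Bamboo: it decodes exported rows and flags grants to review first. It assumes the rows were exported with aoi.object_id_class added to the select list; the review policy (anonymous grants, Admin granted directly to a user) and the sample rows are constructed for illustration, and the bitwise test is an assumption that covers both single-value and combined masks.

```python
# Added example: decode rows exported from the article's SQL queries.
# Mask names are copied from the article's "Meaning of permission" table.
P = "com.atlassian.bamboo."
MASKS = {
    P + "security.GlobalApplicationSecureObject":
        ("Global", {1: "Access", 4: "Create", 16: "Admin", 1024: "Create repository"}),
    P + "project.DefaultProject":
        ("Project", {4: "Create plan", 16: "Admin", 1024: "Create repository"}),
    P + "project.ProjectPlanPermissions":
        ("Plan Inheritance", {1: "View", 2: "Edit", 16: "Admin", 64: "Build",
                              128: "Clone", 2048: "View Configuration"}),
    P + "chains.DefaultChain":
        ("Plan", {1: "View", 2: "Edit", 16: "Admin", 64: "Build", 128: "Clone"}),
    P + "deployments.projects.InternalDeploymentProject":
        ("Deployment Project", {1: "View", 2: "Edit"}),
    P + "deployments.environments.InternalEnvironment":
        ("Deployment Environment", {1: "View", 2: "Edit", 64: "Deploy"}),
    P + "repository.RepositoryDataEntityImpl":
        ("Linked Repositories", {1: "Use", 16: "Admin"}),
}

def decode(object_id_class, mask):
    """Return (scope, [permission names]) for one acl_entry row."""
    scope, names = MASKS.get(object_id_class, ("Unknown", {}))
    found = [name for bit, name in sorted(names.items()) if mask & bit]
    leftover = mask & ~sum(names)  # bits the table does not document
    if leftover:
        found.append(f"unknown({leftover})")
    return scope, found

def review(rows):
    """Flag grants worth checking first (assumed policy, not from the article)."""
    findings = []
    for cls, sid, typ, mask in rows:
        scope, perms = decode(cls, mask)
        if sid == "ROLE_ANONYMOUS":
            findings.append((scope, sid, perms, "anonymous access"))
        elif "Admin" in perms and typ == "PRINCIPAL":
            findings.append((scope, sid, perms, "admin granted to a user directly"))
    return findings

# Constructed sample rows: (object_id_class, sid, type, mask)
SAMPLE = [
    (P + "chains.DefaultChain", "ROLE_ANONYMOUS", "GRANTED_AUTHORITY", 1),
    (P + "security.GlobalApplicationSecureObject", "bamboo-admin", "GROUP_PRINCIPAL", 16),
    (P + "project.DefaultProject", "jdoe", "PRINCIPAL", 16),
    (P + "deployments.environments.InternalEnvironment", "deployers", "GROUP_PRINCIPAL", 66),
]
FINDINGS = review(SAMPLE)
```

A mask value that the table does not list for the object class is reported as unknown(N) instead of being dropped, so unexpected rows stay visible in the audit output.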