User management REST API changes in JIRA Cloud

On  , a number of user management REST APIs were either modified or removed from JIRA Cloud. We've prepared this knowledge base article as a reference for customers who may have relied on these APIs for user management situations.

Why?

The rollout of Atlassian account for JIRA and Confluence Cloud transfers the management of individual user accounts from a customer's JIRA or Confluence instance to Atlassian account, a globally unique user account that can be used to access all Atlassian Cloud products (JIRA, Confluence, HipChat and Bitbucket). Any user account changes permitted through JIRA REST APIs have the potential to modify user accounts being used by another product, and pose a security risk for users of multiple Atlassian Cloud products.

Which APIs remain unchanged?

The following APIs will continue to operate normally and are not affected by this change.

| Description | HTTP Request Type | Endpoint |
|---|---|---|
| Create group | POST | /api/2/group |
| Add user to group | POST | /api/2/group/user |
| Delete group | DELETE | /api/2/group |
| Remove user from group | DELETE | /api/2/group/user |
| Login | POST | /api/auth/1/session |
| Logout | DELETE | /api/auth/1/session |

Which APIs were modified?

The behavior of the following APIs will be modified, while their signatures will remain the same. This is due to user accounts being managed in Atlassian account, and not within the tenant itself. Behavior that adds/removes users from groups will be maintained; however, actions that perform direct user operations will be ignored (e.g. creating/deleting users, specifying/modifying passwords), as these are Atlassian account-related actions.

Create user: POST /api/2/user
  • The user will be added to the requested site, assuming permission and license checks have been satisfied
    • If a user with the specified email address already exists in Atlassian account, that account's information is used, and information sent in the API request (e.g. display name) is discarded
    • If no user with the specified email address exists in Atlassian account, a new Atlassian account will be created using the specified email and display name details
  • Passwords included in the request payload will always be ignored

Remove user: DELETE /api/2/user
  • Removing a user "unlinks" it from the site being accessed, and does not remove the associated Atlassian account

Update user: PUT /api/2/user
  • This request can only modify the "active status" of the user
  • Passwords included in the request payload will always be ignored

Which APIs were removed?

The following JIRA REST APIs have been removed. These APIs create, modify or delete user attributes and passwords, which are no longer managed by the JIRA tenant with the rollout of Atlassian account and SSO. 

| Description | HTTP Request Type | Endpoint |
|---|---|---|
| Add user to application | POST | /api/2/user/application |
| Remove user from application | DELETE | /api/2/user/application |
| Change user password | PUT | /api/2/user/password |
| Update myself | PUT | /api/2/myself |
| Change my password | PUT | /api/2/myself/password |
| Get password policy | GET | /api/2/password/policy |
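To find automation that still depends on the old behavior, recorded REST calls can be checked against the three endpoint lists above. The following Python sketch is an added example, not Atlassian code; the function name `audit_call`, the host `jira.example`, the JSON field names `password` and `active`, and the handling of a path prefix before `/api/` are assumptions.

```python
import json
from urllib.parse import urlsplit

# (method, endpoint) pairs transcribed from the three tables in this article.
UNCHANGED = {("POST", "/api/2/group"), ("POST", "/api/2/group/user"),
             ("DELETE", "/api/2/group"), ("DELETE", "/api/2/group/user"),
             ("POST", "/api/auth/1/session"), ("DELETE", "/api/auth/1/session")}
MODIFIED = {(m, "/api/2/user") for m in ("POST", "DELETE", "PUT")}
REMOVED = {("POST", "/api/2/user/application"),
           ("DELETE", "/api/2/user/application"),
           ("PUT", "/api/2/user/password"), ("PUT", "/api/2/myself"),
           ("PUT", "/api/2/myself/password"), ("GET", "/api/2/password/policy")}


def audit_call(method, url, body=""):
    """Classify one recorded call; return (status, list of findings)."""
    method = method.upper()
    path = urlsplit(url).path.rstrip("/")
    # Assumption: a deployment may put a prefix before the listed endpoint,
    # so compare from the first "/api/" segment onward.
    start = path.find("/api/")
    key = (method, path[start:] if start >= 0 else path)
    if key in REMOVED:
        return "removed", ["endpoint was removed; retire or replace this call"]
    if key not in MODIFIED:
        return ("unchanged" if key in UNCHANGED else "not-listed"), []
    if method == "DELETE":
        return "modified", ["unlinks user from site; Atlassian account remains"]
    findings = []
    try:
        fields = json.loads(body or "{}")
    except ValueError:
        fields = None
    if not isinstance(fields, dict):
        return "modified", ["payload is not a JSON object; inspect by hand"]
    # Assumption: the JSON field names are "password" and "active".
    if "password" in fields:
        findings.append("password in payload is ignored")
    other = sorted(set(fields) - {"active", "password"})
    if method == "PUT" and other:
        findings.append("only active status can change; also sent: " + ", ".join(other))
    return "modified", findings


if __name__ == "__main__":
    # Constructed sample call, not taken from any real log.
    print(audit_call("put", "https://jira.example/rest/api/2/user?username=a",
                     '{"active": false, "password": "x", "displayName": "A"}'))
```

A `not-listed` result means only that the call does not appear in this article's tables.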

FAQ

What is Atlassian account?

Atlassian account is the single user account for logging into Atlassian Cloud products, as well as our Help, Knowledge and Billing systems. This is being progressively rolled out to JIRA, Confluence and HipChat, and has been fully rolled out for Bitbucket. 

More details can be found here: Introducing Atlassian account

Why are you making these changes?

Rolling out Atlassian account across all Cloud products allows us to quickly deliver commonly requested user management and account features to all products, such as SAML and two-factor authentication. A single account also simplifies the end-user login experience, particularly for users who access multiple products, across both desktop and native mobile applications. 

What options do I have for managing Atlassian accounts themselves via API?

Atlassian accounts cannot be managed via public APIs today. We are currently evaluating how best to expose these capabilities in a secure manner that best meets our customers' use cases.
