From 1b6e1222655ac3dc02317c656dccb09b57f80aac Mon Sep 17 00:00:00 2001 From: waleed Date: Fri, 12 Jun 2026 12:46:56 -0700 Subject: [PATCH 1/2] fix(jira): add classic JSM scopes to close granular scope-set gap --- .../en/integrations/atlassian-service-account.mdx | 13 ++++++++++++- apps/sim/connectors/jsm/jsm.ts | 6 ++++++ apps/sim/lib/oauth/oauth.ts | 8 +++++++- apps/sim/lib/oauth/utils.ts | 3 +++ 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx b/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx index 313fd5ceaf2..5240d1cce38 100644 --- a/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx +++ b/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx @@ -64,13 +64,20 @@ The service account inherits permissions from the project/space roles you grant Select the scopes the token needs. The minimum set Sim's Jira and Confluence blocks expect is: - **Jira (granular):** + **Jira (classic):** ``` read:jira-user read:jira-work write:jira-work ``` + **Jira Service Management (classic):** + ``` + read:servicedesk-request + write:servicedesk-request + manage:servicedesk-customer + ``` + **Confluence (granular):** ``` read:confluence-content.all 
@@ -82,6 +89,10 @@ The service account inherits permissions from the project/space roles you grant Add more scopes only if you need the corresponding operations (delete, manage webhooks, etc.). The full list of scopes Sim's blocks may use is documented in [Atlassian's developer reference](https://developer.atlassian.com/cloud/jira/platform/scopes-for-oauth-2-3LO-and-forge-apps/). + + Prefer the classic scopes above over granular equivalents. Atlassian enforces an endpoint's granular scope list as all-or-nothing, so a token built from a partial granular set fails with `Unauthorized; scope does not match` even though each individual scope was granted. The classic scopes each cover their product's endpoints on their own. + +
= { 'read:me', 'offline_access', 'read:issue.vote:jira', + 'read:user:jira', 'delete:issue:jira', 'delete:comment:jira', 'delete:attachment:jira', 'delete:issue-worklog:jira', 'delete:issue-link:jira', - // Jira Service Management scopes + // Jira Service Management scopes. The classic scopes are required: Atlassian + // enforces an endpoint's granular scope set as all-of, and several JSM request + // endpoints include scopes outside this list in their granular sets. + 'read:servicedesk-request', + 'write:servicedesk-request', + 'manage:servicedesk-customer', 'read:servicedesk:jira-service-management', 'read:requesttype:jira-service-management', 'read:request:jira-service-management', diff --git a/apps/sim/lib/oauth/utils.ts b/apps/sim/lib/oauth/utils.ts index dfa959acac7..fbb475cfe51 100644 --- a/apps/sim/lib/oauth/utils.ts +++ b/apps/sim/lib/oauth/utils.ts @@ -168,6 +168,9 @@ export const SCOPE_DESCRIPTIONS: Record = { 'delete:issue-link:jira': 'Delete links between Jira issues', // Jira Service Management scopes + 'read:servicedesk-request': 'View service desk requests', + 'write:servicedesk-request': 'Create and update service desk requests', + 'manage:servicedesk-customer': 'Manage service desk customers and organizations', 'read:servicedesk:jira-service-management': 'View service desks and their settings', 'read:requesttype:jira-service-management': 'View request types available in service desks', 'read:request:jira-service-management': 'View customer requests in service desks', From d318ab8c4854948d0ca5c3346153ef43d707e6e9 Mon Sep 17 00:00:00 2001 From: waleed Date: Fri, 12 Jun 2026 13:39:50 -0700 Subject: [PATCH 2/2] fix(jira): note read:user:jira requirement for granular-only tokens in docs --- .../content/docs/en/integrations/atlassian-service-account.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
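Review bot: The three descriptions added to `SCOPE_DESCRIPTIONS` in utils.ts read narrower than the classic scopes they label, and this map looks like the text a user sees when deciding whether to grant access. Classic JSM scopes are coarse: as I read Atlassian's scope reference, `read:servicedesk-request` also covers comments, attachments, approvals and request types, and `write:servicedesk-request` also covers approving and transitioning requests. Wording closer to the real grant would be `'read:servicedesk-request': 'View service desk requests, including comments, attachments, approvals and request types',` and `'write:servicedesk-request': 'Create, update, approve and transition service desk requests',`. If `manage:servicedesk-customer` also allows deleting customers and organizations, its description should say so. The scope list in oauth.ts, whose hunk begins outside what is visible here, keeps the granular JSM scopes alongside the new classic ones. A comment there such as `// TODO: drop the granular JSM scopes once no connector call depends on them` would keep that superset from becoming permanent on every issued token.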
diff --git a/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx b/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx index 5240d1cce38..de38fe8a69a 100644 --- a/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx +++ b/apps/docs/content/docs/en/integrations/atlassian-service-account.mdx @@ -90,7 +90,7 @@ The service account inherits permissions from the project/space roles you grant Add more scopes only if you need the corresponding operations (delete, manage webhooks, etc.). The full list of scopes Sim's blocks may use is documented in [Atlassian's developer reference](https://developer.atlassian.com/cloud/jira/platform/scopes-for-oauth-2-3LO-and-forge-apps/). - Prefer the classic scopes above over granular equivalents. Atlassian enforces an endpoint's granular scope list as all-or-nothing, so a token built from a partial granular set fails with `Unauthorized; scope does not match` even though each individual scope was granted. The classic scopes each cover their product's endpoints on their own. + Prefer the classic scopes above over granular equivalents. Atlassian enforces an endpoint's granular scope list as all-or-nothing, so a token built from a partial granular set fails with `Unauthorized; scope does not match` even though each individual scope was granted. The classic scopes each cover their product's endpoints on their own. If your organization only permits granular scopes, include every scope listed for each endpoint in Atlassian's reference — Jira Service Management request operations also require `read:user:jira`.