Configure Integration Between Oracle Access Governance and Atlassian Jira

Prerequisites

Before you install and configure a Atlassian Jira Orchestrated System, you should consider the following prerequisites and tasks.

Certification

Check that your Atlassian Jira system is certified with Oracle Access Governance by referring to Components Certified for Integration with Oracle Access Governance for details of the versions supported.

Create a Service User

You should create a service user to use when connecting to the target Atlassian Jira system. This user should have the following minimum recommended privileges to allow for integration.
  • org-admins
  • jira-users-<organization>
  • jira-servicemanagement-users-<organization>
  • confluence-users-<organization>
  • confluence-user-access-admins-<organization>
  • confluence-admins-<organization>

Create an API Key

Use this task when configuring the experimental API configuration to fetch organization ID and API key.

To create API key:

  1. Sign in to admin.atlassian.com.
  2. On the left panel, select your organization if you have more than one.
  3. Select Organization settings and then API keys.
  4. Select Create API key.
  5. Select one of the following:
    • Select API keys without scopes: To access all APIs
    • Select API keys with scopes: To access specific actions in your organization using APIs
  6. In the Name field, enter API key name.
  7. Select the Expiration date for the API key. Keys can last no longer than a year.
  8. Select Create to save the API key.
  9. Copy and save your API key and organization ID. You'll require this to configure experimental APIs in Oracle Access Governance.

Run Get Directories in an Organization API

Use this API to get directories in an organization

For a given organization, retrieve all the available user directories

  1. Run the API: {host}/{basepath}/v2/orgs/{orgId}/directories while substituting the values in the variables.
  2. From the response, choose and copy directoryId. You'll need the directoryId while configuring experimental APIs

Configure

You can establish a connection between Atlassian Jira and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

The Orchestrated Systems page of the Oracle Access Governance Console is where you start configuration of your orchestrated system.

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon Navigation menu, select Service Administration → Orchestrated Systems.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of system you would like to integrate with Oracle Access Governance.

You can search for the required system by name using the Search field.

  1. Select Atlassian Jira.
  2. Click Next.

Add details

Add details such as name, description, and configuration mode.

On the Add Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the Name field.
  2. Enter a description for the system in the Description field.
  3. Click Next.

Add Owners

Add primary and additional owners to your orchestrated system to allow them to manage resources.

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.

Note:

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
To add owners:
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Account settings

Outline details of how to manage account settings when setting up your orchestrated system including notification settings, and default actions when an identity moves or leaves your organization.

On the Account settings step of the workflow, enter details of how you would like to manage accounts with Oracle Access Governance when configured as a managed system:
  1. Select to allow Oracle Access Governance to create new accounts when a permission is requested, if the account does not already exist. By default this option is selected meaning that an account will be created if it does not exist, when a permission is requested. If the option is unselected then permissions can only be provisioned where the account already exists in the orchestrated system. If permission is requested where no user exists then the provisioning operation will fail.
  2. Select where and who to send notification emails when an account is created. The default setting is User. You can select one, both, or none of these options. If you select no options then notifications will not be sent when an account is created.
    • User
    • User manager
  3. When an identity leaves your enterprise you should remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
    • Delete: Deletes all accounts and permissions managed by Oracle Access Governance.
    • Disable: Disables all accounts and marks permissions as Inactive for all permissions managed by Oracle Access Governance.
      • Delete the permissions for disabled accounts: To ensure zero residual access, select this to delete directly assigned permissions and policy-granted permissions during account disablement.
    • No action: No action is taken when an identity leaves the organization by Oracle Access Governance.

    Note:

    The options above are only displayed if supported in the orchestrated system type being configured. For example, if Delete is not supported, then you will only see the Disable and No action options.
  4. When all permissions for an account are removed, for example when moving from one department to another, you may need to adjust what accounts the identity has access to. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action

    Note:

    The options above are only displayed if supported in the orchestrated system type being configured. For example, if Delete is not supported, then you will only see the Disable and No action options.
  5. If you want Oracle Access Governance to manage accounts created directly in the orchestrated system you can select the Manage accounts that are not created by Access Governance option. This will reconcile accounts created in the managed system and will allow you to manage them from Oracle Access Governance.

Note:

If you do not configure your system as a managed system then this step in the workflow will display but is not enabled. In this case you proceed directly to the Integration settings step of the workflow.

Note:

If your orchestrated system requires dynamic schema discovery, as with the Generic REST and Database Application Tables integrations, then only the notification email destination can be set (User, Usermanager) when creating the orchestrated system. You cannot set the disable/delete rules for movers and leavers. To do this you need to create the orchestrated system, and then update the account settings as described in Configure Orchestrated System Account Settings.

Integration settings

Enter details of the connection to your Atlassian Jira system.

  1. On the Integration settings step of the workflow, enter the details required to allow Oracle Access Governance to connect to your Atlassian Jira system.

    Table - Integration settings

    Parameter Name Mandatory? Description
    What is the host? Yes The proxy host used to connect to Atlassian Jira, for example jira.atlassian.net.
    What is the port number?   The port number of the proxy host used to connect to Atlassian Jira.
    What is the username?   The username of the user you will use to connect to Atlassian Jira.
    What is the password?   The password of the user you will use to connect to Atlassian Jira.
    Do you want to use the experimental API?   Select to use experimental API to ensure all necessary attributes are reliably retrieved.

    Note:

    See the prerequisites: Create an API Key and Run Get Directories in an Organization API
    What is the URL for the experimental API?   Enter the URL in the given format, and substitute the values:
    https://[experimental_api_host]/admin/[api_version]/orgs/[orgId]/directories/[directoryId]/users

    To fetch organization ID, see Create an API Key and directory ID, see Run Get Directories in an Organization API.

    What are custom authentication headers?   Use the API key and enter in the format:
    access_token={api_token}

    See Create an API Key.

  2. Click Add to create the orchestrated system.

Finish Up

Finish up configuration of your orchestrated system by providing details of whether to perform further customization, or activate and run a data load.

The final step of the workflow is Finish Up.

You are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Post Configuration

There are no post configuration steps associated with the Atlassian Jira system.