How to retrieve Bamboo Data Center permissions through REST API and SQL Queries
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
The steps outlined on this article are provided AS-IS. This means we've had reports of them working for some customers — under certain circumstances — yet are not officially supported, nor can we guarantee they'll work for your specific scenario.
You may follow through and validate them on your own non-prod environments prior to production or fall back to supported alternatives if they don't work out.
We also invite you to reach out to our Community for matters that fall beyond Atlassian's scope of support!
Summary
This article provides useful REST API and Database queries to assist in Bamboo permission audit.
Environment
The solution has been validated in Bamboo 9.2.17 but may be applicable to other versions.
Solution
REST API
Please replace admin:password with your administrator credentials and http://localhost:8085 with your Bamboo URL.
Refer to the linked pages below for more information on the API endpoints. For a list of all API endpoints to retrieve and manage permissions, please refer to the official API documentation:
Global Permissions
Project Permissions
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/project
Get users permissions from project
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/users
Get groups permissions from project
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/project/{projectKey}/groups
Plan Permissions
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/plan
Get users permissions from plan
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/users
Get groups permissions from plan
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/plan/{planKey}/groups
Deployment Projects
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/deploy/project/all
Get users permissions from deployment project
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/users
Get groups permissions from deployment project
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/deployment/{deploymentProjectId}/groups
Deployment Environment
Get deployment environment from deployment project
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/deploy/project/{deploymentProjectId}
Get users permissions from deployment environment
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/users
Get groups permissions from deployment environment
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/environment/{deploymentEnvironmentId}/groups
Linked repositories
- Get linked repositories
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/repository Get users permissions from linked repository
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/users
Get groups permissions from linked repository
curl -k -u admin:password \ -H 'Accept: application/json' \ -X GET http://localhost:8085/rest/api/latest/permissions/repository/{repositoryId}/groups
Database
Meaning of permissions
The acl_object_identity.object_id_class describes the type of permission granted:
acl_object_identity.object_id_class | permission on | acl_entry.mask |
|---|---|---|
com.atlassian.bamboo.security.GlobalApplicationSecureObject | Global | (1) Access, (4) Create, (1024) Create repository, (16) Admin |
com.atlassian.bamboo.project.DefaultProject | Project | (4) Create plan, (16) Admin, (1024) Create repository [Data Center only] |
| com.atlassian.bamboo.project.ProjectPlanPermissions | Plan Inheritance | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin, (2048) View Configuration [Data Center only] |
com.atlassian.bamboo.chains.DefaultChain | Plan | (1) View, (2) Edit, (64) Build, (128) Clone, (16) Admin |
com.atlassian.bamboo.deployments.projects.InternalDeploymentProject | Deployment Project | (1) View, (2) Edit |
com.atlassian.bamboo.deployments.environments.InternalEnvironment | Deployment Environment | (1) View, (2) Edit, (64) Deploy |
com.atlassian.bamboo.repository.RepositoryDataEntityImpl | Linked Repositories | (1) Use, (16) Admin |
The acl_entry.type describes the type of permission granted:
| acl_entry.type | permission to |
|---|---|
| PRINCIPAL | Users |
| GROUP_PRINCIPAL | Groups |
| GRANTED_AUTHORITY | Logged in users |
| GRANTED_AUTHORITY | Anonymous users |
The acl_entry.sid describes to whom permission was granted to:
| acl_entry.type | acl_entry.sid |
|---|---|
| PRINCIPAL | username, e.g: admin |
| GROUP_PRINCIPAL | groupname, e.g. bamboo-admin |
| GRANTED_AUTHORITY | ROLE_USER |
| GRANTED_AUTHORITY | ROLE_ANONYMOUS |
SQL Queries
The queries below have been tested in PostgreSQL. They might need adjustments to work on other DBMSs.
select ae.sid user_group_name
, ae.type access_type
, ae.mask permission
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.security.GlobalApplicationSecureObject'
order by ae.sid, ae.mask;select p.project_key
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join project p on aoi.object_id_identity = p.project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
and aoi.object_id_class = 'com.atlassian.bamboo.project.DefaultProject'
and p.project_key like '%'
order by p.project_key, ae.sid, ae.mask;select p.project_key
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join project p on aoi.object_id_identity = p.project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.project.ProjectPlanPermissions'
and p.project_key like '%'
order by p.project_key, ae.sid, ae.maskselect b.full_key planKey
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join build b on aoi.object_id_identity = b.build_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.chains.DefaultChain'
and b.full_key like '%'
order by b.full_key, ae.sid, ae.mask;select dp.name deploy_proj
, ae.sid user_group_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join deployment_project dp on aoi.object_id_identity = dp.deployment_project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL')
and aoi.object_id_class = 'com.atlassian.bamboo.deployments.projects.InternalDeploymentProject'
and dp.name like '%'
order by dp.name, ae.sid, ae.mask;select concat(dp.name,concat(' - ',de.name)) deploy_env
, ae.sid user_name
, ae.mask permission
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join deployment_environment de on aoi.object_id_identity = de.environment_id
join deployment_project dp on de.package_definition_id = dp.deployment_project_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.deployments.environments.InternalEnvironment'
and de.name like '%'
order by concat(dp.name,concat(' - ',de.name)), ae.sid, ae.mask;select ae.sid user_group_name
, ae.mask permission
, vl.name repo_name
, ae.type access_type
from acl_entry ae
join acl_object_identity aoi on ae.acl_object_identity = aoi.id
join vcs_location vl on aoi.object_id_identity = vl.vcs_location_id
where ae.type in ('PRINCIPAL','GROUP_PRINCIPAL','GRANTED_AUTHORITY')
and aoi.object_id_class = 'com.atlassian.bamboo.repository.RepositoryDataEntityImpl'
and vl.name like '%'
order by vl.name, ae.sid, ae.mask;