Jira Service Management

The BeyondTrust Password Safe enterprise integration with Jira provides organizations the ability to seamlessly request and approve access to managed systems and accounts without having to change user interfaces while adhering to your company’s incident and change management processes.

A Jira user can request to check out credentials or sessions for privileged accounts managed by Password Safe, using any of the Jira service project workflows. The user only gains access to the asset and the privileged account that was requested and approved. Once approved, the user can initiate an RDP or SSH session from Jira using their native connectivity tools, such as Remote Desktop Connection or SSH, or using the managed account password.

Key Features

  • Validate ticket before access.
  • Audit who approved the request, and for which privileged account and asset.
  • Request to check out credentials or sessions for privileged accounts managed by Password Safe.
  • Opening a session checks approval status before allowing privileged user access.
  • Simple installation and configuration.

Requirements

All integration requirements must be in place prior to starting the integration setup process unless the associated features of the integration are not required.

  • A Jira instance with:
    • Currently supported versions of Jira Service Management.
    • Administrative access to the Jira portal.
    • Asset field on the issue form. This can be a custom text field or one linked to an asset object. This field is provided by the Assets feature, which must be enabled in your Jira Premium / Enterprise instance.
    • Jira Assets feature information:
  • A BeyondTrustPS Cloud instance or BeyondInsight appliance with:
    • Version 22.2 or later release.
    • Administrative access to the Password Safe console.
  • Network:
    • Your Jira instance must be able to connect to Password Safe. Communication is in the form of secure HTTP traffic on TCP port 443.

Configure Password Safe

The following items must be configured in Password Safe to use the integration:

Create API registration

Jira requires an API registration in Password Safe so that it can call the Password Safe API when the application queues requests.

To register a new API:

  1. From the left sidebar in BeyondInsight, click Configuration.
  2. Under General, click API Registrations.
  3. Click + Create API Registration.
  4. Select + API Key Policy from the dropdown.
  5. Enter a name.
  6. Click Add Authentication Rule +.
  7. Add the IP address of your Jira instance as an IP authentication rule. Make note of the API key. It is required for the integration configuration in Jira.

Assign API Registration to Group

The API registration must be assigned to a group that contains any Password Safe user that requests access. Creating a new API group is optional because you are using user credentials instead of a generic service account. For example, the API can be registered to the Requestors group.

To assign the API to the Requestors group:

  1. From the left sidebar, click Configuration.

  2. Under Role Based Access, click User Management.

  3. In the list of groups, select the one you previously set up.

  4. Click the vertical ellipsis to the right of the group and select View Group Details.

  5. Under Group Details, select API Registrations.

  6. Assign the registered API to the group.

  7. Managed accounts that display in Jira require API access:

    • From the left sidebar, click Managed Accounts.
    • Click the vertical ellipsis to the right of the account.
    • Select Edit Account.
    • Under Account Settings, toggle API Enabled to yes.
    • Repeat these steps for any managed account you want to use with the integration.

    ℹ️

    Note

    For more information on setting up a requestor type group, see Create a group and assign roles.

Integration User Accounts

This account is only used to match Jira user accounts to corresponding Password Safe user accounts. This is required because Jira users are identified by their email address while Password Safe users are typically identified by a username or username and domain.

To acquire this information for authentication to the Password Safe API, this integration user account retrieves user information from Password Safe. Jira then uses this information to locate a single matching user account that corresponds with the user currently logged in to Jira. The email address is the primary field against which matches are made. It is recommended that all Password Safe users who leverage the integration have a value in this field that matches the email address they use to log into Jira.

ℹ️

Note

To ensure a secure configuration, this account should not be granted any permissions to managed systems or managed accounts.

Create integration users

  1. From the left sidebar in BeyondInsight, click Configuration.
  2. Under Role Based Access, click User Management.
    The User Management page displays.
  3. Select the Users tab.
  4. Click + Create New User.
  5. Select Create a New User from the dropdown.
  6. Give the user an obvious name, such as jira_user, and provide values in all required fields.
  7. Click Create User.
  8. Select the Groups tab.
  9. Click + Create New Group.
  10. Select Create a New Group.
  11. Give the group an obvious name, such as jira_integration, and a description.
  12. Click Create Group.
    The Group Details page displays.
  13. Under Group Details, select Features.
  14. In the Features pane, select All Features from the Show dropdown.
  15. Scroll down to User Accounts Management and click the vertical ellipsis to the right of the feature.
  16. Select + Assign Permissions Read Only.
  17. In the Group Details pane, select Users.
  18. In the Users pane, select Users not assigned from the Show dropdown.
  19. Select the user created above and then click Assign User.
  20. In the Group Details pane, select API Registrations.
  21. Check the box next to the API registration created in the previous section.

Install integration app from Atlassian Marketplace

The application is available from the Atlassian Marketplace as BeyondTrust Password Safe Integration for Jira. All purchases are processed through Atlassian, and a free trial is also available if you'd like to give it a test drive first.

ℹ️

Note

For more information, see Installing Marketplace apps.

Users and Role Assignment in Jira

There are two types of users in Jira:

  1. Jira login user: Jira users don't have usernames, only email addresses. The app looks up the user's Password Safe username based on the Jira login email address.
    • For example, user ltao must exist in both Jira and Password Safe, and it must have a corresponding email address in Password Safe.
  2. Password Safe API run as user: This user does not have to exist in Jira. However, its name must be set up (api_user) in the Jira configuration page. This user can be the login user or another user, as long as it has the required permissions.
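
The email-based lookup described under Integration User Accounts and in the list above only works when each Jira login email resolves to exactly one Password Safe account. The following is an added example, not BeyondTrust's code, that audits a user list for missing, duplicate, or empty email values before rollout; the record field names and all sample data are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. The field names (UserName, DomainName, EmailAddress)
# are assumptions for this example, not a documented Password Safe export format.
PASSWORD_SAFE_USERS = [
    {"UserName": "ltao", "DomainName": "corp", "EmailAddress": "LTao@example.com"},
    {"UserName": "ltao-admin", "DomainName": "corp", "EmailAddress": "ltao@example.com "},
    {"UserName": "mreyes", "DomainName": "corp", "EmailAddress": "mreyes@example.com"},
    {"UserName": "svc_backup", "DomainName": None, "EmailAddress": ""},
]
JIRA_LOGIN_EMAILS = ["ltao@example.com", "mreyes@example.com", "jdoe@example.com"]


def normalize(email):
    """Trim and lowercase: this audit's own choice, so near-duplicates surface."""
    return (email or "").strip().lower()


def index_by_email(ps_users):
    """Map normalized email -> list of Password Safe account names."""
    index = defaultdict(list)
    for user in ps_users:
        key = normalize(user.get("EmailAddress"))
        if key:
            domain, name = user.get("DomainName"), user["UserName"]
            index[key].append(f"{domain}\\{name}" if domain else name)
    return index


def audit_mapping(jira_emails, ps_users):
    """Classify each Jira login email as matched, ambiguous, or unmatched."""
    index = index_by_email(ps_users)
    report = {"matched": {}, "ambiguous": {}, "unmatched": []}
    for email in jira_emails:
        hits = index.get(normalize(email), [])
        if len(hits) == 1:
            report["matched"][email] = hits[0]
        elif hits:
            report["ambiguous"][email] = sorted(hits)  # no single matching account
        else:
            report["unmatched"].append(email)
    # Accounts with no email value can never be resolved from a Jira login.
    report["no_email"] = [u["UserName"] for u in ps_users
                          if not normalize(u.get("EmailAddress"))]
    return report


if __name__ == "__main__":
    print(audit_mapping(JIRA_LOGIN_EMAILS, PASSWORD_SAFE_USERS))
```

Entries reported as ambiguous or unmatched are the ones to correct in the Password Safe email field before enabling the integration for those users.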

Configure the Password Safe application in Atlassian

  1. Authenticate to your Atlassian environment as an administrator.
  2. Go to Apps > Manage apps.
  3. In the left menu, click the BeyondTrust Password Safe app.
  4. Toggle the Enable Integration button to yes.
  5. Under General Settings provide the Host Name and API registration key, which were created in the previous section, in the appropriate fields.
  6. Toggle Enable Start a Session and Enable View Managed Account to yes if you plan to use those features.
  7. Enter the appropriate value for Asset Field Name, API User, and Release Duration.
  8. Click Save to save the configuration.
    The app automatically checks whether the configuration is valid upon saving and displays its status.

Test the integration

  1. In Jira, log in as a user to request a session or view a managed account password.
  2. Create a new service request.
  3. Expand More fields, and then click the dropdown list and select the asset to link the case with.
  4. Expand details to make sure the case is assigned to you.
  5. Click Actions(…) and then select BeyondTrust Password Safe View Managed Account.
  6. Test a session:
    1. Click BeyondTrust Password Safe Start Session.
    2. Select the type of session and privileged account.
    3. For an SSH session, select the link to use with your SSH tool.
    4. For an RDP session, download the session file to start an RDP session.
  7. Check out a password for a managed account:
    1. Click Actions(…) and BeyondTrust Password Safe View Managed Account. If you have a managed account, copy its password to the clipboard.
