Jira Service Management

The BeyondTrust Endpoint Privilege Management for Cloud (EPM) - Jira Service Management integration allows organizations to streamline their Just-In-Time (JIT) access approval workflow. This integration automatically creates Jira tickets when EPM JIT access requests are submitted and enables approvers to make decisions directly from within Jira.

Key Features

Automated Ticket Creation: Automatically creates Jira tickets when JIT Application Access or Admin Access requests are submitted in EPM
Dual Request Type Support: Manages both Application Access requests and Admin Access (privilege elevation) requests
Integrated Approval Workflow: Approve or deny requests directly from Jira using custom action buttons
Real-time Updates: Status updates are synchronized between EPM and Jira
Comprehensive Request Details: All relevant request information is captured in the Jira ticket
Customizable Templates: Configurable webhook templates for different event types
Automatic Ticket Transitions: Optionally configure the integration to automatically transition and resolve tickets after decisions are submitted

Architecture

The integration is implemented as a Forge app written in JavaScript that:

Receives webhook messages from EPM when JIT Application Access or Admin Access tickets are created or updated
Creates corresponding Jira tickets with all relevant request information
Provides a custom user interface within Jira for approving/denying requests
Communicates decisions back to EPM via the management API
Optionally transitions tickets to a configured state and resolution after decisions are processed

Prerequisites

Before installing and configuring the integration, ensure you have:

BeyondTrust EPM instance with administrative access
Jira Service Management or Jira Software with appropriate permissions
Project Administrator rights in Jira to create custom fields and configure projects
EPM API credentials with JIT access permissions

Installation Steps

Step 1: Install the Jira App

Navigate to your Jira instance
Go to Apps → Find new apps
Search for "BeyondTrust Privilege Management"
Click Install and follow the prompts

Step 2: Create Required Custom Field in Jira

Follow the instructions to Add a new custom field
Configure the field with the following values:
- Name: beyondTrustEpmJitRequestSystemId
- Description: BeyondTrust PMC JIT Request System ID
- Field Type: Simple text
Associate the field with appropriate screens and projects
Note the Field ID for later configuration

Configuration

EPM Web Configuration

1. Configure Webhook Settings

Navigate to: EPM → Configuration → Webhook Settings
Click Create Webhook
Configure the following settings:
- Name: Jira - App Access - Create (this is just an example; the name can be any value)
- URL: [Available in the Webhook Settings section of the Jira app's configuration page]
- Event: JIT Application Access Ticket Created
- Content Type: application/json
- Template: Use the Create Template (see templates section below)
- Authentication Type: Basic
- Authentication Username: [Create a dedicated webhook user]
- Authentication Password: [Create a secure password]
- Enable Webhook: ✅ Check to enable

Repeat the steps above to create a second webhook. Use the same settings except for the Name, Event, and Template:

Name: Jira - App Access - Update (this is just an example; the name can be any value)
Event: JIT Application Access Decision Updated
Template: Use the Update Template (see templates section below)

Repeat the steps above to create a third webhook for Admin Access. Use the same settings except for the Name, Event, and Template:

Name: Jira - Admin Access - Create (this is just an example; the name can be any value)
Event: JIT Admin Ticket Created
Template: Use the Admin Create Template (see templates section below)

Repeat the steps above to create a fourth webhook for Admin Access. Use the same settings except for the Name, Event, and Template:

Name: Jira - Admin Access - Update (this is just an example; the name can be any value)
Event: JIT Admin Decision Updated
Template: Use the Admin Update Template (see templates section below)

📘
You can enable one or both integration types depending on your requirements. If you only enable Application Access or only Admin Access in the JIT Access Settings, you will only need to create two webhooks instead of four.

2. Configure JIT Access Settings

Enable the JIT access integrations that you want to use with Jira Service Management.

Navigate to: EPM → Configuration → JIT Access Settings
Configure the following under Application Access:
- ✅ Enable JIT Application Access Integration
- Choose an Integration: Select EPM
- Click Save Changes
Configure the following under Admin Access:
- ✅ Enable JIT Admin Access Integration
- Click Save Changes

ℹ️
You can enable one or both integration types depending on your requirements. If you only enable one type, you will only need to create two webhooks (create and update) instead of four.

3. Configure API Settings

Navigate to: EPM → Configuration → API Settings
Create a new API Account with the following permissions:
- Audit: Read Only
- Reporting: Read Only

Jira App Configuration

Access the app configuration through: Apps → Manage Apps → BeyondTrust Privilege Management

Required Settings

Setting	Description	Example
Enable Integration	Master switch to enable/disable integration	`true`
Service Hostname	EPM services hostname	`pmc-services.yourcompany.com`
Client ID	EPM API client ID with JIT access	`pmc-api-account-client-id`
Client Secret	EPM API client secret	`[pmc-api-account-client-secret]`
Basic Auth Username	Username for webhook authentication	`pmc-webhook-user`
Basic Auth Password	Password for webhook authentication	`[secure-password]`
Project Key	Jira project where tickets will be created	`PMCJIT` (example only)
Issue Type Name	Type of issue to create	`Access Request`
Issue Default Summary	Default summary template	`EPM JIT Application Access Request - %%User%%`
Enable Automatic Reporter	Set reporter based on app launcher	`true` (if desired)
Assignee Name	Default assignee for tickets	`John Doe`
Custom Field ID	ID of the custom field created earlier	`customfield_10001`

Optional Settings

Auto-Transition Configuration

The app can automatically transition and resolve tickets after a decision has been submitted. This feature is optional and works on a best-effort basis with standard Jira workflows.

Setting	Description	Example
Enable Auto-Transition	Toggle to enable automatic ticket transitions after decisions are submitted	true
State	The target state to transition the ticket into	Completed
Resolution (Approved)	The resolution to set when a request is approved	Done
Resolution (Denied)	The resolution to set when a request is denied	Declined

ℹ️
Auto-transition is best-effort and designed for standard Jira workflows. Heavily customized workflows with complex transition rules or conditions may not be compatible with this feature. The app will attempt the transition but will not fail if the transition cannot be completed.

Other Optional Settings

URL: Custom webhook endpoint URL (if different from default)

Webhook templates

Application Access - Ticket Created Template

Use this template for URM_NATIVE_TICKET_CREATED events:

{
  "EventType": "%%EventType%%",
  "RequestId": "%%RequestId%%",
  "TenantId": "%%TenantId%%",
  "Timestamp": "%%Timestamp%%",
  "TicketNumber": "%%TicketNumber%%",
  "requestInfo": {
    "applicationType": "%%ApplicationType%%",
    "action": "%%Action%%",
    "workstyle": "%%Workstyle%%",
    "reason": "%%Reason%%",
    "user": "%%User%%",
    "hostName": "%%HostName%%",
    "trustedOwnership": "%%trustedOwnership%%",
    "productDescription": "%%ProductDescription%%",
    "driveType": "%%DriveType%%",
    "btZoneIdentifierExists": "%%BtZoneIdentifierExists%%",
    "productCode": "%%ProductCode%%",
    "upgradeCode": "%%UpgradeCode%%",
    "clsId": "%%ClsId%%",
    "comDisplayName": "%%ComDisplayName%%",
    "token": "%%Token%%",
    "tokenAssignmentIsShell": "%%TokenAssignmentIsShell%%",
    "uacTriggered": "%%UacTriggered%%",
    "downloadSourceUrl": "%%DownloadSourceUrl%%",
    "userLanguage": "%%UserLanguage%%",
    "sha1Hash": "%%Sha1Hash%%",
    "sha256Hash": "%%Sha256Hash%%",
    "filePathObjectId": "%%FilePathObjectId%%",
    "cmdArgs": "%%CmdArgs%%",
    "publisher": "%%Publisher%%",
    "productName": "%%ProductName%%",
    "productVersion": "%%ProductVersion%%",
    "fileVersion": "%%FileVersion%%",
    "workstyle": "%%Workstyle%%",
    "applicationGroup": "%%ApplicationGroup%%",
    "message": "%%Message%%",
    "messageId": "%%MessageId%%",
    "hostType": "%%HostType%%",
    "osName": "%%OsName%%",
    "osVersion": "%%OsVersion%%",
    "ComputerGroup": "%%ComputerGroup%%",
    "GroupId": "%%GroupId%%",
    "requestVersion": "%%RequestVersion%%",
    "hostedFilePath": "%%HostedFilePath%%",
    "parentProcess": "%%ParentProcess%%",
    "storeAppName": "%%StoreAppName%%",
    "serviceName": "%%ServiceName%%",
    "serviceAction": "%%ServiceAction%%",
    "authRequestUri": "%%AuthRequestUri%%",
    "bundleInfoDescription": "%%BundleInfoDescription%%",
    "reputationScoreDateTime": "%%ReputationScoreDateTime%%",
    "reputationScore": "%%ReputationScore%%",
    "reputationIntegrationType": "%%ReputationIntegrationType%%"
  }
}

Application Access - Decision Update Template

Use this template for URM_NATIVE_DECISION_UPDATE events:

{    
  "EventType": "%%EventType%%",
  "RequestId": "%%RequestId%%",
  "TenantId": "%%TenantId%%",
  "TicketNumber": "%%TicketNumber%%",
  "Timestamp": "%%Timestamp%%",
  "requestInfo": {
    "Decision": "%%Decision%%",
    "DecisionTime": "%%DecisionTime%%",
    "DecisionPerformedByUser": "%%DecisionPerformedByUser%%",
    "Duration": "%%Duration%%",
    "Timestamp": "%%Timestamp%%"
   }
}

Admin Access - Ticket Created Template

Use this template for JIT Admin Ticket Created events:

{
  "EventType": "JIT_ADMIN_TICKET_CREATED",
  "RequestId": "%%RequestId%%",
  "TenantId": "%%TenantId%%",
  "Timestamp": "%%Timestamp%%",
  "ComputerId": "%%ComputerId%%",
  "GroupId": "%%GroupId%%",
  "TicketNumber": "%%TicketNumber%%",
  "Reason": "%%Reason%%",
  "UserId": "%%UserId%%",
  "UserName": "%%UserName%%",
  "DurationRequested": "%%DurationRequested%%"
}

Admin Access - Decision Update Template

Use this template for JIT Admin Decision Updated events:

{
  "EventType": "JIT_ADMIN_TICKET_UPDATED",
  "RequestId": "%%RequestId%%",
  "TicketNumber": "%%TicketNumber%%",
  "TenantId": "%%TenantId%%",
  "StartTime": "%%StartTime%%",
  "EndTime": "%%EndTime%%",
  "Decision": "%%Decision%%",
  "DecisionTime": "%%DecisionTime%%",
  "DecisionPerformedByUser": "%%DecisionPerformedByUser%%",
  "Duration": "%%Duration%%",
  "DurationRequested": "%%DurationRequested%%",
  "Timestamp": "%%Timestamp%%"
}

User Interface

Jira Action Button

Once configured, users will see a "Manage JIT Access Request" issue action on relevant Jira tickets. Clicking this button opens the approval interface.

Approval Form

The approval form displays:

Request Information:

The information displayed depends on the request type:

Application Access Requests: User, application/file path, host name, reason, timestamp, and additional technical details (publisher, hashes, parent process, etc.)
Admin Access Requests: User, computer ID, group ID, host name, reason, timestamp, and duration requested

Decision Options:

Approve: Grants access for specified duration
Deny: Denies the access request
Duration: Specify access duration or select "Once" for single-use access

Workflow

1. Request Creation

User requests JIT access (Application Access or Admin Access)
EPM sends webhook to Jira
Jira ticket is automatically created
Assignee is notified

2. Approval Process

Approver opens Jira ticket
Reviews request details
Clicks Manage JIT Access Request action button
Fills out approval form with decision and duration
Submits decision which is immediately recorded as an internal note on the Jira ticket

3. Status Update

Decision is sent to EPM via API
EPM processes the decision
User receives access (if approved)
Jira ticket status is updated via webhook from EPM
If auto-transition is enabled, the ticket is automatically transitioned to the configured state and resolution.

Troubleshooting

Common Issues

Webhook Not Receiving Requests

Verify webhook URL is accessible from EPM
Check authentication credentials match between EPM and Jira
Ensure webhook is enabled in EPM configuration
Review EPM logs for webhook delivery errors

Tickets Not Being Created

Verify project key exists and is accessible
Check issue type name is valid for the project
Ensure custom field exists and is associated with the project
Review Jira app logs for errors

Approval Decisions Not Working

Verify EPM API credentials are correct
Check client ID has appropriate JIT access permissions
Ensure EPM hostname is reachable from Jira
Review API call logs in both systems

Custom Field Issues

Verify custom field ID is correct in app configuration
Ensure field is associated with appropriate screens
Check field permissions allow the app to write values

Logging and Diagnostics

EPM Logs

Check webhook delivery logs in EPM admin console
Review API access logs for incoming decision calls

Jira Logs

Access app logs through Jira admin console
Check system logs for webhook processing errors
Review API call logs for EPM communication

Support

For additional support:

Check the app documentation in Jira
Review EPM integration logs
Contact BeyondTrust support with specific error messages and logs

Security Considerations

Use strong, unique passwords for webhook authentication
Regularly rotate API credentials
Ensure HTTPS is used for all communications
Limit EPM API client permissions to only what's necessary
Monitor webhook and API access logs regularly
Consider implementing IP whitelisting if supported

Best Practices

Test in a non-production environment before deploying
Create dedicated service accounts for the integration
Implement proper approval workflows with appropriate assignees
Monitor integration health regularly
Keep credentials secure and rotate them periodically
Document your configuration for future reference
Train users on the new approval workflow

This guide covers the basic installation and configuration of the BeyondTrust Endpoint Privilege Management - Jira Service Management integration. For additional questions contact BeyondTrust support.