BeyondTrust Endpoint Privilege Management - Jira Service Management Integration Guide

The BeyondTrust Endpoint Privilege Management for Cloud (EPM) - Jira Service Management integration allows organizations to streamline their Just-In-Time (JIT) Application Access approval workflow. This integration automatically creates Jira tickets when EPM JIT access requests are submitted and enables approvers to make decisions directly from within Jira.

Key Features

Automated Ticket Creation: Automatically creates Jira tickets when JIT Application Access requests are submitted in EPM
Integrated Approval Workflow: Approve or deny requests directly from Jira using custom action buttons
Real-time Updates: Status updates are synchronized between EPM and Jira
Comprehensive Request Details: All relevant request information is captured in the Jira ticket
Customizable Templates: Configurable webhook templates for different event types

Architecture

The integration is implemented as a Forge app written in JavaScript that:

Receives webhook messages from EPM when JIT Application Access tickets are created
Creates corresponding Jira tickets with all relevant request information
Provides a custom user interface within Jira for approving/denying requests
Communicates decisions back to EPM via the management API

Prerequisites

Before installing and configuring the integration, ensure you have:

BeyondTrust EPM instance with administrative access
Jira Service Management or Jira Software with appropriate permissions
Project Administrator rights in Jira to create custom fields and configure projects
EPM API credentials with JIT access permissions

Installation Steps

Step 1: Install the Jira App

Navigate to your Jira instance
Go to Apps → Find new apps
Search for "BeyondTrust Privilege Management"
Click Install and follow the prompts

Step 2: Create Required Custom Field in Jira

Follow the instructions to Add a new custom field
Configure the field with the following values:
- Name: beyondTrustEpmJitRequestSystemId
- Description: BeyondTrust PMC JIT Request System ID
- Field Type: Simple text
Associate the field with appropriate screens and projects
Note the Field ID for later configuration

Configuration

EPM Web Configuration

1. Configure Webhook Settings

Navigate to: EPM → Configuration → Webhook Settings
Click Create Webhook
Configure the following settings:
- Name: Jira - App Access - Create (this is just an example; the name can be any value)
- URL: [Available in the Webhook Settings section of the Jira app's configuration page]
- Event: JIT Application Access Ticket Created
- Content Type: application/json
- Template: Use the Create Template (see templates section below)
- Authentication Type: Basic
- Authentication Username: [Create a dedicated webhook user]
- Authentication Password: [Create a secure password]
- Enable Webhook: ✅ Check to enable

Repeat the steps above to create a second webhook. Use the same settings except for the Name, Event, and Template:

Name: Jira - App Access - Update (this is just an example; the name can be any value)
Event: JIT Application Access Decision Updated
Template: Use the Update Template (see templates section below)

2. Configure JIT Access Settings

Navigate to: EPM → Configuration → JIT Access Settings
Configure the following under Application Access:
- ✅ Enable JIT Access
- Choose: EPM
- Save Changes

3. Configure API Settings

Navigate to: EPM → Configuration → API Settings
Create a new API Account with the following permissions:
- Audit: Read Only
- Reporting: Read Only

Jira App Configuration

Access the app configuration through: Apps → Manage Apps → BeyondTrust Privilege Management

Required Settings

Setting	Description	Example
Enable Integration	Master switch to enable/disable integration	`true`
Service Hostname	EPM services hostname	`pmc-services.yourcompany.com`
Client ID	EPM API client ID with JIT access	`pmc-api-account-client-id`
Client Secret	EPM API client secret	`[pmc-api-account-client-secret]`
Basic Auth Username	Username for webhook authentication	`pmc-webhook-user`
Basic Auth Password	Password for webhook authentication	`[secure-password]`
Project Key	Jira project where tickets will be created	`PMCJIT` (example only)
Issue Type Name	Type of issue to create	`Access Request`
Issue Default Summary	Default summary template	`EPM JIT Application Access Request - %%User%%`
Enable Automatic Reporter	Set reporter based on app launcher	`true` (if desired)
Assignee Name	Default assignee for tickets	`John Doe`
Custom Field ID	ID of the custom field created earlier	`customfield_10001`

Optional Settings

URL: Custom webhook endpoint URL (if different from default)

Webhook Templates

Ticket Created Template

Use this template for URM_NATIVE_TICKET_CREATED events:

{
  "EventType": "%%EventType%%",
  "RequestId": "%%RequestId%%",
  "TenantId": "%%TenantId%%",
  "Timestamp": "%%Timestamp%%",
  "TicketNumber": "%%TicketNumber%%",
  "requestInfo": {
    "applicationType": "%%ApplicationType%%",
    "action": "%%Action%%",
    "workstyle": "%%Workstyle%%",
    "reason": "%%Reason%%",
    "user": "%%User%%",
    "hostName": "%%HostName%%",
    "trustedOwnership": "%%trustedOwnership%%",
    "productDescription": "%%ProductDescription%%",
    "driveType": "%%DriveType%%",
    "btZoneIdentifierExists": "%%BtZoneIdentifierExists%%",
    "productCode": "%%ProductCode%%",
    "upgradeCode": "%%UpgradeCode%%",
    "clsId": "%%ClsId%%",
    "comDisplayName": "%%ComDisplayName%%",
    "token": "%%Token%%",
    "tokenAssignmentIsShell": "%%TokenAssignmentIsShell%%",
    "uacTriggered": "%%UacTriggered%%",
    "downloadSourceUrl": "%%DownloadSourceUrl%%",
    "userLanguage": "%%UserLanguage%%",
    "sha1Hash": "%%Sha1Hash%%",
    "sha256Hash": "%%Sha256Hash%%",
    "filePathObjectId": "%%FilePathObjectId%%",
    "cmdArgs": "%%CmdArgs%%",
    "publisher": "%%Publisher%%",
    "productName": "%%ProductName%%",
    "productVersion": "%%ProductVersion%%",
    "fileVersion": "%%FileVersion%%",
    "workstyle": "%%Workstyle%%",
    "applicationGroup": "%%ApplicationGroup%%",
    "message": "%%Message%%",
    "messageId": "%%MessageId%%",
    "hostType": "%%HostType%%",
    "osName": "%%OsName%%",
    "osVersion": "%%OsVersion%%",
    "ComputerGroup": "%%ComputerGroup%%",
    "GroupId": "%%GroupId%%",
    "requestVersion": "%%RequestVersion%%",
    "hostedFilePath": "%%HostedFilePath%%",
    "parentProcess": "%%ParentProcess%%",
    "storeAppName": "%%StoreAppName%%",
    "serviceName": "%%ServiceName%%",
    "serviceAction": "%%ServiceAction%%",
    "authRequestUri": "%%AuthRequestUri%%",
    "bundleInfoDescription": "%%BundleInfoDescription%%",
    "reputationScoreDateTime": "%%ReputationScoreDateTime%%",
    "reputationScore": "%%ReputationScore%%",
    "reputationIntegrationType": "%%ReputationIntegrationType%%"
  }
}

Decision Update Template

Use this template for URM_NATIVE_DECISION_UPDATE events:

{
  "EventType": "%%EventType%%",
  "RequestId": "%%RequestId%%",
  "TenantId": "%%TenantId%%",
  "TicketNumber": "%%TicketNumber%%",
  "Timestamp": "%%Timestamp%%",
  "requestInfo": {
    "Decision": "%%Decision%%",
    "DecisionTime": "%%DecisionTime%%",
    "DecisionPerformedByUser": "%%DecisionPerformedByUser%%",
    "Duration": "%%Duration%%",
    "Timestamp": "%%Timestamp%%"
  }
}

User Interface

Jira Action Button

Once configured, users will see a "Manage JIT Access Request" issue action on relevant Jira tickets. Clicking this button opens the approval interface.

Approval Form

The approval form displays:

Request Information:

User requesting access
Application/file path
Host name
Reason for access
Timestamp
Additional technical details

Decision Options:

Approve: Grants access for specified duration
Deny: Denies the access request
Duration: Specify access duration or select "Once" for single-use access

Workflow

1. Request Creation

User requests JIT access
EPM sends webhook to Jira
Jira ticket is automatically created
Assignee is notified

2. Approval Process

Approver opens Jira ticket
Reviews request details
Clicks Manage JIT Access Request action button
Fills out approval form with decision and duration
Submits decision which is immediately recorded as an internal note on the Jira ticket

3. Status Update

Decision is sent to EPM via API
EPM processes the decision
User receives access (if approved)
Jira ticket status is updated

Troubleshooting

Common Issues

Webhook Not Receiving Requests

Verify webhook URL is accessible from EPM
Check authentication credentials match between EPM and Jira
Ensure webhook is enabled in EPM configuration
Review EPM logs for webhook delivery errors

Tickets Not Being Created

Verify project key exists and is accessible
Check issue type name is valid for the project
Ensure custom field exists and is associated with the project
Review Jira app logs for errors

Approval Decisions Not Working

Verify EPM API credentials are correct
Check client ID has appropriate JIT access permissions
Ensure EPM hostname is reachable from Jira
Review API call logs in both systems

Custom Field Issues

Verify custom field ID is correct in app configuration
Ensure field is associated with appropriate screens
Check field permissions allow the app to write values

Logging and Diagnostics

EPM Logs

Check webhook delivery logs in EPM admin console
Review API access logs for incoming decision calls

Jira Logs

Access app logs through Jira admin console
Check system logs for webhook processing errors
Review API call logs for EPM communication

Support

For additional support:

Check the app documentation in Jira
Review EPM integration logs
Contact BeyondTrust support with specific error messages and logs

Security Considerations

Use strong, unique passwords for webhook authentication
Regularly rotate API credentials
Ensure HTTPS is used for all communications
Limit EPM API client permissions to only what's necessary
Monitor webhook and API access logs regularly
Consider implementing IP whitelisting if supported

Best Practices

Test in a non-production environment before deploying
Create dedicated service accounts for the integration
Implement proper approval workflows with appropriate assignees
Monitor integration health regularly
Keep credentials secure and rotate them periodically
Document your configuration for future reference
Train users on the new approval workflow

This guide covers the basic installation and configuration of the BeyondTrust Endpoint Privilege Management - Jira Service Management integration. For additional questions contact BeyondTrust support.