Jira Service Management
ImportantThis integration is available for purchase through the Atlassian Marketplace. Search for BeyondTrust Privileged Remote Access Integration for Jira to find and purchase the app.
Overview
The BeyondTrust Privileged Remote Access (PRA) - Jira Service Management integration allows organizations to streamline their privileged access workflows by enabling technicians to launch secure remote sessions directly from Jira tickets, automatically import session data back into Jira, and enforce change management approval processes.
Key Features
| Feature | Description |
|---|---|
| Jump to Assets | Technicians can launch BeyondTrust access sessions from within Jira tickets using BeyondTrust Jump Technology, connecting to assets associated with tickets. |
| Session Data Import | BeyondTrust access session data is automatically written back to Jira tickets after session completion, including file transfers, system information, session notes, recordings, and chat messages. |
| Change Management Endpoint Approval | BeyondTrust PRA can be configured to require ticket validation before allowing access to Jump Items, verifying that the ticket exists, is assigned to the requesting user, and is associated with the target asset. |
| Custom Links | Access Jira tickets directly from the BeyondTrust Access Console for quick context and reference. |
| Configurable Event Filtering | Control which session events are imported into Jira to match your documentation requirements. |
Architecture
The integration is implemented as a Forge app written in JavaScript that:
- Provides a custom user interface within Jira for launching Jump sessions to assets associated with tickets
- Validates endpoint approval requests from PRA when change management workflows are enabled, checking ticket status, assignee match, and asset association
- Receives webhook notifications from PRA when access sessions end
- Imports session data into Jira tickets, including detailed event information and session recordings
- Communicates with PRA via OAuth-authenticated API calls
Integration Flow
- Technician opens a Jira ticket with an associated asset
- Technician clicks Jump to Asset with BeyondTrust PRA
- App generates a session request to PRA
- PRA opens connection to the asset (via web console or download)
- When session ends, PRA sends webhook to Jira
- Session details are imported and displayed in the Jira ticket
Prerequisites
Before installing and configuring the integration, ensure you have:
- BeyondTrust PRA appliance (B Series physical or virtual) with administrative access
- Network connectivity from the PRA appliance to Jira Service Management over HTTPS (TCP 443)
- Administrative access to the /login interface for configuration
- At least one configured Jump Item for testing
Installation Steps
Step 1: Install the Jira App
Install the BeyondTrust Privileged Remote Access app by navigating to your Jira Apps marketplace, searching for the app, and completing the installation prompts.
For more information, see Install the Jira app
Step 1: Install the Jira app
Steps
- Navigate to your Jira instance
- Go to Apps >Find new apps (or Manage apps)
- Search for "BeyondTrust Privileged Remote Access"
- Click Install and follow the prompts
- Wait for the installation to complete
Step 2: Configure Asset Association Field
Steps
The integration requires a field in your Jira issues to associate tickets with assets. This can be either:
- An Asset field that links to assets from the Jira Assets module
- A custom text field where asset names are manually entered
Option A: Using Jira Assets Field
If you are using Jira Service Management with the Assets module:
- Navigate to Project settings > Issue types
- Select the issue types you want to use with this integration (e.g., Incident, Service Request)
- On the issue type, click Fields
- Add or ensure an Assets field is present
- Note the field name for configuration (typically something like "Assets" or "Configuration Items")
Option B: Using Custom Text Field
If you prefer to use a simple text field:
- Navigate to Project settings > Fields
- Click Create field or follow Atlassian's documentation
- Create a field with the following properties:
- Field Type: Short text (single line) or Assets
- Name: Asset Name (or your preferred name)
- Description: Name of the asset to connect via BeyondTrust PRA
- Associate the field with appropriate screens and issue types
- Note the field name for later configuration
Configuration
Configure BeyondTrust Privileged Remote Access
All steps in this section take place in the BeyondTrust /login administrative interface. Access your BeyondTrust interface by going to the hostname of your B Series Appliance followed by /login (e.g., https://support.example.com/login).
Step 1: Verify API is Enabled
The integration requires the BeyondTrust XML API to be enabled.
For more information, see Verify API is Enabled
Step 1: Verify API is Enabled
Steps
- In /login, navigate to Management > API Configuration
- Verify that Enable XML API is checked
- If not enabled, check the box and click Save
Step 2: Create an OAuth API Account
Steps
- In /login, navigate to Management > API Configuration
- Click Add
- Configure the following settings:
- Enabled: ā Check to enable
- Name: Jira Integration API (or your preferred name)
- OAuth Client ID: This will be auto-generated; save this for Jira configuration
- OAuth Client Secret: This will be auto-generated; save this for Jira configuration
- Under Permissions, check the following:
- Command API: Full Access
- Reporting API: Allow Access to Access Session Reports and Recordings
- Click Save at the top of the page
Keep the OAuth Client ID and OAuth Client Secret secure. You need these values when configuring the Jira app.
Step 3: Add Outbound Events
Steps
- In /login, navigate to Management > Outbound Events
- Click Add
- Configure the following settings:
- Name: Jira Session End (or your preferred name)
- URL: This will be provided in the Jira app configuration page (see Configure the Jira app )
- Events to Send: ā Check Access Session End
- Enabled: ā Check to enable
- Click Save
Step 4: Set Up Custom Link (Optional)
Steps
- In /login, navigate to Console Settings > Custom Links
- Click Add
- Configure the link:
- Name: View Jira Ticket (or your preferred name)
- URL: https://example.atlassian.net/browse/%SESSION.CUSTOM.EXTERNAL_KEY%
- Replace example.atlassian.net with your actual Jira instance URL
- The %SESSION.CUSTOM.EXTERNAL_KEY% macro will be replaced with the ticket ID
- Click Save
Step 5: Set Up Change Management Workflow (Optional)
Steps
- In /login, navigate to Jump > Jump Policies
- Under Ticket System, configure the following:
- Ticket System URL: This is provided in the Jira app configuration page (see Configure the Jira app )
- CA Certificate: Upload the CA certificate from your Jira instance (typically not required for Atlassian Cloud)
- User Prompt: Enter a prompt such as "Enter your Jira ticket ID to proceed"
- Click Save
- Under the Jump Policies section, click Add to create a new policy, or click Edit next to an existing policy
- Configure the Jump Policy:
- Name: Enter a descriptive name (e.g., "Jira Approval Required")
- Under Ticket System, check Require a ticket ID before a session starts
- Configure other policy settings as needed for your environment
- Click Save
The Jump Item must be configured to use this Jump Policy for the change management workflow to be enforced. The policy should be applied to Jump Items or Jump Groups that require approval.
Configure the Jira App
Access the app configuration via Apps > Manage Apps > BeyondTrust Privileged Remote Access
Required Settings
| Setting | Description | Example |
|---|---|---|
| Enable Integration | Master switch to enable/disable the integration | ā Enabled |
| Host Name | PRA appliance hostname (without protocol) | pra.yourcompany.com |
| Client ID | OAuth Client ID from PRA API account | (from PRA API configuration) |
| Client Secret | OAuth Client Secret from PRA API account | (from PRA API configuration) |
| Asset Field Name | Name of the Jira field containing asset information | Assets, Asset Name, Configuration Items |
Optional Settings
| Setting | Description | Example |
|---|---|---|
| Use Web Rep Console for Jump To | Open sessions in browser tab instead of downloading session file | ā Enabled (recommended) |
| Auto Associate With User | Update ticket assignee to match primary session representative) | ā Disabled |
| Events to Exclude | Select which session event types should NOT be imported into Jira | (none by default) |
Integration URLs
After configuring the basic settings and clicking Save, the app will display two important URLs:
- Outbound Event URL: Use this in PRA's Outbound Events configuration (Step 3 in PRA configuration)
- Endpoint Approval URL: Use this as the Ticket System URL in PRA's Jump Policies (Step 6 in PRA configuration)
Configuration Validation
The app automatically validates the configuration when you click Save and display:
- ā Configuration Valid: All settings are correct and PRA is accessible
- ā Configuration Invalid: There is an error in the configuration; check the error message and verify:
- Host Name is correct and accessible
- Client ID and Client Secret are correct
- PRA appliance is accessible from Jira over HTTPS
Complete PRA Configuration
Now that you have the URLs from Jira, return to PRA to complete the configuration:
Update Outbound Event URL
- In PRA /login, navigate to Management > Outbound Events
- Click Edit on the Jira Session End event you created earlier
- Set the URL to the Outbound Event URL from the Jira app configuration page
- Click Save
Update Endpoint Approval URL (if using change management)
- In PRA /login, navigate to Jump > Jump Policies
- Under Ticket System, set the Ticket System URL to the Endpoint Approval URL from the Jira app configuration page
- Click Save
Use Cases
Organizations using Jira Service Management can integrate with BeyondTrust PRA to provide secure privileged access to critical assets from within Jira, satisfy internal and external compliance requirements with comprehensive audit trails, and integrate with change management processes.
Jump to Asset from Jira Ticket
Technicians can leverage BeyondTrust Jump Technology to access an asset associated with a ticket directly from the ticket interface.
Workflow
- Technician opens a Jira ticket (incident, service request, etc.)
- The ticket has an asset associated via the configured asset field
- Technician clicks the "ā¦" menu (more actions) at the top right
- Selects Jump to Asset with BeyondTrust PRA
- A dialog appears with session information and a Jump to... link
- If Use Web Rep Console is enabled:
- Clicking the link opens a new browser tab to the PRA web console
- The session automatically connects to the asset
- If Use Web Rep Console is disabled:
- A session file is downloaded
- Opening the file launches the PRA Access Console
- When the session ends, session data is automatically imported into the Jira ticket
Import Session Data into Jira
Once the BeyondTrust access session ends, Jira is automatically updated with information gathered during the session.
Imported Session Data includes:
- Session Details: Start time, end time, duration, session ID
- User Information: Representative(s) involved, customer information
- System Information: Hostname, operating system, IP addresses
- File Transfers: List of files transferred during the session, with sizes and directions
- Chat Messages: All chat messages exchanged during the session
- Session Notes: Any notes added by representatives
- Session Recordings: Links to session recordings in PRA (if enabled)
- Session Events: Configurable list of events that occurred during the session
Change Management Endpoint Approval
BeyondTrust access requests can require a Jira ticket ID to be entered as part of the access request process. When enabled, the integration validates the ticket before allowing access.
Workflow
- User opens the PRA Access Console
- User attempts to connect to a Jump Item that requires ticket validation
- PRA prompts: "Enter your Jira ticket ID to proceed" (or your custom prompt)
- User enters a Jira ticket ID (e.g., "SD-1234")
- PRA sends an approval request to Jira with:
- Ticket ID
- User information (email, display name, username)
- Target asset name (computer name)
- The Jira app validates:
- ā Ticket Exists: The specified ticket ID is valid
- ā Ticket Active: The ticket is not in a closed/resolved/cancelled state
- ā User Authorized: The requesting user matches the ticket's assignee (by email or name)
- ā Asset Match (optional): The target asset name matches the ticket's associated asset
- If all validations pass:
- Approval is sent to PRA
- Session proceeds normally
- The ticket ID is linked to the session
- Session data is imported to the ticket when complete
- If any validation fails:
- Denial is sent to PRA with a specific error message
- Session is blocked
- User sees the error message explaining why access was denied
Validation Details
The endpoint approval process performs the following checks:
- Ticket Lookup: Searches for the ticket by ticket ID (e.g., "SD-1234")
- Assignee Validation: Matches the PRA user against the Jira ticket assignee using:
- Email address match
- Display name match (private or public)
- Username match
- Asset Validation: Compares the PRA Jump Item computer name with the asset name from the ticket (case-insensitive)
Common Denial Reasons
- "The specified ticket, [SD-1234], could not be found. Please provide a valid ticket number."
- "The specified ticket, [SD-1234], is not assigned to anyone."
- "The user that initiated the PRA session does not match the assignee of ticket [SD-1234]."
- "The specified ticket, [SD-1234], does not appear to be associated with an asset named [WORKSTATION-01]."
Access Jira Tickets from Access Console
Using BeyondTrust's custom link functionality, users can access the associated Jira ticket directly from within the Access Console. This saves time searching for the record in Jira and provides the user with any available session details, history, or other context to help resolve issues quickly.
Steps
- Open the PRA Access Console
- View an active or completed session that has a linked Jira ticket
- Click the View Jira Ticket custom link (or whatever name you configured)
- The Jira ticket opens in your default browser
Workflow Examples
- Customer reports an issue
- Support technician creates a Jira ticket and assigns it to themselves
- Technician adds the customer's asset to the ticket's asset field
- Technician clicks Jump to Asset with BeyondTrust PRA
- Session launches in browser or via downloaded console
- Technician resolves the issue during the session
- Technician adds notes and ends the session
- Session data automatically appears in the Jira ticket
- Technician reviews the imported data and closes the ticket
Troubleshooting
Common Issues
Issues
| Issue | Symptoms | Resolution |
|---|---|---|
| App configuration validation fails |
|
|
| Jump to Asset button not appearing |
|
|
| Sessions not importing into Jira |
|
|
| Endpoint approval always denies access |
|
|
| Wrong Asset field configured |
|
|
| Custom link doesn't work |
|
|
Logging and Diagnostics
- Outbound Event Logs: Management > Outbound Events - Check the status column for delivery failures
- API Access Logs: Check for incoming API calls from Jira
- System Logs: Review general system logs for errors related to the integration
Testing the Integration
- Create a test ticket in Jira
- Assign the ticket to your user account
- Add a known Jump Item asset to the ticket's asset field
- Click the "ā¦" menu and select Jump to Asset with BeyondTrust PRA
- Verify the session launches successfully
- Perform a simple action (e.g., view a file, send a chat message)
- End the session
- Wait 1-2 minutes
- Refresh the Jira ticket
- Verify session data appears in the ticket activity
Support
For additional support:
- Review this documentation thoroughly
- Check the app logs in Jira for specific error messages
- Contact BeyondTrust support with:
- Product version information (PRA and Jira app versions)
- Detailed description of the issue
- Configuration screenshots (with sensitive data redacted)
- Specific error messages
- Timestamps and affected ticket/session IDs
Best Practices
- Test in Development First: Install and configure the integration in a Jira test/sandbox environment before production deployment
- Pilot Program: Start with a small group of users and gradually expand
- Document Customizations: Maintain documentation of any custom configurations specific to your environment
- Training: Provide training to support technicians on the new workflow
Updated 1 day ago