Configure Teamwork Graph CLI permissions

Who can do this?
Role: Organization admin, Site admin
Atlassian Cloud: Standard, Premium, Enterprise plans
Atlassian Government Cloud: Not available

Permissions control what the Teamwork Graph CLI (TWG CLI) can do across your connected tools - essentially what it can read, write, manage, and delete.

Configuring permissions correctly lets you give teams the access they need while protecting sensitive data in your organization.

More on managing your permissions settings

Understand different permission types

Teamwork Graph CLI uses three permission types. Each can be configured independently across your connected toolsets:

Permission type

What it controls

Default state

Read

Allows the CLI to retrieve data from your connected apps and the Teamwork Graph. For example, fetching Jira work items or Confluence pages.

Allow all

Write

Allows the CLI to create or edit objects in your connected apps. For example, creating Jira work items or updating Confluence pages.

Allow all

Delete

Allows the CLI to delete objects in your connected apps.

Allow all

Use write and delete access with caution

When write and delete access is enabled, users can create, edit, or delete objects in your Atlassian apps, such as Jira work items and Confluence pages, using the CLI.

Only enable write and delete access for the toolsets your organization genuinely needs.

To change permissions:

  1. Go to Atlassian Administration. Select your organization if you have more than one.

  2. In the sidebar, select Rovo, then select Teamwork Graph CLI.

  3. In Permissions, turn off Allow all permissions by default if you want to customize permissions.

  4. Select a permission category: Read, Write and manage, or Delete.

  5. In the side panel, use Select all or the individual permission toggles to choose which OAuth permissions TWG CLI can request.

  6. Select Save.

  7. Choose whether to Save without revoking or Save and revoke sessions.

  8. Repeat for any other permission categories.

To block TWG CLI OAuth access for your organization, turn off Allow all permissions by default, clear the permissions in each category, save your changes, and choose Save and revoke sessions.

Revoke active sessions

When you save permission changes, Atlassian Administration asks whether to revoke active TWG CLI sessions.

  • Save without revoking saves the new settings, but users may continue using existing sessions until they need to re-authenticate.

  • Save and revoke sessions saves the new settings and requires users to authenticate again before TWG CLI can use the updated permissions.

Revoking sessions is recommended when you remove permissions or clear a permission category.

Server-side enforcement

Permissions are enforced server-side by Atlassian. This means they can't be bypassed by modifying the CLI binary or local config. When a command is sent, Atlassian checks the permissions configured for your organization before returning any data or performing any action. If TWG CLI isn't allowed to request the required permission, the command is rejected.

IP and location allowlists

IP and location allowlists configured in your Atlassian organization also apply to CLI requests. If a request originates from a blocked IP address, it's rejected regardless of the user's permissions.

Diagnose a blocked command

A blocked command appears as restricted, and you'll need to re-authenticate. If a command is unexpectedly blocked, check that:

  • The OAuth permission the command needs is allowed in the relevant permission category.

  • The request isn't originating from an IP address outside your organization's allowlist.

  • The user has re-authenticated after recent permission changes or session revocation.


Share feedback or report a bug

Still need help?

The Atlassian Community is here for you.