Configure Teamwork Graph CLI permissions
Permissions control what the Teamwork Graph CLI (TWG CLI) can do across your connected tools - essentially what it can read, write, manage, and delete.
Configuring permissions correctly lets you give teams the access they need while protecting sensitive data in your organization.
More on managing your permissions settings
Understand different permission types
Teamwork Graph CLI uses three permission types. Each can be configured independently across your connected toolsets:
| Permission type | What it controls | Default state |
|---|---|---|
| Read | Allows the CLI to retrieve data from your connected apps and the Teamwork Graph. For example, fetching Jira work items or Confluence pages. | Allow all |
| Write | Allows the CLI to create or edit objects in your connected apps. For example, creating Jira work items or updating Confluence pages. | Allow all |
| Delete | Allows the CLI to delete objects in your connected apps. | Allow all |
Use write and delete access with caution
When write and delete access is enabled, users can create, edit, or delete objects in your Atlassian apps, such as Jira work items and Confluence pages, using the CLI.
Only enable write and delete access for the toolsets your organization genuinely needs.
To change permissions:
1. Go to Atlassian Administration. Select your organization if you have more than one.
2. In the sidebar, select Rovo, then select Teamwork Graph CLI.
3. In Permissions, turn off Allow all permissions by default if you want to customize permissions.
4. Select a permission category: Read, Write and manage, or Delete.
5. In the side panel, use Select all or the individual permission toggles to choose which OAuth permissions TWG CLI can request.
6. Select Save.
7. Choose whether to Save without revoking or Save and revoke sessions.
8. Repeat for any other permission categories.
To block TWG CLI OAuth access for your organization, turn off Allow all permissions by default, clear the permissions in each category, save your changes, and choose Save and revoke sessions.
Revoke active sessions
When you save permission changes, Atlassian Administration asks whether to revoke active TWG CLI sessions.
Save without revoking saves the new settings, but users may continue using existing sessions until they need to re-authenticate.
Save and revoke sessions saves the new settings and requires users to authenticate again before TWG CLI can use the updated permissions.
Revoking sessions is recommended when you remove permissions or clear a permission category.
Server-side enforcement
Permissions are enforced server-side by Atlassian. This means they can't be bypassed by modifying the CLI binary or local config. When a command is sent, Atlassian checks the permissions configured for your organization before returning any data or performing any action. If TWG CLI isn't allowed to request the required permission, the command is rejected.
IP and location allowlists
IP and location allowlists configured in your Atlassian organization also apply to CLI requests. If a request originates from a blocked IP address, it's rejected regardless of the user's permissions.
Diagnose a blocked command
A blocked command appears as restricted, and you'll need to re-authenticate. If a command is unexpectedly blocked, check that:
- The OAuth permission the command needs is allowed in the relevant permission category.
- The request isn't originating from an IP address outside your organization's allowlist.
- The user has re-authenticated after recent permission changes or session revocation.