Group Membership Automation Rule

With the Group Membership Automation Rule, you can automatically add a JSM requester to one or more groups in a connected application when their access request is approved. This guide walks you through creating and configuring the rule from start to finish.

Pre-requisites

  1. Jira and JSM admin access: You need admin permissions in both Jira and Jira Service Management to create automation rules and manage project settings.
  2. A connected application: At least one application must already be connected to the Identity Governance app (via App Connections) before you create a rule. The target application's groups need to load in the rule builder, so confirm this connection is working first.
  3. A JSM project and request type set up for access requests: You need an existing JSM project that already has an access request type configured. One request type can only be used by one automation rule, so make sure the request type you plan to use is not already assigned to another rule.
  4. Custom fields created and added to the request type form: Before building the rule, create the following custom fields in Jira and add them to your request type form. The rule builder only shows fields that are already on the form. If there are none, the admin needs to create them.

Admins can assign any name to these custom fields based on their requirements.

  • Access level (single-select list): Use this field if you want to show requesters friendly access option names instead of raw group names.
  • Requested Groups (single-select or multi-select list): Use this field if you want to surface live group names directly from the connected application. Use multi-select if requesters may choose more than one group.
Note: You only need to configure one of the above two fields, not both. Choose based on how you want to present access options to requesters.
  • Access Expires On (date, not date-time): Required only if you want to enforce time-limited access. If access expiration is not needed, this field can be left unconfigured.

Installation

  • Log in to your Jira instance and go to Apps in the left sidebar.
  • Select Explore more apps and search for Identity Governance, Auditing and Access Control via JSM.
  • Click Try it free to start a trial, then follow the prompts to install the app.
  • Once installed, open the app from Apps in the top navigation bar. You will see the app's sidebar with Dashboard, App Connections, Automation, Role Catalog, and Audit Logs.

1: Connect your application

Before creating a rule, confirm your target application is connected.

  • In the app sidebar, click App Connections.
  • Verify your application is listed and its status shows as connected.
  • If it is not connected yet, add it here before continuing.

2: Create a Group Membership rule

  • Click Create rule.
  • In the app sidebar, click Automation → Access Management.
  • You will see a rule type selection screen. Click Group Membership.

3: Configure the Project block

The Project block is the trigger for your rule. It tells the app which JSM project and request type to watch.

  • In the rule builder, click the Project block to open its settings panel on the right.
  • Under Project, select your JSM project from the dropdown.
  • Under Request type, select the request type designated for access requests.

Once both are selected, the field mapping options in the next block will become available.

4: Configure Access Definition and Mapping

This block defines which application to provision into, how long access lasts, and how the requester selects their group.

  • Click the Access Definition and Mapping block to open its settings panel.

Target Application

  • Under Application, select the connected application where group membership will be assigned.
  • Confirm that groups load in the dropdown before moving on.

Create User if Missing (optional)

  • If you want the app to automatically create the requester in the target application when they do not already exist there, toggle Create user if missing on.
  • Skip this if your application is invite-based (such as GitHub or Zoom), as this option will not be available for those.

Access Duration

  • Select Permanent if access should not expire.
  • Select Temporary if access should expire on a set date, then map it to the Access Expires On date field you created. The requester will need to fill in a date on every request; this field is never pre-filled automatically.

Configuration Mode

Choose how the requester will select their group when submitting a request.

  • Access Options: Choose this if you want to show requesters friendly labels (such as "Read-only access" or "Full access") that you define. The underlying group names stay hidden from the requester.
    1. Click Add access option, give it a name, and map it to one or more real groups in the connected application.
    2. Map the Access level field to the single-select custom field you created.
  • Dynamic Mapping: Choose this if you want the requester to pick directly from the live group names in the connected application.
    1. Map the JSM field for the group to the single-select or multi-select custom field you created.

After you save the rule, the app will automatically write the correct options into the mapped JSM field so requesters can select from them when submitting a request.

5: Configure the Approval block

  • Click the Approval block to open its settings panel.
  • Configure who should approve access requests for this rule.
Note: The Approval block requires the Project block to be completed first. If you see a warning message, go back to Step 3 and confirm both the project and request type are selected.

6: Configure Access Decision Mapping

This block tells the app what to do when a request is approved or rejected.

  • Click the Access Decision Mapping block to open its settings panel.
  • Under Approval Status (JSM), select the JSM workflow status that means a request has been approved. When a ticket moves to this status, the app will add the requester to the group.
  • Under Rejection Status (JSM), select the JSM workflow status that means a request has been rejected. When a ticket moves to this status, no group access is granted.

The app automatically posts a comment on the ticket when either outcome is reached, so requesters and approvers have a clear record of what happened.

7: Save the rule

  • Click Save Rule in the top-right corner.
  • After saving, open the JSM request type form and check that the mapped dropdown field is showing the expected options. For Access Options mode, you should see the friendly names you defined. For Dynamic Mapping mode, you should see the live group names from the connected application.
  • If the options have not appeared yet, save the rule a second time to trigger the sync.

Test the rule

Before going live, run a quick test.

  • Submit a test access request through the JSM portal.
  • Move the ticket to your approved status.
  • Confirm the requester has been added to the expected group in the target application.
  • Check that a comment was posted on the ticket confirming the outcome.
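
One way to run the membership check above across many requests, as an added example that is not part of the original guide or the app's own code: it derives the group membership the rule should have produced from ticket data and compares it with the membership found in the target application. The ticket records, option labels, group names and the reading that access lasts through the expiry date are all constructed assumptions.

```python
from datetime import date

# Constructed sample data; names and shapes are assumptions, not the app's export format.
ACCESS_OPTIONS = {  # Access Options mode: friendly label -> real groups
    "Read-only access": ["repo-readers"],
    "Full access": ["repo-readers", "repo-writers"],
}
APPROVED_STATUS = "Approved"  # the status mapped under Approval Status (JSM)

TICKETS = [
    {"key": "ACC-1", "requester": "ana", "access_level": "Full access",
     "status": "Approved", "expires_on": None},
    {"key": "ACC-2", "requester": "bo", "access_level": "Read-only access",
     "status": "Rejected", "expires_on": None},
    {"key": "ACC-3", "requester": "cy", "access_level": "Read-only access",
     "status": "Approved", "expires_on": date(2024, 1, 31)},
]
# Membership as read from the target application (constructed).
ACTUAL = {"repo-readers": {"ana", "bo", "cy"}, "repo-writers": set()}

def expected_membership(tickets, options, today):
    """Return group -> users the rule should have provisioned as of `today`."""
    expected = {}
    for t in tickets:
        if t["status"] != APPROVED_STATUS:
            continue  # rejected or pending requests grant nothing
        exp = t["expires_on"]
        if exp is not None and today > exp:
            continue  # temporary access past its date (assumed valid through that date)
        for group in options.get(t["access_level"], []):
            expected.setdefault(group, set()).add(t["requester"])
    return expected

def reconcile(tickets, options, actual, today):
    """List (finding, group, user) tuples where actual state differs from expected."""
    expected = expected_membership(tickets, options, today)
    findings = []
    for group in sorted(set(expected) | set(actual)):
        want, have = expected.get(group, set()), actual.get(group, set())
        findings += [("missing_grant", group, u) for u in sorted(want - have)]
        findings += [("no_approved_ticket", group, u) for u in sorted(have - want)]
    return findings
```

A `no_approved_ticket` finding only means the membership is not explained by this rule's tickets; members added through other channels will appear there too and need a separate review.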
