
Password Reset in Jira

"I've forgotten my password, could you please reset it?" - Administrators tend to get this question a little too often... Whenever possible, we try to eliminate repetitive tasks like these through automation. In this particular case, automating password resets means less context switching and fewer low-value tasks for admins, which is already a big win in itself. But what makes it really great is that the instant self-service functionality improves user (or customer) satisfaction.

 

In this blog, we'll tell you exactly how we automate resetting user passwords that are synchronized with an LDAP Server.

 

For this, we need the following apps:

 

  • Jira Service Desk
  • ScriptRunner for Jira (to generate random passwords and clear the issue history)
  • A tool to send SMS notifications like WebHook or Notifications for Jira (to send the SMS to the selected user's telephone attribute)
  • Active Attribute Sync (to sync additional LDAP attributes like telephone numbers to Jira; it also allows resetting passwords via post-functions)
  • Jira Suite Utilities (to clear field values)

 

 In order to set this up you will need to configure the following:

 

  • Create an issue type Password Reset
  • Create the custom fields User (User Picker), Password (Text), Telephone number (Text)
  • Create a Jira Service Desk request type
  • Create a matching workflow

 

Jira Service Desk

We've created a simple request type for users to request a password reset. Obviously, the user that needs a password reset can't log in so we allow you to make the request for someone else. To prevent random password resets for other users, we have limited the approval of the password reset to our service desk team.

 


 

Once the request has been submitted, one of our Jira Service Desk agents can pick it up and approve the request.

 

[Screenshot: agent view]

 

Workflow

So what happens when the Jira Service Desk agent clicks on Reset Password?

  1. First of all, the user's LDAP telephone number is copied into a custom field. That field is needed to send a text message later on.
  2. Then a random password is generated and copied into a custom field.
  3. The user's password is then reset in LDAP.
  4. A text message is sent with the new password to the phone number found in the custom field.
  5. The password value is then cleared.
  6. The entire history of the ticket is cleared in order to ensure that sent passwords cannot be retrieved.

[Image: reset password workflow]

 

Order matters

When configuring such a workflow, make sure that the post-functions you're executing are in the correct order. Below is a screenshot of our setup:

 

[Screenshot: all post-functions]

 

Sending SMS messages

In our case, we're using an app that is unfortunately no longer available in the Marketplace, but is still supported for us by Polontech. To re-create this functionality you could build a small app yourself, take a look at Notifications for Jira, or make use of a WebHook.

 

Code snippets

We've used ScriptRunner to help us generate a random password, but also to clear the history of the issue so the sent password cannot be retrieved by anyone. Here are both scripts:

 

Random password

import org.apache.commons.lang3.RandomStringUtils
import java.security.SecureRandom
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.issue.fields.CustomField;
import com.atlassian.jira.event.type.EventDispatchOption;
import com.atlassian.jira.issue.MutableIssue;
import com.atlassian.jira.issue.index.IssueIndexingService
import com.atlassian.jira.util.ImportUtils

def passwordLength = 12
def possibleCharacters = (new String("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789~`!@#%^&*()-_=+[{]}\\|;:\'\",<.>/?")).toCharArray();
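/* The 'end' index of RandomStringUtils.random is exclusive, so pass the full array length; length-1 would never select the last character */
String randomStr = RandomStringUtils.random(passwordLength, 0, possibleCharacters.length, false, false, possibleCharacters, new SecureRandom() );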

/* Custom field for password */
CustomField passwordCF = ComponentAccessor.getCustomFieldManager().getCustomFieldObject(11701L); // ID refers to the custom field ID

/* Retrieve the issue from the workflow */
MutableIssue mi = (MutableIssue) issue;

/* Set the password */
mi.setCustomFieldValue(passwordCF, randomStr);

/* Update the issue */
def currentUser = ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()
ComponentAccessor.getIssueManager().updateIssue(currentUser, mi, EventDispatchOption.DO_NOT_DISPATCH, false);

/* Re-index the issue */
def issueIndexingService = ComponentAccessor.getComponent(IssueIndexingService)
boolean wasIndexing = ImportUtils.isIndexIssues();
ImportUtils.setIndexIssues(true);
issueIndexingService.reIndex(issue);
ImportUtils.setIndexIssues(wasIndexing);
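
The script above draws every position from one combined character set, so a 12-character result can come out without any digit or symbol. A variant, added here as an example and not part of the original scripts, that guarantees one character from each class (assuming the LDAP directory enforces such a complexity policy) and leaves out look-alike characters because the password is read from a text message. The class name `ResetPasswordGenerator`, its methods and the character sets are hypothetical.

```groovy
import java.security.SecureRandom

class ResetPasswordGenerator {
    // Assumed character classes; O/0 and I/l/1 are omitted because the
    // password is typed over from an SMS. Adjust to your directory's policy.
    static final List<String> CLASSES = [
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        'abcdefghijkmnopqrstuvwxyz',
        '23456789',
        '!@#%^&*()-_=+'
    ]
    static final SecureRandom RNG = new SecureRandom()

    static String generate(int length = 12) {
        if (length < CLASSES.size()) {
            throw new IllegalArgumentException('length must be at least ' + CLASSES.size())
        }
        String all = CLASSES.join('')
        List<Character> chars = []
        // One character from every class, so a policy requiring all classes is met
        CLASSES.each { String cls -> chars << cls.charAt(RNG.nextInt(cls.length())) }
        // Remaining positions are drawn uniformly from the union of all classes
        while (chars.size() < length) {
            chars << all.charAt(RNG.nextInt(all.length()))
        }
        // Shuffle with the same SecureRandom so the guaranteed characters
        // do not sit in predictable positions
        Collections.shuffle(chars, RNG)
        return chars.join('')
    }

    // True when the password contains at least one character of every class
    static boolean coversAllClasses(String pw) {
        return CLASSES.every { String cls ->
            pw.toCharArray().any { char c -> cls.contains(c.toString()) }
        }
    }
}

// In the post-function this value would take the place of randomStr
String randomStr = ResetPasswordGenerator.generate(12)
assert randomStr.length() == 12
assert ResetPasswordGenerator.coversAllClasses(randomStr)
```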

 

Clear issue history

import com.atlassian.jira.issue.MutableIssue;
import com.atlassian.jira.issue.Issue;
import com.atlassian.jira.component.ComponentAccessor
 
def issueManager = ComponentAccessor.getIssueManager()
def changeHistoryManager = ComponentAccessor.getChangeHistoryManager()
 
/* Retrieve the issue from the workflow */
MutableIssue issue = (MutableIssue) issue;
 
/* Clear the issue history */
changeHistoryManager.removeAllChangeItems(issue)

 

OK, so admittedly, implementing this means a bit of an investment, but in the end, depending on the size of your organization, this solution could save administrators a lot of time and aggravation. Plus, as you can read, it's actually pretty simple to set up. The apps we used here are also really useful for automating other things, so they're quite good to have anyway. The only things that had to be custom made were the two ScriptRunner scripts, and you can basically reuse them as-is.

 

Want to know more about what we do? Read our other blog posts or get in touch with us and see how we can help you automate your own processes. Also, check out Jira Admin trainings that aim to empower admins and to help them implement these kinds of solutions themselves.

 
