# Install Nightfall for Jira
This document explains the process of installing Nightfall for Jira.
## Prerequisites
The installation of Jira integration requires you to have the following prerequisites
* An Atlassian tenant with Jira enabled.
* Standard Atlassian user account used as a Service Account - A regular Atlassian user account (has a password, can log into the Atlassian UI) that is shared or dedicated for system use rather than belonging to a specific person.
* Has a password and can log in via the browser
* Has its own dedicated email (e.g., [`nightfall-jira@company.com`](mailto:nightfall-jira@company.com) or an AD account)
* ❌ Not Supported - Atlassian Service Account (Programmatic)
Atlassian's native "service account" feature, designed for programmatic access only.
* No password - cannot log in via the browser UI
* Cannot complete Nightfall's OAuth consent screen
* Also lacks the `issue:redact` scope, so Jira historical redaction would not work even if supported
* Cannot be created programmatically (must be created manually in Atlassian Admin)
* You must have access and must be logged in to the Atlassian account.
## How Nightfall Uses the Connected Account
| **Function** | **Credentials Used** |
| ---------------------------------------------- | ---------------------------------------- |
| OAuth flow - discovering Jira/Confluence sites | Installing user (service account) |
| All DLP scanning | Nightfall App credentials - NOT the user |
| Jira historical redaction API | Installing user (service account) |
| All other APIs | Nightfall App credentials |
**Key implication:** Revoking the service account's Atlassian permissions will NOT affect scanning. It only affects Jira historical redaction, which falls back to replacing text with `[Sensitive Data Removed]` instead of native API-based redaction.
## Recommended Setup: Service Account Installation
Follow these steps for a **fresh installation** or when **re-authorizing** to switch from an individual account to a service account.
**Step 1 - Create the Atlassian Service Account**
Create a dedicated Atlassian user account to serve as the service account:
1. Use a shared mailbox or AD account email (e.g., `nightfall-jira@company.com`)
2. This must be a **standard Atlassian user account** - it needs a password and must be able to log into Atlassian via the browser
3. Assign it the necessary Jira/Confluence admin permissions to complete the OAuth flow
**Step 2 - Add the Service Account as a Nightfall System Administrator**
> This step is critical. It ensures that the service account email (not a personal admin's email) is shown in Nightfall's Integrations page.
1. Log into the Nightfall console as a current admin
2. Go to **Settings → Users**
3. Invite the service account email (e.g., `nightfall-jira@company.com`) and assign the **System Administrator** role
4. Have the service account complete the Nightfall invitation/login flow
**Step 3 - Install / Re-authorize Jira Using the Service Account**
Use an **incognito/private browser window** for the entire flow to avoid conflicts with any personally logged-in Atlassian accounts.
1. Open an incognito tab
2. **Log into Jira/Atlassian** with the service account credentials
3. **In the same incognito tab**, open the Nightfall console and log in as the **service account user** (the System Administrator added in Step 2)
4. Navigate to **Configuration → Integrations → Jira**
5. Click **"+ Add Site"**
6. Select your Atlassian site from the dropdown
7. Click **"Accept"** to grant Nightfall permissions
8. Click the **Jira icon** to open the Atlassian Marketplace
9. Select **"Get it now"** on the DLP for Jira app page
10. Choose your site and click **"Install app"** → confirm **"Get it now"**
After installation, Nightfall automatically configures the integration and shows an "Alert Destination" label.
**Step 4 - Verify**
In Nightfall Console → Integrations → Jira, confirm:
1. The **email shown** matches the service account email (e.g., `nightfall-jira@company.com`)
2. The site appears with "Alert Destination" status
If the email shown matches the service account - setup is complete and correct.
When you return to the Nightfall application, the appearance of the JIRA icon changes once the **DLP for Jira** app is installed. This confirms the successful installation of the **DLP for Jira** app.
{% hint style="info" %}
**Important**
Once you install the DLP for Jira application on an Atlassian account, Nightfall automatically configures the Alert platform with this Jira account. You can confirm this by navigating to **Settings** -> **Alert platforms** in Nightfall.
{% endhint %}
In the Atlassian integration page, there is a phrase attached to this Atlassian account known as **Alert Destination** which also confirms that this Jira is used as an Alert platform.
When you install **DLP for Jira** on another Atlassian account, the alert destination automatically shifts to the new Atlassian account on which the DLP for Jira is recently installed.
## Re-authorizing an Existing Connection (No Fresh Install Needed)
If the integration already exists but was set up with an individual admin account, you can switch to a service account without disconnecting or reinstalling.
1. Complete Steps 1 and 2 above (create service account + add to Nightfall as System Admin)
2. Open an incognito tab; log into Jira with the service account
3. Open Nightfall console in the same tab; log in as the service account Nightfall user
4. Go to **Integrations → Jira → click "+ Add Site"**
5. Complete the OAuth flow with the service account
The credentials are **overwritten in-place**. No disruption to policies, violations, or scanning.
