Atlassian Product Integrations / API-794

Allow more granular permissions for Jira Cloud for Slack

Type: Suggestion
Resolution: Unresolved
Component: Jira Cloud for Slack

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

Issue Summary

Currently, the Slack integration with Jira Cloud does not provide sufficiently granular permission controls to restrict user actions and notifications in accordance with strict InfoSec requirements. Organizations need the ability to limit the integration to one-way notifications and prevent unlinked Slack users from accessing Jira data or interacting with the bot beyond basic notifications.

Steps to Reproduce

1. Integrate Jira Cloud with a Slack workspace using the official Atlassian Slack integration.
2. Configure channel notifications and attempt to restrict permissions so that only authorized, linked users can receive notifications or interact with the Slack bot.

Expected Results

• Administrators should be able to configure the integration so that only Slack users who have linked their Atlassian accounts can receive notifications and interact with the Jira Slack bot.
• It should be possible to restrict the integration to a one-way notification system, preventing any user (especially unlinked users) from performing Jira actions or accessing sensitive information via Slack.
• More granular permission controls should be available to align with organizational InfoSec policies.

Actual Results

• Slack users who have not linked their Atlassian accounts can still receive channel notifications and see link unfurling. There is no way to restrict notifications or bot interactions solely to linked users. Permission controls are not granular enough to meet strict InfoSec requirements.

The following security concern is observed:

Unlinked Slack users are able to receive Jira issue notifications and view link previews in Slack channels, even when they have not authenticated with Atlassian. This may expose sensitive information and does not comply with certain InfoSec policies.

Workaround

Currently there is no known workaround for this behavior.

Assignee: Unassigned
Reporter: Dishon Victor
Votes: 0
Watchers: 1