Suggestion
Resolution: Unresolved
3
Issue Summary
User access admins can assign product admin roles for Confluence, which potentially allows them to escalate their own privileges and gain access to spaces they should not have access to.
Steps to Reproduce
- On a site with Jira Software and Confluence, assign the user access admin role to a user for both Jira Software and Confluence.
- Log in as the user access admin and go to User Management.
- Invite another user to the site.
- Grant the Product admin role for both Jira Software and Confluence.
The Product admin role is allowed to be granted for Confluence but not for Jira.
Suggestion
A user access admin should only be able to manage user access, not administrator access, to the products they are a user access administrator for.
Workaround
Do not use the user access administrator role for Confluence, or monitor to ensure any inappropriate use is captured.
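The monitoring half of the workaround can be sketched as a replay over role-grant events. This is an added example, not Atlassian code and not part of the original issue: the event fields, role names and sample data are assumptions and do not reflect the real audit log schema.

```python
# Added example: field names and role strings are hypothetical, not Atlassian's schema.
from dataclasses import dataclass

USER_ACCESS_ADMIN = "user-access-admin"
PRODUCT_ADMIN = "product-admin"

@dataclass(frozen=True)
class RoleGrant:
    ts: str        # ISO-8601 timestamp (sorts lexicographically)
    actor: str     # account that performed the grant
    target: str    # account that received the role
    product: str
    role: str

def find_suspect_grants(events, org_admins):
    """Replay grants in time order and flag product admin grants made by an
    actor who, at that moment, held only user access admin for the product."""
    held = {}      # (user, product) -> roles granted so far
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        actor_roles = held.get((ev.actor, ev.product), set())
        if (ev.role == PRODUCT_ADMIN
                and ev.actor not in org_admins
                and USER_ACCESS_ADMIN in actor_roles
                and PRODUCT_ADMIN not in actor_roles):
            kind = "self-escalation" if ev.target == ev.actor else "admin-grant"
            findings.append((ev.ts, ev.actor, ev.target, ev.product, kind))
        held.setdefault((ev.target, ev.product), set()).add(ev.role)
    return findings

# Constructed sample events that mirror the reproduction steps.
SAMPLE = [
    RoleGrant("2024-01-01T09:00:00Z", "org-owner", "uaa", "confluence", USER_ACCESS_ADMIN),
    RoleGrant("2024-01-01T09:00:05Z", "org-owner", "uaa", "jira-software", USER_ACCESS_ADMIN),
    RoleGrant("2024-01-01T09:05:00Z", "org-owner", "lead", "jira-software", PRODUCT_ADMIN),
    RoleGrant("2024-01-02T10:00:00Z", "uaa", "invitee", "confluence", PRODUCT_ADMIN),
    RoleGrant("2024-01-02T10:02:00Z", "uaa", "uaa", "confluence", PRODUCT_ADMIN),
]

if __name__ == "__main__":
    for finding in find_suspect_grants(SAMPLE, org_admins={"org-owner"}):
        print(finding)
```

Grants made by accounts listed in org_admins are treated as legitimate. Whether an existing product admin may grant the role is not stated in the issue, so the check flags only actors holding user access admin alone.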
[ID-8571] User Access Administrators should only be able to grant User Access
Support reference count | Original: 2 | New: 3 |
Support reference count | Original: 1 | New: 2 |
Labels | Original: guard-s7 | New: guard-s6 guard-s7 |
Labels | New: guard-s7 |
Support reference count | Original: 4 | New: 1 |
Remote Link | New: This issue links to "CES-34851 (Atlassian Support System)" [ 890966 ] |
Summary | Original: User access admins can assign product admin role for Confluence | New: User Access Administrators should only be able to grant User Access |
Description |
Original:
h3. Issue Summary
User access admins can't assign product admin role for Jira
h3. Steps to Reproduce
# On a site with Jira Software and Confluence, assign the user access admin role to a user for both Jira Software and Confluence.
# Login as the user access admin and go to User Management.
# Invite another user to the site
# Grant the *Product admin* role for both Jira Software and Confluence.
The Product admin role is allowed to be granted for Confluence but not for Jira
(/) Confluence : !Confluence.png|thumbnail!
(x) Jira !Jira.png|thumbnail!
h3. Suggestion
If a user has User Access Admin for all Jira products in a site, they should be able to grant the Product Admin role for Jira to other users.
h3. Workaround
Request the organization administrator to grant the Product admin role for Jira |
New:
h3. Issue Summary
User access admins can assign product admin roles for Confluence, which potentially allows them to escalate their own privileges and gain access to spaces they should not have access to
h3. Steps to Reproduce
# On a site with Jira Software and Confluence, assign the user access admin role to a user for both Jira Software and Confluence.
# Login as the user access admin and go to User Management.
# Invite another user to the site
# Grant the *Product admin* role for both Jira Software and Confluence.
The Product admin role is allowed to be granted for Confluence but not for Jira
(x) Confluence : !Confluence.png|thumbnail!
(/) Jira !Jira.png|thumbnail!
h3. Suggestion
A user access admin should only be able to manage user access, and not administrator access to the products they are a user access administrator for
h3. Workaround
Do not use the user access administrator role for Confluence, or monitor to ensure any inappropriate use is captured. |
Reporter | Original: Cosmin-Gabriel Moflic [ d2a75811c3d2 ] | New: Andrew Delaney [ 042cb27a6182 ] |
We rely on this feature to allow site admins to add/remove product admins, so that org admins do not have to micromanage admin access to products under different sites. It works for Compass and Confluence but not for Jira Software & Jira Product Discovery.