Uploaded image for project: 'Identity'
  1. Identity
  2. ID-8571

User Access Administrators should only be able to grant User Access

XMLWordPrintable

    • 1

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

      Issue Summary

      User access admins can assign product admin roles for Confluence, which potentially allows them to escalate their own privileges and gain access to spaces they should not have access to

      Steps to Reproduce

      1. On a site with Jira Software and Confluence, assign the user access admin role to a user for both Jira Software and Confluence. 
      2. Login as the user access admin and go to User Management. 
      3. Invite another user to the site 
      4. Grant the Product admin role for both Jira Software and Confluence. 

      The Product admin role is allowed to be granted for Confluence but not for Jira

      Confluence :

       Jira

       

       

      Suggestion

      A user access admin should only be able to manage user access, and not administrator access to the products they are a user access administrator for

      Workaround

      Do not use the user access administrator role for Confluence, or monitor to ensure any inappropriate use is captured.

        1. Confluence.png
          Confluence.png
          200 kB
        2. image-2023-11-28-12-27-56-689.png
          image-2023-11-28-12-27-56-689.png
          26 kB
        3. image-2023-12-11-13-46-02-910.png
          image-2023-12-11-13-46-02-910.png
          200 kB
        4. Jira.png
          Jira.png
          185 kB

              Unassigned Unassigned
              042cb27a6182 Andrew Delaney
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: