
Epic permission is not being correctly evaluated/respected.

    • Severity 2 - Major

      Issue Summary

      Epic permission is not being correctly evaluated/respected for Custom Hierarchies

      If we remove all the permissions from the Epic and leave only the view permission for it, we can't save any changes, as the Save button is not present, and the POST call to update the details is made only when we click Save.

      Custom Hierarchies behave differently: once we select a value, a POST call is made immediately, saving the change and ignoring the permission for that item.

      Steps to Reproduce

      1. User is mapped to "TestRole".
      2. Go to Administration > Roles > Select "TestRole"
      3. Expand Administration > Other Setup > Click on Manage next to "Custom Hierarchies"
      4. Disable the Edit option for all the Custom Hierarchies available and enable only the View option
      5. Expand Portfolio > Epics and enable only the "Epic Detail Report" option and disable all the other options
      6. Log in as the user mapped to "TestRole"
      7. Go to Portfolio > Epics and open any Epic from the grid
      8. Save button is not visible
      9. Now from custom hierarchy dropdown, we are able to change the Custom hierarchy mapped to the drop-down

      Expected Results

      If Edit permission is not allowed for Epics, then there should not be any POST call for custom hierarchies.

      Actual Results

      Even for Epic view permission, we are able to change the Custom Hierarchies of an Epic.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.
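
The expected result above amounts to enforcing the permission on the server for every write path, rather than relying on the Save button being hidden. A minimal model of that check, added here as an illustration and not Jira Align's code; the role table, permission names and handler functions are hypothetical:

```python
# Added illustration; roles, permission names and handlers are hypothetical,
# not Jira Align's API.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller's role lacks a required permission."""

# Constructed role table mirroring the reproduction steps: "TestRole" can only
# view Epics and Custom Hierarchies.
ROLE_PERMISSIONS = {
    "TestRole": {("epic", "view"), ("custom_hierarchy", "view")},
    "PortfolioManager": {("epic", "view"), ("epic", "edit"),
                         ("custom_hierarchy", "view"), ("custom_hierarchy", "edit")},
}

@dataclass
class Epic:
    title: str
    custom_hierarchy: str
    audit: list = field(default_factory=list)

def require(role, *needed):
    """Deny unless the role holds every (object, action) pair in `needed`."""
    missing = [p for p in needed if p not in ROLE_PERMISSIONS.get(role, set())]
    if missing:
        raise Forbidden(f"{role} lacks {missing}")

def save_epic(role, epic, title):
    """Explicit Save: the path that already respects Epic edit permission."""
    require(role, ("epic", "edit"))
    epic.title = title

def autosave_hierarchy_reported(role, epic, value):
    """Behaviour as reported: the dropdown's POST is applied with no check."""
    epic.custom_hierarchy = value

def autosave_hierarchy_checked(role, epic, value):
    """Same write, gated on edit rights for both the Epic and the field."""
    require(role, ("epic", "edit"), ("custom_hierarchy", "edit"))
    epic.audit.append((role, epic.custom_hierarchy, value))
    epic.custom_hierarchy = value

def attempt(handler, role, epic, value):
    """Return True if the write was accepted, False if it was denied."""
    try:
        handler(role, epic, value)
        return True
    except Forbidden:
        return False
```

The same `attempt` calls work as a regression test: a view-only role must be denied on every handler that mutates the Epic, including auto-saving fields.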

            [JIRAALIGN-4764] Epic permission is not being correctly evaluated/respected.

            Filip Petrescu added a comment

            Hi team,

            Per our discussion, would you mind sharing an ETA for this? If not possible, can you incrementally share the progress during the next few weeks? Thank you!

            Filip Petrescu added a comment - edited

            Hi team,

            Hope you are well. Would you mind sharing with us how this was measured as LOW priority?

            At the moment, any user of Jira Align, regardless of their system role/permission (product owner, scrum master, CPO, Solution owner, initiative owner, etc.), has rights to edit the Custom hierarchy value of any Work object in the system.
            Example: A Product owner by default has permission to edit only stories and features (Jira epics). However, due to this bug, they are able to edit any custom hierarchy value associated with capabilities or epics (aka initiatives) -> this is wrong and has an impact on any planning.

            Currently, system roles are redundant when it comes to the Custom Hierarchy field associated with a work item, which represents a big data breach for any client.

            Looking forward to your swift reply.

            Thank you,
            Filip


              Don Fuller
              Mangala Narayana
              Affected customers: 6
              Watchers: 12
