
Portfolio Room toggle disabled in Role, but user can still access Portfolio Room

    • Severity 3 - Minor

      Issue Summary

      Portfolio Room toggle is disabled in Role, but the user can still access the Portfolio Room.


      This is reproducible on Data Center: (yes) 

      Steps to Reproduce

      1. In Role > Portfolio, disable the Portfolio Room toggle.
      2. Navigate to the Portfolio: the Portfolio Room entry has disappeared from the sidebar menu, but the user can still access the Portfolio Room and it is visible.
      3. Re-enable the Portfolio Room toggle and confirm that the Portfolio Room reappears in the sidebar.

      Expected Results

      The user should not be able to log in to or access the Portfolio Room when the toggle is disabled.

      Actual Results

      The Portfolio Room has disappeared from the sidebar menu, but the page is still accessible and visible to a user who does not have the Portfolio Room permission.
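The failure mode described above (menu entry hidden, page still served) as an added illustration in Python; this is not Jira Align code, and Role, User, render_sidebar and the handler names are constructed for the example. It contrasts a handler that relies on the hidden link with one that enforces the role toggle and portfolio team membership on the request itself, and adds a regression check that flags the two disagreeing.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Role:
    name: str
    # Role-level feature toggles, e.g. {"portfolio_room": False} (constructed key)
    toggles: dict[str, bool] = field(default_factory=dict)

@dataclass
class User:
    name: str
    role: Role
    portfolio_teams: frozenset[str] = frozenset()  # Portfolio teams the user belongs to

def room_enabled(user: User) -> bool:
    return user.role.toggles.get("portfolio_room", False)

def render_sidebar(user: User) -> list[str]:
    """Navigation layer: lists only the entries the role enables.
    This is all that step 2 of the report observes (entry gone from the menu)."""
    return ["Program Room"] + (["Portfolio Room"] if room_enabled(user) else [])

def open_portfolio_room_ui_only(user: User, portfolio: str) -> dict:
    """Buggy pattern matching the report: the handler assumes the hidden link is
    enough and never re-checks the toggle, so a direct request still gets Financials."""
    return {"status": 200, "portfolio": portfolio, "financials": "<confidential>"}

def open_portfolio_room(user: User, portfolio: str) -> dict:
    """Hardened pattern: enforce the toggle and team membership on the request
    itself, independent of what the menu showed."""
    if not room_enabled(user):
        return {"status": 403, "reason": "portfolio_room toggle disabled for role"}
    if portfolio not in user.portfolio_teams:
        return {"status": 403, "reason": "not a member of this portfolio team"}
    return {"status": 200, "portfolio": portfolio, "financials": "<confidential>"}

def hidden_but_accessible(user: User, portfolio: str,
                          handler: Callable[[User, str], dict]) -> bool:
    """Regression check for this bug class: True when the sidebar hides the room
    yet the handler still serves it, i.e. menu and authorization disagree."""
    hidden = "Portfolio Room" not in render_sidebar(user)
    served = handler(user, portfolio)["status"] == 200
    return hidden and served
```

Running hidden_but_accessible against every role and route in a test suite turns this class of bug into a failing test rather than a customer report.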

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

      Attachments:
        1. PR toggle off.png (201 kB)
        2. PR toggleON.png (163 kB)


            Heidi Hendry added a comment:

            I can't attach images. I'll send them to Rachel.

            Heidi Hendry added a comment:

            Hi Kyle, Rachel, Don,

            Currently in PROD 10.126.3.38171 with new Nav, if a user is NOT in the Portfolio team, but is in a "child" Agile or Kanban team of that Portfolio, they can navigate to the Portfolio Room and see the Financials.

            As this is a public facing website, I have blacked out PII, but the images show that a user with NO Portfolio team membership, then impersonated, can currently see the Financials in the Portfolio Room.

            Though this Bug might not be worded that way, that's what this Bug was intended to address.

            Kyle Foreman added a comment:

            Hi all,

            In Jira Align's new navigation experience, rooms will be on for all users with access to a team at that level (e.g. if users have access to a portfolio/portfolio team, they will have access to the portfolio room). As soon as we're able to turn the old navigation experience off, role permissions will be updated to reflect this change.

            In the meantime, we'll review our documentation to make sure this is called out clearly. Please let us know if you have any questions.

            -Kyle

            Heidi Hendry added a comment:

            Hi there, I noticed that you changed the status from "In Progress" to "Long Term Backlog". Please could you explain this decision?

            Thanks

            Heidi Hendry added a comment:

            Further to this, we discovered that Integrated User (OOTB System Role) is able to view the Portfolio Room and Financials view due to this bug.

            Heidi Hendry added a comment:

            As the Portfolio Room displays the Financials, having this visible to people without the permission is a large business data privacy issue.
            Please could the symptom severity be increased?
