Issue Summary
We recently implemented an NDA feature with impersonation in Jira Align, where if two users are not in the same portfolio, one user cannot impersonate the other.
However, there is still a lingering issue with the implementation.
What concerns customers is the situation where two users have access to a common Portfolio. One user can then impersonate the other and see all of that user's Portfolios, not just the Portfolios the two have in common. Customers that have encountered this report that it defeats the whole NDA capability.
In testing this:
1. Users cannot impersonate a person who only has Portfolio access that they DO NOT have, which is good.
2. However, when they have access to a common Portfolio, the user can impersonate them and see all of the impersonated user's Portfolios, not just the Portfolios the impersonating user has access to.
The request is that the NDA impersonation feature be fixed so that impersonation restricts access only to the data that the two users have common access to.
Steps to Reproduce
- In Jira Align, impersonate a user that has access to the same portfolio as you.
Expected Results
Per PM review: users belonging to any type of team related to a Private Portfolio cannot be impersonated. (The exception is Super Admin: a Super Admin can impersonate any user.)
Actual Results
The user doing the impersonating has access to all the data that the impersonated user has access to. This includes data that the impersonating user does not otherwise have access to.
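To make the reported gap concrete, here is an added Python model of the rules described in this issue (it is not Jira Align's code, and the team and portfolio names are assumptions). It contrasts the session scope observed today with the requested one, implements the PM-review rule for who may be impersonated, and gives a check a tester can run to see which portfolios a given pair would leak.

```python
from dataclasses import dataclass

# Constructed model of the rules this issue describes; it is not Jira Align's code.
# Team names and portfolio names below are assumptions made for the example.
TEAM_PORTFOLIOS = {
    "team-shared":  {"Portfolio-Common"},
    "team-private": {"Portfolio-NDA"},       # team tied to a Private Portfolio
    "team-other":   {"Portfolio-Other"},
}
PRIVATE_PORTFOLIOS = {"Portfolio-NDA"}


@dataclass(frozen=True)
class User:
    name: str
    teams: frozenset
    super_admin: bool = False

    @property
    def portfolios(self) -> set:
        """Portfolios reachable through any of the user's teams."""
        return set().union(*(TEAM_PORTFOLIOS[t] for t in self.teams))


def can_impersonate(actor: User, target: User) -> bool:
    """Expected rule per the PM review: a member of any team related to a Private
    Portfolio cannot be impersonated; a Super Admin may impersonate anyone."""
    if actor.super_admin:
        return True
    if target.portfolios & PRIVATE_PORTFOLIOS:
        return False
    # The shipped check is kept: impersonation still needs a common portfolio.
    return bool(actor.portfolios & target.portfolios)


def session_scope_actual(actor: User, target: User) -> set:
    """Actual result reported: the session inherits everything the target can see."""
    return target.portfolios


def session_scope_requested(actor: User, target: User) -> set:
    """Requested fix: the session is limited to the portfolios both users share."""
    return actor.portfolios & target.portfolios


def nda_leak(actor: User, target: User, scope_fn=session_scope_actual) -> set:
    """Portfolios an impersonation session would expose that the actor cannot
    otherwise reach; an empty set means the NDA boundary holds for this pair."""
    return scope_fn(actor, target) - actor.portfolios
```

Running `nda_leak` over each pair of users in a tenant, once with the actual scope and once with the requested one, gives a quick regression check for the fix.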
Workaround
Option 1 - Disable Impersonation for certain roles or all roles.
The product includes the ability to disable Impersonation. This is done on a per-role basis.
As a Super Admin, click the Administration icon in Jira Align. On the Administration page, select Roles. Select a role from the drop-down menu.
For each role in Jira Align, click the plus sign beside "Administration". Scroll down until you see "Impersonate", then set the toggle to disabled. Save the changes.
From that point forward, the role(s) will no longer be able to impersonate other users.
- relates to: JIRAALIGN-1115 Bug: Private Portfolios can be accessed via impersonation (Closed)
- is related to: ALIGNSP-339