
[JIRAALIGN-927 ] NDA Impersonation does not limit access to just the common portfolios


Details

    • Bug
    • Resolution: Fixed
    • Medium
    • 10.69
    • 10.58, 10.59
    • people
    • None
    • 3
    • Severity 2 - Major
    • Batman! - RHP9

    Description

      Issue Summary

      We recently implemented an NDA feature with impersonation in Jira Align, where if two users are not in the same portfolio, one user cannot impersonate the other.

      However, there is still a lingering issue with the implementation.

      What concerns customers is a situation where two users have access to a common Portfolio. A user can impersonate another user and see all their Portfolios, not just the Portfolios that they have in common! The feedback from customers that have encountered this is that this is a violation of the whole NDA capability.

      In testing this:

      1. Users cannot impersonate a person who only has Portfolio access that they DO NOT have, which is good.

      2. However, when they have access to a common Portfolio, then the user can Impersonate them, and see all of that impersonated user's Portfolios, not just the Portfolios they have access to.

      The request is that the NDA impersonation feature be fixed so that impersonation restricts access only to the data that the two users have common access to.

      Steps to Reproduce

      1. In Jira Align, impersonate a user that has access to the same portfolio as you.

      Expected Results

      Per PM review: users belonging to any type of team related to a Private Portfolio cannot be impersonated (the exception is Super Admin, who can impersonate any user).

      Actual Results

      The user doing the impersonating has access to all the data that the impersonated user has access to. This includes data that the impersonating user does not otherwise have access to.
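      To make the reported flaw concrete, the following added example (not Jira Align's code; user names and portfolio names are constructed) models the check described above: the reported behaviour grants the impersonator every portfolio the target can see, while the corrected behaviour applies the PM-review rule and limits visibility to the portfolios both users already share.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    portfolios: frozenset        # portfolios this user may access
    private_team: bool = False   # member of a team related to a Private Portfolio
    super_admin: bool = False


def can_impersonate_reported(actor: User, target: User) -> bool:
    # Behaviour described in the report: one shared portfolio is enough.
    return bool(actor.portfolios & target.portfolios)


def visible_portfolios_reported(actor: User, target: User) -> set:
    # Reported actual result: the impersonator inherits everything the target sees.
    return set(target.portfolios)


def can_impersonate_fixed(actor: User, target: User) -> bool:
    # Expected result per PM review: Super Admin may impersonate anyone; a user on
    # any team related to a Private Portfolio cannot be impersonated by anyone else.
    if actor.super_admin:
        return True
    if target.private_team:
        return False
    return bool(actor.portfolios & target.portfolios)


def visible_portfolios_fixed(actor: User, target: User) -> set:
    # Requested behaviour: only data the two users have in common. A Super Admin is
    # assumed (not stated on the page) to already hold access to every portfolio.
    if actor.super_admin:
        return set(target.portfolios)
    return set(actor.portfolios & target.portfolios)


def over_exposure(actor: User, visible: set) -> set:
    # Audit helper: portfolios an impersonation session reveals beyond the
    # impersonator's own rights. A non-empty result is the NDA violation.
    return visible - set(actor.portfolios)


# Constructed sample users, not real Jira Align data.
ALICE = User("alice", frozenset({"Shared", "Alpha"}))
BOB = User("bob", frozenset({"Shared", "Beta", "Gamma"}))
CAROL = User("carol", frozenset({"Shared"}), private_team=True)
ADMIN = User("admin", frozenset({"Shared", "Alpha", "Beta", "Gamma"}), super_admin=True)

if __name__ == "__main__":
    print("reported:", sorted(over_exposure(ALICE, visible_portfolios_reported(ALICE, BOB))))
    print("fixed:   ", sorted(over_exposure(ALICE, visible_portfolios_fixed(ALICE, BOB))))
```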

      Workaround

      Option 1 - Disable Impersonation for certain roles or all roles.

      The product includes the ability to disable Impersonation. This is done on a per-role basis.

      As a Super Admin, click the Administration icon in Jira Align. On the Administration page, select Roles, then select a role from the drop-down menu.

      For each role in Jira Align, click the plus sign beside "Administration". Scroll down until you see "Impersonate", then set the toggle to disabled. Save the changes.

      From that point forward, the role(s) will no longer be able to impersonate other users.

            People

              idziadyk@atlassian.com Iryna Dziadyk (Inactive)
              kbaxley Kent Baxley
              Votes: 2
              Watchers: 13