-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Low
-
None
-
Affects Version/s: 9.1
-
Component/s: Configuration
-
Severity 2 - Major
-
3
Issue Summary
From Automation For Jira version 9.1.x onwards we've introduced a security feature: Restrict rule actor impersonators
Starting from Jira automation 9.1, when you create a new rule, you’ll only be able to select yourself as the rule’s actor. This improves your instance’s security by preventing users without required permissions from impersonating other users and creating issues through Jira automation rules.
On the UI Project Admins can still see the Copy button on a Global Rule, but there's no way for a project admin to actually publish the copied rule unless they have the explicit "Impersonate users in A4J project scope" permission.
This is reproducible on Data Center: yes
Steps to Reproduce
- Create a Global A4J rule as a Jira Admin
- Try to copy the Global rule as a Project Admin
Expected Results
A Project admin without the explicit "Impersonate users in A4J project scope" permission should not be able to change the Rule Actor. However, they should still be able to copy a global rule i.e., the rule should default to the Project admin user as the Rule Actor.
Actual Results
It's impossible for the project admin to publish the copied rule with the error "No permission to change the rule actor to other user"
Workaround
Currently, there is no known workaround for this behavior - other than to explicitly allow the Project Admin(s) to be able to change the Rule Actor by adding them to the "Impersonate users in A4J project scope" permission.
- links to
