Type: Bug
Resolution: Fixed
Priority: Medium
Affects versions: 9.0.0, 9.1, 9.2.0, 10.0.0, 10.2.1, 10.1.1
Severity 2 - Major
0
Version info
Automation for Jira versions that have the Manage Secret Keys feature, i.e. Automation for Jira 9.0.0 and above (Reference: Automation Release notes).
Description
Issue Summary
The Automation documentation describes secret keys as being tied to one or more projects: https://confluence.atlassian.com/automation0902/create-and-edit-masked-secret-keys-for-automation-rules-1431247502.html.
At the database level, the table AO_589059_SECRET_PROJ_ASSOC associates secret keys with projects.
On the permission side, following the flowchart in https://support.atlassian.com/automation/kb/guide-explaining-how-automation-administration-permissions-work/, managing secret keys should pass through the first check, "Is projectId present?", and be able to determine whether a secret has a projectId associated via the table AO_589059_SECRET_PROJ_ASSOC. The understanding is that, because secret keys carry a projectId, project admins should not need the "Allow project administrators to manage project rules" automation global permission to at least view the list of secret keys for the projects they administer.
Project admins that do not have the "Allow project administrators to manage project rules" automation global permission cannot view secret keys.
In addition, the same type of user cannot view rule actions that make use of secrets (for example, Send Slack message and Send Microsoft Teams message). These users get a blank page, because the REST API request that fetches the secret details (GET /rest/cb-automation/latest/secrets/) returns HTTP 403.
Steps to Reproduce
Create a secret key and use it in an automation rule action:
- Log in as a Global Jira Admin user
- Go to Jira Administration ⚙ > System > Automation rules > ... > Global configuration
- Tick the option Allow project administrators to manage project rules
- Log in as a Project Admin user
- Go to Project Settings > Automation
- Create a new Secret Key (via ... > Manage secret keys)
- Create a new automation rule with manual trigger (trigger doesn't matter, this is for testing only)
- Add an action that uses a Secret Key (for example, Send Microsoft Teams message or Send Slack message) and assign the Secret Key that was created
Remove the "Allow project administrators to manage project rules" automation global permission:
- Log back in as a Global Jira Admin
- Go to ⚙ > System > Automation rules > ... > Global configuration
- Un-Tick the option Allow project administrators to manage project rules
- Log back in as a Project Admin user
- Go to Project Settings > Automation
- Go to the Secret keys page via ... > Manage secret keys
- Open the Automation rule configured earlier to use a Secret Key
- Click on the action that is using the Secret Key (the Send Microsoft Teams message or Send Slack message action)
Expected Results
The project admin user should be able to view, but not manage, the secret key, as well as the automation rule actions that make use of a secret key.
Instead of an error message saying "Something went wrong", A4J should show a warning message saying the user doesn't have permission to manage Secret Keys.
Actual Results
The project admin gets the error below when accessing the Manage Secret Keys page:
Something went wrong during the last request, please try again later
The project admin gets a blank page when clicking on an automation rule action that uses a secret key. The corresponding REST API call for retrieving secret keys ends with an HTTP 403.
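To make the gap between the observed and the expected permission check concrete, here is an added model of both decisions (constructed for this report, not Automation for Jira code): the User and Secret classes and the two decision functions are assumptions, with the secret-to-project association standing in for the rows of AO_589059_SECRET_PROJ_ASSOC.

```python
from dataclasses import dataclass

# Constructed model of the authorization decision described in the report.
# Names and signatures are assumptions, not the product's own API.

@dataclass(frozen=True)
class User:
    name: str
    is_jira_admin: bool = False
    admin_of_projects: frozenset = frozenset()

@dataclass(frozen=True)
class Secret:
    key_id: str
    project_ids: frozenset = frozenset()  # stands in for AO_589059_SECRET_PROJ_ASSOC rows

def observed_decision(user, secret, action, global_perm_enabled):
    """HTTP status the report observes: a project admin is gated solely on the
    global permission, so without it both 'view' and 'manage' end in 403 even
    for a secret tied to a project they administer ('action' is ignored)."""
    if user.is_jira_admin:
        return 200
    if global_perm_enabled and user.admin_of_projects & secret.project_ids:
        return 200
    return 403

def expected_decision(user, secret, action, global_perm_enabled):
    """Decision the report expects: take the 'Is projectId present?' branch
    first, allow an admin of an associated project to view the secret, and
    require the global permission only to manage it."""
    if user.is_jira_admin:
        return 200
    if not (user.admin_of_projects & secret.project_ids):
        return 403  # not an admin of any project the secret is tied to
    if action == "view":
        return 200
    return 200 if global_perm_enabled else 403

def divergences(user, secret, global_perm_enabled):
    """Return (action, observed, expected) triples where the two checks disagree."""
    out = []
    for action in ("view", "manage"):
        obs = observed_decision(user, secret, action, global_perm_enabled)
        exp = expected_decision(user, secret, action, global_perm_enabled)
        if obs != exp:
            out.append((action, obs, exp))
    return out
```

Running `divergences` for a project admin of PROJ against a secret tied to PROJ with the global permission off yields only `('view', 403, 200)`: the manage decision already agrees, and the view decision is the reported defect.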
Workaround
Assign project admins to groups that have the "Allow project administrators to manage project rules" automation global permission.
However, there are large customers with security requirements that do not allow this workaround.
Related issue: JIRAAUTOSERVER-972 Automation secret keys can't exceed 255 characters (Closed)