Automation for Jira Server

JIRAAUTOSERVER-522: Automation Rule project permission allows user to copy the Authorization header


      Problem

With the project permission configured in the automation rule (https://confluence.atlassian.com/automation074/permissions-for-project-automation-1141481144.html), a project admin can still access the System Admin user's Authorization header information from the Send web request action.

But I am a sys-admin and cannot deposit one of my personal tokens in a project automation where every project admin can read my token and use it for some obscure operations. This affects the security of our Jira instance.

      Suggestion

It would be great if the whole automation rule configuration field were disabled so that it cannot be accessed or copied from.

Another option would be to hide the automation rules so that they are not visible under Project Settings > Project automation > list.


            Marc Dacanay made changes -
            Labels Original: iq-a4j New: iq-a4j ril
            Marc Dacanay made changes -
            Remote Link New: This issue links to "Internal ticket (Web Link)" [ 979184 ]
            Mohsin Shaikh made changes -
            Link New: This issue relates to JSWCLOUD-26819 [ JSWCLOUD-26819 ]
            Michelle Chin made changes -
            UIS New: 0


Cristian Iorio added a comment: In my opinion it is absurd that a solution to this is not yet available. I believe that almost all Security departments will, no ifs and buts, mouth the implementation of similar automations. Please consider the request quickly and carefully; this way the action related to HTTP requests is almost unusable!
            Rudy Slaiby made changes -
            Labels New: iq-a4j
            Armando Neto made changes -
            Link New: This issue relates to JSWCLOUD-22729 [ JSWCLOUD-22729 ]


Tommy Augustine added a comment: This would be super helpful for me as a Cloud Admin! Great Suggestion!

People: Konrad Plasota, John Chin
Votes: 28
Watchers: 12