Jira Cloud: JRACLOUD-11884

Security Violation: Manage Project Role Membership needs a Global Permission





      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      After implementing Project Roles in JIRA 3.7 you have unfortunately introduced a major security violation.

      In earlier versions of JIRA the Administer Projects permission granted a user the right to edit a project, manage components and manage versions. In 3.7 this permission also grants the user the right to Manage Project Role Membership.

      I know this is part of the idea behind introducing Project Roles. But it must be possible to exclude users from this right even though they have the Administer Projects Permission. This could be done by introducing a Global Permission: "Manage Project Role Membership".

      In our JIRA installation we have 12 JIRA administrators. They are the only ones that are allowed to manage users and groups. We have a lot of Project Leads that are allowed to Administer Projects. They need to be able to manage components, versions and so on. We even have some customers that are granted the Administer Projects permission because they run their own JIRA projects.

      The problem that has been introduced is not so much that a user with the Administer Projects permission can add a single user to a Project Role. I could live with that. The problem is that they can also add a group. This means that a user can by accident add the wrong users to a project by giving them indirect access (via the group) without knowing it. The users with the Administer Projects permission have no way of knowing which users are in a given group. Only administrators can see this from the Group Browser.

      Another problem is that the users can see "Assign Groups to Project Role". Now the users can see all the groups in JIRA, not only the groups they are a member of. Users without the global "Browse Users" permission (which also controls the ability to browse groups) should not be able to do this. In our JIRA installation groups represent customers. This means that some of our customers can now see the names of some of our other customers... not good...

      I urge you to fix this in a 3.7.x version as soon as possible.



      Edit: 2017-02-01

      Slightly formalised summary

      As a Jira administrator I want to segregate two permissions: Administer Projects (current permission) and Edit Roles (new permission).

      • The project lead/administrator will not have the ability to modify the roles (delegate permissions) but can manage their project for the remaining admin functions.





      Assignee: Unassigned
      Reporter: LarsL
      Votes: 46
      Watchers: 36
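The access-control point in the report above (that assigning a group to a project role silently grants every member of that group, and that under the 3.7 behaviour anyone with Administer Projects can do so) is easier to see in a small model. The following is an added example written for this page, not Jira's own code or API: it models users, groups, global permissions, project roles and a permission scheme, expands a role to its effective users through group membership, and compares the 3.7 rule (Administer Projects alone suffices) with the requested rule (an additional global permission is required). The permission names, the `policy` switch, the group names and the fixture data are all assumptions constructed for the illustration.

```python
"""Toy model of Jira-style project roles, groups and permissions.

Constructed for this page to illustrate JRACLOUD-11884; it is not Jira's
real data model or API. Permission names, the "policy" switch and all
fixture data are assumptions made for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ADMINISTER_PROJECTS = "ADMINISTER_PROJECTS"              # project permission (exists in Jira)
BROWSE_USERS = "BROWSE_USERS"                            # global permission (exists in Jira)
MANAGE_ROLE_MEMBERSHIP = "MANAGE_PROJECT_ROLE_MEMBERSHIP"  # hypothetical global permission requested by the issue
BROWSE_PROJECTS = "BROWSE_PROJECTS"                      # project permission used to show the effect of a grant


@dataclass
class Directory:
    """Users, groups and global permissions: the part only Jira administrators manage."""
    groups: dict[str, set[str]]        # group name -> member usernames
    global_perms: dict[str, set[str]]  # global permission -> groups that hold it

    def has_global(self, user: str, perm: str) -> bool:
        return any(user in self.groups.get(g, set()) for g in self.global_perms.get(perm, set()))

    def groups_of(self, user: str) -> set[str]:
        return {g for g, members in self.groups.items() if user in members}


@dataclass
class Project:
    key: str
    roles: dict[str, set[str]] = field(default_factory=dict)   # role -> actors "user:<name>" or "group:<name>"
    scheme: dict[str, set[str]] = field(default_factory=dict)  # project permission -> roles granting it

    def effective_members(self, role: str, d: Directory) -> set[str]:
        """Expand a role to concrete usernames; a group actor contributes all of its members."""
        users: set[str] = set()
        for actor in self.roles.get(role, set()):
            kind, _, name = actor.partition(":")
            users |= d.groups.get(name, set()) if kind == "group" else {name}
        return users

    def has_project_perm(self, user: str, perm: str, d: Directory) -> bool:
        return any(user in self.effective_members(r, d) for r in self.scheme.get(perm, set()))


def can_manage_role_membership(user: str, project: Project, d: Directory, policy: str) -> bool:
    """policy "3.7": Administer Projects alone suffices (the behaviour the issue objects to).
    policy "proposed": Administer Projects plus the new global permission are both required."""
    if not project.has_project_perm(user, ADMINISTER_PROJECTS, d):
        return False
    if policy == "proposed":
        return d.has_global(user, MANAGE_ROLE_MEMBERSHIP)
    return True


def assign_to_role(actor_user: str, project: Project, d: Directory,
                   role: str, actor: str, policy: str) -> set[str]:
    """Add a user or group actor to a role and return the role's effective users afterwards."""
    if not can_manage_role_membership(actor_user, project, d, policy):
        raise PermissionError(f"{actor_user} may not edit role membership in {project.key}")
    project.roles.setdefault(role, set()).add(actor)
    return project.effective_members(role, d)


def visible_groups(user: str, d: Directory) -> set[str]:
    """Group names a user should see: every group with Browse Users, otherwise only their own."""
    return set(d.groups) if d.has_global(user, BROWSE_USERS) else d.groups_of(user)


def build_fixture() -> tuple[Directory, Project]:
    """Constructed sample data: groups stand for customers, as in the report."""
    d = Directory(
        groups={
            "jira-administrators": {"admin"},
            "project-leads": {"lead"},
            "customer-a": {"alice"},
            "customer-b": {"bob"},
        },
        global_perms={
            BROWSE_USERS: {"jira-administrators"},
            MANAGE_ROLE_MEMBERSHIP: {"jira-administrators"},
        },
    )
    p = Project(
        key="CUSTA",
        roles={"Administrators": {"user:lead", "group:jira-administrators"},
               "Developers": {"group:customer-a"}},
        scheme={ADMINISTER_PROJECTS: {"Administrators"},
                BROWSE_PROJECTS: {"Administrators", "Developers"}},
    )
    return d, p


if __name__ == "__main__":
    d, p = build_fixture()
    # Under the 3.7 rule the project lead can drop a whole customer group into the role
    # and cannot even see who is in it: bob (customer B) silently gains access to CUSTA.
    print(assign_to_role("lead", p, d, "Developers", "group:customer-b", "3.7"))
    print("bob can browse CUSTA:", p.has_project_perm("bob", BROWSE_PROJECTS, d))
    print("groups the lead should see:", visible_groups("lead", d))
```

Running the script with policy `"proposed"` instead of `"3.7"` makes the same `assign_to_role` call raise `PermissionError` for `lead` while still succeeding for `admin`, which holds both Administer Projects and the hypothetical global permission; `visible_groups` separately models the Browse Users point, returning only the lead's own groups rather than every customer group.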