Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-18076

Warn about assigning "Anyone" group in Global and Project permissions

    XMLWordPrintable

Details

    • 1

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Assigning anyone to global permissions such as a "Browse user" is a sure way to shoot yourself in the foot inadvertently.

      We make a vague mention of it in the documentation

      • if you wish to grant the permission to non logged-in users, select 'Anyone' (not recommended for production systems). Note that the 'JIRA Users' permission (i.e. permission to log in) cannot be granted to 'Anyone' (i.e. to non logged-in users) since this would be contradictory.

      A worse impact can happen if 'Browse Project' (in Project Permissions page) is misconfigured for 'Anyone'. This may allow public search engine crawlers to index JIRA issues.

      We should add an explicit warning on the Global Permissions and Project Permissions page.

      Alternatively we could update the wording description like was done in JRA-29503. That is, we could change "Anyone" to "Public" (or "Anonymous and JIRA users").

      Attachments

        Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. JRACLOUD-63994 The rest documentation around certain user resources is incorrect with respect to anonymous access and the "Browser User" permission

          • Low - Low priority issues
          • Closed

          Suggestion - JRACLOUD-39912 Add global option "Enable group <anyone>"

          • Closed

          Suggestion - JRASERVER-18076 Warn about assigning "Anyone" group in Global and Project permissions

          • Closed
          relates to

          Suggestion - JRACLOUD-23255 Shared filters are visible to anonymous users when shared with 'Everyone'

          • Closed

          Suggestion - JRACLOUD-67931 Change the anyone permission name to anonymous access

          • Closed

          DONUT-3256 Loading...

          mentioned in

          Page Loading...

          Activity

            People

              Unassigned Unassigned
              andrew.myers Andrew Myers [Atlassian]
              Votes:
              53 Vote for this issue
              Watchers:
              49 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: