-
Suggestion
-
Resolution: Fixed
-
JIRA 4.2 standalone running on the Tomcat server.
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.
Hi everyone,
We have an update for this issue. Fundamentally, the situation as reported on this suggestion is intended functionality. Sharing a filter or dashboard with "Everyone" is intended as a way to allow users who may not have accounts in your JIRA instance the ability to see certain dashboards or filters, assuming they contain issue data that has also been shared with anonymous users. There are a number of use cases for this and we know that many customers are using JIRA this way today.
That said, we are also very aware that the wording "Everyone" can cause significant confusion, where users do not realize the "Everyone" option means that the dashboard or filter will be visible to unauthenticated users. In certain situations, this can become a security concern. Therefore, we have recently introduced some changes in to mitigate this issue.
New global setting
JIRA administrators can now disable the ability to share dashboards and filters publicly via a new global setting "Public sharing". This setting is available from JIRA Admin > System > General Configuration > Edit Settings. Please note that this will not affect existing filters and dashboards. If you change this setting, you will still need to update existing filters and dashboards if they have already been shared with "Everyone."
"Everyone" is now "Public"
In order to more clearly emphasize the outcome of sharing a dashboard or filter will allow unauthenticated users to see it, we have renamed the "Everyone" setting to "Public" and updated the wording in the UI to be more explicity.
New "All logged-in users" option
We know the intent of many users who selected the "Everyone" option previously was to share the filter with everyone in their organization. We've added a new option "All logged-in users" that is a more understandable way to share a dashboard or filter with all users who have a JIRA account.
Sharing options have been reordered
In order to reduce the likelihood that a user would accidentally choose the "Everyone"/"Public" option without understanding the consequences, we have reordered the sharing options so that "Groups" are the first sharing option in the dropdown menu.
These changes were released to JIRA Cloud in August 2016 and in JIRA Server 7.2.2 to address the concerns laid out in this issue; therefore, we are going to mark it as resolved.
Thanks for your patience.
Dave Meyer
Senior Product Manager, JIRA
We received complaints from one of our (external) customers saying that his name was found on the Internet via googling for his name. The hit was found via a JIRA-link on our internal JIRA-system.
When investigating, we found that it was caused by the fact that he had shared filters with restriction "Anyone".
This is not a logical behaviour from JIRA: we don't allow anonymous access to our JIRA, so we assume that nothing is exposed to the Internet. People may for example put information in the title of the filter that should not be exposed to others. As an administrator we don't have the possibility to block this. We can't even change the filters created by others.
The best solution in my opinion, is to modify the "Global Permission":
- Either create a new global permission called e.g. "Browse Filters" that an Administrator can use to block all filters.
- Or use the JIRA-Users permissions to block such Filters.
This issue is related to JRA-22207JRA-17221
Workaround
- has a derivative of
-
- Closed
- is duplicated by
-
JRACLOUD-34035 Anonymous users can access popular filters w/out permission
-
- Closed
-
- is related to
-
-
- Closed
-
-
-
- Closed
-
-
- Closed
-
- Closed
-
- Closed
-
- Closed
-
- Closed
- relates to
-
-
- Closed
-
-
- Closed
-
- Gathering Interest