[Internal] Grant "Browse Project" permission to "Current Assignee" makes project visible to all users


    NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

    Status Update

    Hi everyone,

    We have reviewed the status of this issue and there are currently no plans to fix this bug in Jira Cloud. Extensive analysis over the last couple of years has indicated that the complexity of addressing this bug without causing performance degradation for customers using permission schemes with user custom field grants is significant. Based on the number of customers that have actually been affected, we cannot justify the effort required to address it at this time.

    Thanks for your understanding.

    Regards,
    Dave Meyer
    Senior Product Manager, Jira Cloud

    Summary

    1. This bug is related to the closed bug ticket https://jira.atlassian.com/browse/JRA-8950.
    2. When 'Current Assignee' is granted the Browse Projects permission, users who hold no other Browse Projects grant in that scheme are still able to see the project.
    3. They cannot necessarily view or create issues, but the project is listed for them on the View All Projects page.
    4. The project name also appears in the project filter of the Issue Navigator, although no issues are returned: searching a restricted project shows "No issues were found to match your search", which is the correct behaviour. Only the project name itself leaks.

    Steps to Reproduce

    1. Have a Jira instance with several projects, e.g. 'Project A' and 'Project B'.
    2. Have at least two different permission schemes, e.g. 'Permission Scheme A' and 'Permission Scheme B'.
    3. Ensure that 'Project A' uses 'Permission Scheme A' and 'Project B' uses 'Permission Scheme B'.
    s1.png

    4. In each permission scheme, restrict the 'Browse Projects' permission to the appropriate project roles, e.g. the project role 'Tester'.

    5. In 'Permission Scheme B' (used by 'Project B'), additionally grant the 'Browse Projects' permission to 'Current assignee'.
    s2.png
    s3.png
    6. Add 'User A' to the 'Tester' role in 'Project A' only, and 'User B' to the 'Tester' role in 'Project B' only.
    s5.png
    s6.png

    Expected Results:

    User A should not be able to see Project B at all.

    Actual Results:

    User A is able to see Project B in several places:
    1. View All Projects
    s7.png
    2. Issue Navigator
    s8.png

    Workaround

    • Remove 'Current Assignee' from the Browse Projects permission.
    • Use issue-level security instead, which achieves almost the same result.

    Workaround to restrict issue visibility to 'Current Assignee' while granting Browse Projects only to a specific group of users, for a project that is only relevant to one or several groups:

    1. Add the related groups to the Users or Developers project role and remove unrelated groups that should not see the project.
    2. Grant Browse Projects to those roles only (remove 'Current Assignee' from the Browse Projects permission).
    3. Use issue-level security to restrict issue viewing to 'Current Assignee'.
      Result: only the groups and users in the roles granted Browse Projects can see the project, and they can browse only the issues assigned to them.
      Step-by-step instructions for setting up the security level are in the KB article "How to limit user to only browse issues assigned to or reported by them".
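    Because the bug will not be fixed, the practical control is to find every permission scheme that grants Browse Projects to one of the leaking holder types (Current Assignee, Reporter, User Custom Field Value) and remove those grants before applying the issue-level security workaround above. The script below is an added example written for this page, not Atlassian code. It assumes the Jira Cloud REST endpoint GET /rest/api/3/permissionscheme?expand=permissions with its documented holder type strings ("assignee", "reporter", "userCustomField") and the DELETE /rest/api/3/permissionscheme/{schemeId}/permission/{permissionId} endpoint; the sample response, scheme/grant ids and site URL are constructed to mirror the reproduction steps (Scheme A grants Browse Projects to the Tester role only, Scheme B also grants it to Current assignee).

```python
"""Audit Jira Cloud permission schemes for Browse Projects grants that leak
project visibility to all users (constructed example, not Atlassian code)."""
import base64
import json
import urllib.request

# Holder types that, when granted BROWSE_PROJECTS, make the project visible to
# everyone (per the Atlassian KB article referenced on this page).
LEAKY_HOLDER_TYPES = {"assignee", "reporter", "userCustomField"}


def find_leaky_browse_grants(schemes):
    """Return one finding per risky grant.

    `schemes` is the parsed JSON body of
    GET /rest/api/3/permissionscheme?expand=permissions, i.e. a dict whose
    'permissionSchemes' list holds schemes, each with a 'permissions' list of
    grants shaped like {"id": ..., "permission": ..., "holder": {"type": ...}}.
    """
    findings = []
    for scheme in schemes.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            if grant.get("permission") != "BROWSE_PROJECTS":
                continue  # other permissions on these holders are fine
            holder = grant.get("holder", {})
            if holder.get("type") in LEAKY_HOLDER_TYPES:
                findings.append({
                    "scheme_id": scheme["id"],
                    "scheme_name": scheme["name"],
                    "grant_id": grant["id"],
                    "holder_type": holder["type"],
                    "holder_parameter": holder.get("parameter"),
                })
    return findings


def remediation_requests(findings, base_url):
    """Build (method, url) pairs that would remove each leaky grant via
    DELETE /rest/api/3/permissionscheme/{schemeId}/permission/{permissionId}.
    Nothing is sent: review the list, then apply the workaround steps."""
    return [
        ("DELETE",
         f"{base_url}/rest/api/3/permissionscheme/{f['scheme_id']}"
         f"/permission/{f['grant_id']}")
        for f in findings
    ]


def fetch_permission_schemes(base_url, email, api_token):
    """Live fetch (not used by the offline demo): basic auth with an
    Atlassian account email and API token."""
    req = urllib.request.Request(
        f"{base_url}/rest/api/3/permissionscheme?expand=permissions")
    cred = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample response mirroring the ticket's reproduction setup.
# Role id "10301" stands in for the 'Tester' project role.
SAMPLE_RESPONSE = {
    "permissionSchemes": [
        {"id": 10000, "name": "Permission Scheme A", "permissions": [
            {"id": 10100, "permission": "BROWSE_PROJECTS",
             "holder": {"type": "projectRole", "parameter": "10301"}},
            {"id": 10101, "permission": "CREATE_ISSUES",
             "holder": {"type": "projectRole", "parameter": "10301"}},
        ]},
        {"id": 10001, "name": "Permission Scheme B", "permissions": [
            {"id": 10200, "permission": "BROWSE_PROJECTS",
             "holder": {"type": "projectRole", "parameter": "10301"}},
            {"id": 10201, "permission": "BROWSE_PROJECTS",
             "holder": {"type": "assignee"}},          # the leaking grant
            {"id": 10202, "permission": "ASSIGN_ISSUES",
             "holder": {"type": "assignee"}},          # harmless
        ]},
    ]
}

if __name__ == "__main__":
    # Offline dry run against the constructed data; swap in
    # fetch_permission_schemes(...) for a real site.
    found = find_leaky_browse_grants(SAMPLE_RESPONSE)
    for f in found:
        print(f"{f['scheme_name']} (id {f['scheme_id']}): BROWSE_PROJECTS "
              f"granted to {f['holder_type']} (grant {f['grant_id']})")
    for method, url in remediation_requests(found, "https://example.atlassian.net"):
        print(method, url)
```

    Run it against a real site by replacing SAMPLE_RESPONSE with the result of fetch_permission_schemes(base_url, email, api_token); an API token with Administer Jira rights is needed to list schemes and to issue the DELETE requests. Removing the grant alone makes assignees lose access to their issues, so pair it with the issue-level security configuration described in the workaround.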

    Knowledge Base : Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information

    Attachments:
      1. grant_permission_modal_warning_msg.png (70 kB, Adarsh Mysore Thimmappa)
      2. permission_scheme_ui_warning_msg.png (63 kB, Adarsh Mysore Thimmappa)
      3. s1.png (16 kB, nma)
      4. s2.png (54 kB, nma)
      5. s3.png (76 kB, nma)
      6. s5.png (31 kB, nma)
      7. s6.png (31 kB, nma)
      8. s7.png (24 kB, nma)
      9. s8.png (32 kB, nma)
      10. Screenshot 2020-04-16 at 4.19.09 PM.png (169 kB, Adarsh Mysore Thimmappa)

            Assignee: Unassigned
            Reporter: nma (Inactive)
            Votes: 2
            Watchers: 55