- Bug
- Resolution: Duplicate
- Medium
- None
- 8
- Severity 3 - Minor
- 7
Problem
When a user is provisioned (for example through an identity provider) but has no product access, that user is still offered in the Reporter user-picker field on any instance in the enterprise org.
Environment
Jira Software
Steps to Reproduce
Take a user who is provisioned but has no product access.
Go to a Jira project in the instance and try to add that user in the Reporter field.
The user is offered in the Reporter field.
Expected Results
Users who do not have access to the product should not be offered in the Reporter user-picker field.
Actual Results
For a user provisioned through an IdP: a user with site access but no product access is available in the Reporter field on the same instance.
For a user provisioned through an IdP: a user with site access but no product access is available in the Reporter field on a different instance.
For a non-synced (non-IdP) user with no site access: the user is not available on the same instance.
For a non-synced user with site access but no product access: the user is still shown in the Reporter field on the same instance.
For a non-synced user with site access but no product access: the user is still shown in the Reporter field on a different instance.
In short, any user with site access can be selected in the Reporter field, regardless of product access.
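The steps above are a manual UI check. The following script is an added example written for this page, not Atlassian code or a workaround from the ticket: it reproduces the check against the REST API by searching users the way a picker does (`/rest/api/3/user/search`, the documented Jira Cloud REST API v3 endpoint) and then looking up each result's groups (`/rest/api/3/user/groups`, which requires the Administer Jira global permission). The assumption that product access is represented by membership in a named group (`PRODUCT_ACCESS_GROUPS`, defaulting to `jira-software-users`) is ours; adjust it to the site's actual product-access groups. The sample picker results and group memberships at the bottom are constructed so the check runs offline.

```python
"""Audit which users a Jira Cloud user picker returns and which of them lack
product access.  Added example for this page, not Atlassian code.  The two REST
paths are the documented Jira Cloud REST API v3 user endpoints; treating
membership in PRODUCT_ACCESS_GROUPS as "has product access" is an assumption.
"""
import base64
import json
import urllib.parse
import urllib.request

USER_SEARCH_PATH = "/rest/api/3/user/search"   # unscoped search, as used by user pickers
USER_GROUPS_PATH = "/rest/api/3/user/groups"   # groups of one account (needs Administer Jira)

# Assumption: these group names grant Jira Software product access on the site.
PRODUCT_ACCESS_GROUPS = {"jira-software-users"}


def has_product_access(groups, product_groups=PRODUCT_ACCESS_GROUPS):
    """True if any group object (as returned by /user/groups) is a product-access group."""
    return any(g.get("name") in product_groups for g in groups)


def find_leaked_users(picker_results, product_access_ids):
    """Return the picker entries that have no product access.

    picker_results: list of user objects from /user/search (accountId, displayName, ...)
    product_access_ids: set of accountIds that hold product access.
    Inactive accounts are skipped; a picker is not expected to offer them anyway.
    """
    leaked = []
    for user in picker_results:
        if not user.get("active", True):
            continue
        if user["accountId"] not in product_access_ids:
            leaked.append({
                "accountId": user["accountId"],
                "displayName": user.get("displayName", ""),
                "accountType": user.get("accountType", "unknown"),
            })
    return leaked


def _get_json(base_url, email, api_token, path, params):
    """GET a v3 endpoint with basic auth (email + API token) and return parsed JSON."""
    url = base_url.rstrip("/") + path + "?" + urllib.parse.urlencode(params)
    token = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + token,
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_picker(base_url, email, api_token, query, product_groups=PRODUCT_ACCESS_GROUPS):
    """Live check: search users as a picker would, then look up each one's groups."""
    picker = _get_json(base_url, email, api_token, USER_SEARCH_PATH,
                       {"query": query, "maxResults": 50})
    access_ids = set()
    for user in picker:
        groups = _get_json(base_url, email, api_token, USER_GROUPS_PATH,
                           {"accountId": user["accountId"]})
        if has_product_access(groups, product_groups):
            access_ids.add(user["accountId"])
    return find_leaked_users(picker, access_ids)


# Constructed sample data shaped like the real responses (accountIds are made up).
SAMPLE_PICKER = [
    {"accountId": "aaaa-0001", "displayName": "Alice Product", "accountType": "atlassian", "active": True},
    {"accountId": "aaaa-0002", "displayName": "Bob SiteOnly", "accountType": "atlassian", "active": True},
    {"accountId": "aaaa-0003", "displayName": "Carol Portal", "accountType": "customer", "active": True},
    {"accountId": "aaaa-0004", "displayName": "Dave Deactivated", "accountType": "atlassian", "active": False},
]
SAMPLE_GROUPS = {
    "aaaa-0001": [{"name": "jira-software-users"}, {"name": "site-admins"}],
    "aaaa-0002": [{"name": "confluence-users"}],
    "aaaa-0003": [],
    "aaaa-0004": [{"name": "jira-software-users"}],
}


def audit_sample():
    """Run the check over the constructed data; no network access needed."""
    access_ids = {aid for aid, groups in SAMPLE_GROUPS.items() if has_product_access(groups)}
    return find_leaked_users(SAMPLE_PICKER, access_ids)


if __name__ == "__main__":
    for u in audit_sample():
        print(f"LEAK: {u['accountId']} {u['displayName']!r} ({u['accountType']}) has no product access")
```

Run `audit_picker("https://yoursite.atlassian.net", email, api_token, "a")` with a site-admin API token to run the same check live; every entry it returns is a user the picker offers although the user holds no product access, which is exactly the behaviour the report describes. Note that the search is unscoped: it reflects who the picker can see, not who can be validly set as reporter after submission.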
Workaround
Notes
You can pick anyone from any site. This is very concerning, as the customer works with very sensitive content on other sites. This is a very big security issue for the customer and is also problematic from a personal data management perspective, as everyone is visible to everyone.
The customer is concerned that everyone with access to one of our Jira products can see everyone with access to any other product or site within our Atlassian Enterprise Cloud.
When customers work with many external parties, each dedicated to very specific projects on different sites, they can currently see the other third parties working with us, which should not be the case at all.
Even though the data itself is restricted to those who can see it, the personal information of our vendors is compromised by this list of users in the user picker fields.
- is related to: JRACLOUD-81318 Hide or filter out portal only users (JSM Customers) who don't have Jira application access to appear on assignee, reporters, project lead and project roles list (Gathering Interest)
- relates to: ID-8128 Limit User Picker to members of certain groups/roles in System Fields in Jira Software, Jira Work Management, JIRA Service Management and Atlas (Gathering Interest)
- blocks: ACE-3992 (issue not publicly viewable)
After some analysis, we've found that this ticket is a duplicate of the request ID-8128 – Limit User Picker to members of certain groups/roles in System Fields in Jira Software, Jira Work Management and JIRA Service Management, which has more votes.
We encourage you to watch and vote on that request instead. All internal ticket references on this ticket have been transferred. If you do not think this issue should have been closed, please add a comment here saying why and we can reopen it.