Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-11884

Security Violation: Manage Project Role Membership needs a Global Permission

    XMLWordPrintable

    Details

    • UIS:
      33
    • Support reference count:
      12
    • Feedback Policy:
      We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      After implementering Project Roles in JIRA 3.7 you have unfortunately introduced a major security violation.

      In earlier versions of JIRA the Administer Projects permission granted a user the right to edit a project, manage components and manage versions. In 3.7 this permission also grants the user the right to Manage Project Role Membership.

      I know this is part of the idea behind introducing Project Roles. But it must be possible to exclude users from this right even though they have the Administer Projects Permission. This could be done by introducing a Global Permission: "Manage Project Role Membership".

      In our JIRA installation we have 12 JIRA administrators. The are the only ones that are allowed to manage users and groups. We have a lot of Project Leads that are allowed to Administer Projects. They need to be able to manage components, versions and so on. We even have some customers that are granted the Administer Projects permission because they run their own JIRA projects.

      The problem that has been introduced is not so much, that a user with the Administer Projects permission can add a single user to a Project Role. I could live with that. The problem is, that they can also add a group. This means that a user by accident can add a wrong user to a project by giving them indirect access (via the group) without knowing it. The users with Administer Projects permissions have no way of knowing which users are in a given group. Only administrators can see this from the Group Browser.

      Another is that the users can see the "Assign Groups to Project Role". Now the users can see all the groups in JIRA, not only the groups they are a member of. Users without the Global "Browse Users" permission (which also controls the ability to browse groups) should not be able to do this. In our JIRA installation groups represents customers. This means that some of our customers now can see the names of some of our other customers... not good...

      I urge you to fix this in a 3.7.x version a soon as possible.

      Thanks.

      Regards,
      Lars

      Edit: 2017-02-01

      Slightly formalised summary

      As Jira administrator I want to segregate two Permission: Administer projects (current Permission) and edit Roles (new Permission)

      • Project lead/administrator will not have ability to modify the roles (delegate permissions) but can manage their project for remaining admin functions

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              lagoni LarsL
              Votes:
              53 Vote for this issue
              Watchers:
              46 Start watching this issue

                Dates

                Created:
                Updated: