
Warn about assigning "Anyone" group in Global and Project permissions


NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

Assigning anyone to global permissions such as "Browse Users" is a sure way to shoot yourself in the foot inadvertently.

We make a vague mention of it in the documentation:

• If you wish to grant the permission to non-logged-in users, select 'Anyone' (not recommended for production systems). Note that the 'JIRA Users' permission (i.e. permission to log in) cannot be granted to 'Anyone' (i.e. to non-logged-in users) since this would be contradictory.

A worse impact can happen if 'Browse Project' (in the Project Permissions page) is misconfigured for 'Anyone'. This may allow public search engine crawlers to index JIRA issues.

We should add an explicit warning on the Global Permissions and Project Permissions pages.

Alternatively we could update the wording description as was done in JRA-29503. That is, we could change "Anyone" to "Public" (or "Anonymous and JIRA users").
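An added audit check, not part of this issue or of Jira itself: it walks permission schemes and flags every grant to the 'Anyone' group, so an administrator can find the misconfiguration described above without relying on a UI warning. The JSON shape (a grant with a "holder" of type "anyone") is assumed to follow the Jira Server REST permission-scheme format, and the sample schemes are constructed.

```python
import json

# Constructed sample shaped like Jira Server permission schemes as the REST API
# returns them (assumption: every grant has "permission" and "holder", and a
# holder of type "anyone" is the "Anyone" / "Anyone on the web" group).
SAMPLE_SCHEMES = json.loads("""
[
  {"name": "Default Permission Scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}},
    {"permission": "EDIT_ISSUES", "holder": {"type": "anyone"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "projectRole", "parameter": "10001"}}
  ]},
  {"name": "Internal Scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "jira-software-users"}},
    {"permission": "ADMINISTER_PROJECTS", "holder": {"type": "group", "parameter": "jira-administrators"}}
  ]}
]
""")

# Grants to 'Anyone' that the issue above singles out as the worst cases.
HIGH_RISK = {
    "BROWSE_PROJECTS": "issues readable (and indexable by search engine crawlers) without login",
    "EDIT_ISSUES": "issues editable without login",
}


def anyone_grants(scheme):
    """Return (permission, severity, reason) for each grant to 'Anyone' in one scheme."""
    findings = []
    for grant in scheme.get("permissions", []):
        if grant.get("holder", {}).get("type") != "anyone":
            continue
        perm = grant.get("permission", "?")
        if perm in HIGH_RISK:
            findings.append((perm, "HIGH", HIGH_RISK[perm]))
        else:
            findings.append((perm, "REVIEW", "granted to non-logged-in users"))
    return findings


def audit(schemes):
    """Map scheme name -> findings, listing only schemes that grant anything to 'Anyone'."""
    return {s.get("name", "?"): f for s in schemes if (f := anyone_grants(s))}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SCHEMES).items():
        print(f"[{name}]")
        for perm, severity, reason in findings:
            print(f"  {severity:6} {perm}: {reason}")
```

Any "REVIEW" finding is a grant the page's reporter would still want confirmed by hand, since "Anyone" means unauthenticated visitors, not project members.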

Maciej Rzymski added a comment -

Hello there!

I'm happy to announce that we prioritised this issue and we share the security concerns mentioned here.

Since Jira 8.4.x a few things change:

• The "Anyone" and "Public" group is called "Anyone on the web".
• On the Global permissions page there's an additional warning when the "Browse Users" permission is selected for "Anyone on the web".
• Such a warning is also present on the Project permissions page when the "Browse Projects" permission is selected for the "Anyone on the web" group.
• The warning is also displayed when configuring a filter and the "Anyone on the web" option is selected (there was a warning before but we made it more explicit and consistent with the new warnings described above).
• On the Global permissions page we changed the default option for a group, which was "Anyone", to a placeholder "Please select a group" so that it requires an explicit action to select the "Anyone on the web" group.

Thank you for your comments and feedback!

Best regards,
Maciej Rzymski
Jira Server Team

Simon Peters (L) added a comment -

I would like a System Administrator level option to disable the "Anyone" group as well (the specific suggestion for that was closed as a duplicate of this issue).

I also approve of warnings and a clarity rename so that if the Sys Admins choose not to disable the Anyone group there will be fewer accidents.

S Stack added a comment -

Does this Security Vulnerability affect your Jira instance?

Your instance may be exposing confidential data due to this problem. Atlassian, is this not important?

Andrew Stickland added a comment -

Setting 'Browse Project' to "Anyone" overcame a significant issue with the performance in systems with complex User management - e.g. multiple AD connections or complex LDAP membership structure.

As it functions, "Anyone" does mean 'fully accessible to public' as noted above so maybe a rename would make more sense.

The performance issue remains, however, so there should be a way to state that a particular project is visible to "Any Logged In User" without running the authentication checks.

AJ Schmalenberger added a comment -

I would much rather have the ability to disable the anyone group. If a user shares a filter with anyone that info starts leaking out of my Jira instance.

Cian Leahy added a comment -

Agreed with the above - this is totally ambiguous and easily misconfigured. I find it frankly bizarre that this is open for 7 years. A simple warning message would suffice which would be minimal dev time I would suspect.

MichaelL added a comment -

Once the administrator enables "Private" mode in JIRA, the application should disallow any kind of access to an unauthenticated user, even if certain items have been granted Everyone or Anyone permissions. To not do this is to ignore the Private Mode setting.

For an installation configured in Private Mode, allowing the public to do searches from the Login screen (or via URL) and get any kind of search result is a glaring security flaw, plain and simple.

RémiS added a comment -

I suggested a new option to Enable/Disable group anyone: JRA-39912
I think that if it is disabled by default as suggested, the risks mentioned here would be mitigated. If you think so, please add your vote!

RémiS added a comment -

I second renaming the group to "Public".
Still, I think a warning is absolutely necessary. I just found an instance where an admin gave edit permission to "anyone", probably thinking it meant anyone in the project...

MattS added a comment -

Tricky. The problem is that "Anyone" doesn't have an obvious connection to authentication for many people.

mrzymski Maciej Rzymski
andrew.myers Andrew Myers [Atlassian]
Votes: 76
Watchers: 55