-
Suggestion
-
Resolution: Fixed
-
2
-
-
My request is to be able to mention without requiring to assign the "Browse Users" global permission. JRASERVER-7467 asks to restrict the browse users permission to project users, which would resolve our issue, because then we would be able to assign "Browse Users" global permission to all our customers with no information leakage.
However, JRASERVER-7467 has been parked because it is very difficult to solve. It is difficult to decide exactly which users to show and which users to hide. Therefore, I request to track the mention subproblem separately, because it is much easier to solve: show the users which can browse the issue you are mentioning on - just like JIRA already does.
- is related to
-
- Future Consideration
-
ENT-822 Failed to load
- mentioned in
-
Page Failed to load
-
Page Failed to load
-
Page Failed to load
-
Page Loading...
-
-
-
-
-
[JRASERVER-69026] Ability to @mention user without 'Browse Users' global permission
I perfectly agree with you... But truth is in the code, and Atlassian does not care a lot about "privacy issues" in on-premises editions, my customer' users are able to browse my complete users directory (including many not-related customers but also competitors) already from Confluence "mention" feature in comment (which is not easy to disable)... and users generally complain about "mention" feature not to work in Jira as I have removed "Browse Users" global permission.
These "improvements" are tagged as "monster", probably because it impacts a REST API used in many places inside products... but I consider it may be possible to "filter out" answers according to available requester-to-other-users relationship, like having access to same Jira Project or Confluence Space.
Until now, my employer has not decided to invest in custom patches (I would be able to develop) to mitigate/fix these privacy issues. Probably waiting for a real data leak or political troubles when some of our customers will discover "by chance" competitors in our system...
At that point it doesn't really matter anymore, whether the user can see all other users in the database or not. If a user without "Browse Users" knows who he/she wants to send a comment to, then the privacy issue has been dealt with. Has it not?
Maybe it would make more sense to check if the mentioned user can see the issue or not, before sending an email. That can't be too hard?
I confirm this syntax has only a "visual effect". The notification handler responsible to trigger email also check originating user has "Browse Users" permission... as a result, email is never sent.
[~user.name]
Using this format works to add a user mention in a comment without browse user permission. With mouse over you can even see the user details and profile.
But it doesn't send an email!! Where is the logic in that? Or am I missing something here?
Please make something work here.
We have the same issue with our clients as described in previous comments. Please implement!
This feels like a deal-breaking look-for-a-new-tool problem. Is there any update here? I'm stunned that I can't have this cross-customer privacy in place and am hopping I have just missed something.
Even in 2021 this is a required functionality!
We are working around this by telling our colleagues to let the customer know that he/she can user the following format to create a mention while writing the comment in text mode:
[~user.name]
The downside of this is that because the external user does not have a list of people in the project he/she can only rely on the users acted on the related issue, meaning users who wrote a comment or otherwise interacted with the issue.
Since this is not user-friendly and it disrupts workflow for external users, please consider implementing the ability for users without the browser users global permission to mention project users as suggested above.
This feature is an absolute mandatory feature from our business perspective - surprised it's not already developed. Consider this example:
SCENARIO:
Customer A, gets added to their project and starts logging tickets for our QA review. They try to @ mention someone and get back a list of every single Jira user available across all our customers, contractors and users. This is very unprofessional and in breach of NDA's we have with clients.
Expected Result: The Customer A, should be able to @ mention within their project and ONLY get back the users within that project as available to mention.
The mention feature is powerful and restricting it to ONLY a small subset of users within the system via the "Browse Users" Global Permission is poor decision in our view.
You clearly have not considered all the different types of businesses and customers that use JIRA.
It shouldn't be that much development effort to create a NEW permission, that restricts the @ mention feature to only the subset of users within the Jira project you are currently viewing. The value for such a feature is much higher than the effort in our view.
Please implement!
Thanks
From what I understand, this has been implemented for Data Center only?
What about Cloud?