Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-69400

Jira Permission schemes should not allow you to attempt to configure nonsensical permission states

    XMLWordPrintable

Details

    • 3
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for Jira Server. Using Jira Cloud? See the corresponding suggestion.

      Problem Definition

      Several past cases have been reported of Jira admins trying to use a user custom field value or a group custom field value to set a project permissions such as 'Create Issue' or 'Browse Project'. The intention of the admin here is to only allow the possible users in that custom field options to have that specific permission. This does not work though for these specific permissions, because in order to evaluate these permissions the issue has to already be created in Jira. These custom fields would have to have a value set within them on an issue already created. The potential values of that field are not valid as a means to impose a permission grant on those specific permission options. In the case of creating issues, it can't possibly work because the issue is not created yet.

      Suggested Solution

      Change the way permission schemes work and edit the screens there in to prevent admins trying to set permissions that can never possibly be valid within Jira:

      1. This could be done by specifically removing 'user custom field value' and 'group custom field value' from the objects that cannot possibly honor their hypothetical values yet. We know this includes at least create issue and browse project, but there could be others in play here as well.
      2. Another solution could be to change the current behavior of the browse project permission when granted to the 'user custom field' and 'group custom field' when these 2 fields are not set to any value. In this case, instead of allowing any user to view the issue, no one should be able to view the issue until these fields are set.

      Why this is important

      Lots of admins in Jira have attempted to configure this because Jira allows it, But can't possibly honor it. It causes high levels of frustration and angry users to have Jira let you do something that it has no expectation of being able to do.
      https://jira.atlassian.com/browse/JRASERVER-26659
      https://jira.atlassian.com/browse/JRASERVER-30783
      https://jira.atlassian.com/browse/JRACLOUD-66317
      https://jira.atlassian.com/browse/JRASERVER-21613
      https://jira.atlassian.com/browse/JRACLOUD-30783
      https://community.atlassian.com/t5/Jira-Software-questions/JIRA-Bug-with-Group-Custom-Field-Permission-Settings/qaq-p/734856

      Workaround

      none

      Attachments

        Issue Links

          derived from

          Suggestion - JRASERVER-30783 Unexpected behaviour in Create Issue Permission with User custom field

          • Closed
          was cloned as

          Suggestion - JRACLOUD-72153 Jira Permission schemes should not allow you to attempt to configure nonsensical permission states

          • Closed

          Activity

            People

              Unassigned Unassigned
              aheinzer Andy Heinzer
              Votes:
              17 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated: