Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-73165

Add the ability to send Jira notifications to users who do not have application access

    XMLWordPrintable

Details

    • 36
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Context

      In Jira Server/Data Center up to 8.18.x, Jira users used to be able to receive Jira notifications without being granted Application access.

      From Jira server/Data Center 8.19.0, Jira users now need to have Application access (and corresponding license) to receive a Jira notification (batched and non-batched).
      Details regarding this: the old behavior was detected as a security vulnerability, as any user who has been revoked Jira access should also not receive notifications, since these notifications could include confidential information. See JRASERVER-72737 for more context.

      Issue

      In the past, it was possible to take advantage of the old behavior and send notifications to users without application access ("non-login users"). For example, these "non-login users" were associated with a mailbox shared by a team.

      Since Jira 8.19.0, this configuration is no longer possible.

      Suggestions

      As a Jira Administrator, I would like to create user accounts used only for corresponding notifications and not able to login to Jira. I.e. "Notification only" accounts.
      Preferably those accounts should not consume Jira license.

      Workaround

      Grant access in Jira to those accounts.

      Atlassian Update – 11 Feb 2022

      Since Jira 8.20.6 it will be possible to revert new behaviour introduced by JRASERVER-72737 with Dark Feature Flag:

      com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled 

      At the same time all future 8.13.x version starting 8.13.19 will have option to enable new behaviour with feature flag:

      com.atlassian.jira.send.email.notifications.to.user.without.application.access.disabled   

      Cheers,
      Jira DC Bugfix Team

       

      Attachments

        Issue Links

          Activity

            People

              Unassigned Unassigned
              jrey Julien Rey
              Votes:
              44 Vote for this issue
              Watchers:
              41 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: