Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-74956

Allow admin to disable "Anyone" group in Global and Project permissions

XMLWordPrintable

    • 0
    • 1
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Jira global admin should be able to disable the option "Anyone on the web" as Permission or as sharing option for filters. Currently there is no way to disable this option in the Groups, when configuring a Permission. Consequently project administrators may be setting this permission and allowing unauthorised access inadvertently. 

       

            [JRASERVER-74956] Allow admin to disable "Anyone" group in Global and Project permissions

            SET Analytics Bot made changes -
            UIS Original: 1 New: 0
            SET Analytics Bot made changes -
            UIS Original: 0 New: 1
            SET Analytics Bot made changes -
            UIS Original: 1 New: 0
            SET Analytics Bot made changes -
            UIS Original: 0 New: 1
            SET Analytics Bot made changes -
            UIS Original: 1 New: 0
            SET Analytics Bot made changes -
            UIS Original: 0 New: 1
            SET Analytics Bot made changes -
            UIS Original: 1 New: 0
            Eduard M made changes -
            Description Original: {panel:bgColor=#e7f4fa}
            *NOTE:* This suggestion is for {*}JIRA Server{*}. Using {*}JIRA Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18076].
            {panel}
            Jira global admin should be able to disable the option "Anyone on the web" as Permission or as share option. Currently there is no way to disable this option in the Groups, when configuring a Permission. Consequently project administrators may be setting this permission and allowing unauthorised access inadvertently. 

                          		New: {panel:bgColor=#e7f4fa}
            *NOTE:* This suggestion is for {*}JIRA Server{*}. Using {*}JIRA Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18076].
            {panel}
            Jira global admin should be able to disable the option "Anyone on the web" as Permission or as sharing option for filters. Currently there is no way to disable this option in the Groups, when configuring a Permission. Consequently project administrators may be setting this permission and allowing unauthorised access inadvertently. 

             
            Eduard M made changes -
            Description Original: {panel:bgColor=#e7f4fa}
            *NOTE:* This suggestion is for {*}JIRA Server{*}. Using {*}JIRA Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18076].
            {panel}
            Jira admin should be able to disable the option "Anyone on the web" as Permission or as share option. Currently there is no way to disable this option in the Groups, when configuring a Permission.             		New: {panel:bgColor=#e7f4fa}
            *NOTE:* This suggestion is for {*}JIRA Server{*}. Using {*}JIRA Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18076].
            {panel}
            Jira global admin should be able to disable the option "Anyone on the web" as Permission or as share option. Currently there is no way to disable this option in the Groups, when configuring a Permission. Consequently project administrators may be setting this permission and allowing unauthorised access inadvertently. 

             
            Eduard M made changes -
            Description Original: {panel:bgColor=#e7f4fa}
              *NOTE:* This suggestion is for *JIRA Server*. Using *JIRA Cloud*? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18076].
              {panel}

            Assigning anyone to global permissions such as a "Browse user" is a sure way to shoot yourself in the foot inadvertently.

            We make a vague mention of it in the documentation

            * https://confluence.atlassian.com/display/JIRA/Managing+Global+Permissions

            {quote}* if you wish to grant the permission to non logged-in users, select 'Anyone' (not recommended for production systems). Note that the 'JIRA Users' permission (i.e. permission to log in) cannot be granted to 'Anyone' (i.e. to non logged-in users) since this would be contradictory. {quote}

            A worse impact can happen if 'Browse Project' (in Project Permissions page) is misconfigured for 'Anyone'. This may allow public search engine crawlers to index JIRA issues.

            We should add an explicit warning on the Global Permissions and Project Permissions page.

            Alternatively we could update the wording description like was done in JRA-29503. That is, we could change "Anyone" to "Public" (or "Anonymous and JIRA users").
            		New: {panel:bgColor=#e7f4fa}
            *NOTE:* This suggestion is for {*}JIRA Server{*}. Using {*}JIRA Cloud{*}? [See the corresponding suggestion|http://jira.atlassian.com/browse/JRACLOUD-18076].
            {panel}
            Jira admin should be able to disable the option "Anyone on the web" as Permission or as share option. Currently there is no way to disable this option in the Groups, when configuring a Permission.

              Unassigned Unassigned
              emarghidan Eduard M
              Votes:
              7 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: