Uploaded image for project: 'Jira Service Management Data Center'
  1. Jira Service Management Data Center
  2. JSDSERVER-1019

User automatically becomes collaborator by browse project permission

      I cannot understand why this should happen automatically, as it destroys the use case for many our customers Service Desk projects where the Service Desk is just an easy way to enter issues.

      Especially a workaround for JSD-270 would require giving the customers the browse project permission.

      With the internal comments hardcoded to collaborators and agents there is now no way to enter real internal comments.

      Why aren´t the permissions and service desk access regulations handled in a clean and transparent way? I.e. via permissions and roles. The current situation is way too intransparent as things are not configured in a central place and automatic actions happen with no way to correct them.

          Form Name

            [JSDSERVER-1019] User automatically becomes collaborator by browse project permission

            David Yu added a comment - - edited

            We use Service Desk for internal helpdesk, and we also don't hide issues from users (Browse is available). This basically defeats the ability for any kind of Internal Comments. I'm sure Atlassian's projects are probably configured in a similar fashion so I'm wondering how you do this internally?

            Why wasn't project roles considered here which would have made this easier: JSDSERVER-3392. Could have simply tied "Internal Comments" to each project's "Service Desk Team" role.

            David Yu added a comment - - edited We use Service Desk for internal helpdesk, and we also don't hide issues from users (Browse is available). This basically defeats the ability for any kind of Internal Comments . I'm sure Atlassian's projects are probably configured in a similar fashion so I'm wondering how you do this internally? Why wasn't project roles considered here which would have made this easier: JSDSERVER-3392 . Could have simply tied "Internal Comments" to each project's "Service Desk Team" role.

            Thomas Heidenreich added a comment - - edited

            Hello Atlassian,

            still no response on this and JSD-829 - this is really a SHOWSTOPPER ISSUE. We have customers still on Service Desk 1.2 who cannot update due to your inaction an this issue. I talked to ccapel with this on AtlasCamp, and he promised to look into this.

            Please Atlassian: find back to "legendary support"

            Thomas Heidenreich added a comment - - edited Hello Atlassian, still no response on this and JSD-829 - this is really a SHOWSTOPPER ISSUE . We have customers still on Service Desk 1.2 who cannot update due to your inaction an this issue. I talked to ccapel with this on AtlasCamp, and he promised to look into this. Please Atlassian: find back to "legendary support"

            jchorus added a comment -

            +1 for Thomas summary. I was really astonished to learn, that I cannot control INSIDE JIRA who views internal comments. We have partner companies / organizations with lots of users. For each of these organizations I set up dedicated service desks.

            Most users from the organizations submit tickets via the Service Desk portal. However, there are some specific people who help us prioritize issues on the side of the organization. These are setup as normal JIRA users in a dedicated group per company, controlled via LDAP.

            By design Service Desk 2.x treats any one who has permission to use JIRA from the "inside" as a collaborator. This equates to those people who have global USE permission. Any one how does NOT have USE permission is considered a free customer and can interact only in he at project via the customer portal.

            I am guessing the reasoning behind this setup is that it is hard to apply the normal JIRA permissions without giving the collaborators sufficient access to substitute agents and I can sympathize with your problem. However, we have to be able to restrict permissions for specific users or groups, not extend them. The prospect of applying the outlined scenario was actually one of the two capital reasons to switch to service desk for our support team.

            I must also criticize that the handling of this inside JIRA is really not transparent. For our normal projects we have this setup implemented and, to me, there was no reason to suspect that internal comments in Service Desk projects are treated differently then in other projects. I stumbled across this today by accident and it would have been highly embarrassing if internal comments had found their way to a customer in this manner. Luckily I just caught it.

            However, you may understand why I think this is not a minor issue. I hope you will consider our feedback an significantly raise the priority on this.

            Thanks for your consideration

            Jens

            jchorus added a comment - +1 for Thomas summary. I was really astonished to learn, that I cannot control INSIDE JIRA who views internal comments. We have partner companies / organizations with lots of users. For each of these organizations I set up dedicated service desks. Most users from the organizations submit tickets via the Service Desk portal. However, there are some specific people who help us prioritize issues on the side of the organization. These are setup as normal JIRA users in a dedicated group per company, controlled via LDAP. By design Service Desk 2.x treats any one who has permission to use JIRA from the "inside" as a collaborator. This equates to those people who have global USE permission. Any one how does NOT have USE permission is considered a free customer and can interact only in he at project via the customer portal. I am guessing the reasoning behind this setup is that it is hard to apply the normal JIRA permissions without giving the collaborators sufficient access to substitute agents and I can sympathize with your problem. However, we have to be able to restrict permissions for specific users or groups, not extend them. The prospect of applying the outlined scenario was actually one of the two capital reasons to switch to service desk for our support team. I must also criticize that the handling of this inside JIRA is really not transparent. For our normal projects we have this setup implemented and, to me, there was no reason to suspect that internal comments in Service Desk projects are treated differently then in other projects. I stumbled across this today by accident and it would have been highly embarrassing if internal comments had found their way to a customer in this manner. Luckily I just caught it. However, you may understand why I think this is not a minor issue. I hope you will consider our feedback an significantly raise the priority on this. Thanks for your consideration Jens

            Thomas Heidenreich added a comment - - edited

            Hello @bbaker,

            (one of) the setup(s) is as follows:

            • There are several customers within departments of clients
              • Example: client A has departments A1, A2 A3 - each of them have users (customers) A1.john, A2.bill, A2.jane, A2.alice, A3.bob, A3.carol, ...
            • The department lead (A2.bill) wants to see all issues of his employees, i.e A2.bill needs to see issues of A2.jane and A2.alice, but not of A1.john, A3.bob and A3.carol. Therefore we give A2.bill access to JIRA for monitoring and use the Service Desk for issue creation.
            • But A2.bill must not see internal comments, which is impossible at the moment as he automatically becomes collaborator

            Even resolving JSD-270 would not give A2.bill all he needs, as he also wants to have dashboards and (his departments) issues charts embedded on confluence pages - he definetly needs the browse project permission.

            It is absolutely no problem, that A2.bill would use up a JIRA license as he can use it, but we need the ability to control who is collaborator and who isn´t regardless of JIRA access.

            To sum it up: the main problem is that anyone with JIRA access to a Service Desk project can view internal comments - this happens because he automatically becomes collaborator and there is no way to hide comments from collaborators (see JSD-1020, JSD-829)

            Thomas Heidenreich added a comment - - edited Hello @bbaker, (one of) the setup(s) is as follows: There are several customers within departments of clients Example: client A has departments A1, A2 A3 - each of them have users (customers) A1.john, A2.bill, A2.jane, A2.alice, A3.bob, A3.carol, ... The department lead (A2.bill) wants to see all issues of his employees, i.e A2.bill needs to see issues of A2.jane and A2.alice, but not of A1.john, A3.bob and A3.carol. Therefore we give A2.bill access to JIRA for monitoring and use the Service Desk for issue creation. But A2.bill must not see internal comments, which is impossible at the moment as he automatically becomes collaborator Even resolving JSD-270 would not give A2.bill all he needs, as he also wants to have dashboards and (his departments) issues charts embedded on confluence pages - he definetly needs the browse project permission. It is absolutely no problem, that A2.bill would use up a JIRA license as he can use it, but we need the ability to control who is collaborator and who isn´t regardless of JIRA access. To sum it up: the main problem is that anyone with JIRA access to a Service Desk project can view internal comments - this happens because he automatically becomes collaborator and there is no way to hide comments from collaborators (see JSD-1020 , JSD-829 )

            ɹǝʞɐq pɐɹq added a comment - - edited

            I am not 100% sure of your desired setup here so I cant give you a specific answer. If you could outline what you are trying to achieve in more detail that will help.

            but i can give you some back ground on our design intentions.

            By design Service Desk 2.x treats any one who has permission to use JIRA from the "inside" as a collaborator. This equates to those people who have global USE permission. Any one how does NOT have USE permission is considered a free customer and can interact only in he at project via the customer portal.

            So if you want your JIRA USE permission people (aka people who can see parts of JIRA from the inside) to only interact via the customer portal on a particular project then you need to do the following.

            • remove them from getting BROWSE permission via standard JIRA groups / roles directly
              • This will remove them from being collaborators on this project
            • add them to the "Service Desk Customers" role either via the Service Desk peoples page or the JIRA admin project roles page.
              • This will allow them customer portal access to this project

            ɹǝʞɐq pɐɹq added a comment - - edited I am not 100% sure of your desired setup here so I cant give you a specific answer. If you could outline what you are trying to achieve in more detail that will help. but i can give you some back ground on our design intentions. By design Service Desk 2.x treats any one who has permission to use JIRA from the "inside" as a collaborator. This equates to those people who have global USE permission. Any one how does NOT have USE permission is considered a free customer and can interact only in he at project via the customer portal. So if you want your JIRA USE permission people (aka people who can see parts of JIRA from the inside) to only interact via the customer portal on a particular project then you need to do the following. remove them from getting BROWSE permission via standard JIRA groups / roles directly This will remove them from being collaborators on this project add them to the "Service Desk Customers" role either via the Service Desk peoples page or the JIRA admin project roles page. This will allow them customer portal access to this project

              Unassigned Unassigned
              theidenreich Thomas Heidenreich (//S)
              Affected customers:
              26 This affects my team
              Watchers:
              28 Start watching this issue

                Created:
                Updated:
                Resolved: