
improve behaviour of permissions for Assets parent child structure and hidden attributes

      At the moment, the behaviour in Assets for attributes hidden to the users role in an inherited structure works as follows. Example:

      1. Create an abstract object type with inheritance.
      2. Create an attribute on the parent and set it as hidden to the users role.
      3. Now set a user or group to have the user role on the schema but the developer role on the child object type.
      4. Observe that this logged-in user still cannot see the hidden attribute (despite being a developer on the child object type).
      5. Also observe that when the user or group is set as developer on the abstract parent object type, they can see the hidden attribute in the child.

      This happens because attribute permissions in an inherited structure currently follow the parent object type.

      One workaround for this behaviour is to create a hidden attribute directly on the child object type. At that point, observe that a user in the developers role can see the attribute.
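
The steps above, reproduced in a simplified model. This is an added example, not part of the original ticket and not Atlassian's code: the class, the function names, the sample schema and the fallback from object-type role to schema role are all assumptions made for illustration. `blocked_attributes` lists the inherited hidden attributes that a developer on a child object type is still denied.

```python
# Simplified model of the behaviour reported in this ticket (assumption, not Assets code).
from dataclasses import dataclass, field

@dataclass
class ObjectType:
    name: str
    parent: "ObjectType | None" = None
    hidden_attrs: set = field(default_factory=set)  # hidden-to-users attributes created on this type
    roles: dict = field(default_factory=dict)       # principal -> role granted on this type

def role_on(principal, obj_type, schema_roles):
    """Role granted on the object type, falling back to the schema-level role."""
    return obj_type.roles.get(principal, schema_roles.get(principal))

def chain(obj_type):
    """The object type followed by its ancestors."""
    while obj_type is not None:
        yield obj_type
        obj_type = obj_type.parent

def can_see_hidden(principal, viewed_type, attr, schema_roles):
    """Reported behaviour: the role is checked on the type that defines the attribute."""
    owner = next(t for t in chain(viewed_type) if attr in t.hidden_attrs)
    return role_on(principal, owner, schema_roles) == "developer"

def blocked_attributes(principal, viewed_type, schema_roles):
    """Inherited hidden attributes denied to a principal who is developer on viewed_type."""
    if role_on(principal, viewed_type, schema_roles) != "developer":
        return []
    return sorted(a for t in chain(viewed_type) for a in t.hidden_attrs
                  if not can_see_hidden(principal, viewed_type, a, schema_roles))

def demo():
    # Constructed sample data: names and roles are invented for illustration.
    schema_roles = {"alice": "user"}
    parent = ObjectType("Hardware (abstract)", hidden_attrs={"Purchase price"})
    child = ObjectType("Laptop", parent=parent, roles={"alice": "developer"})
    step4 = can_see_hidden("alice", child, "Purchase price", schema_roles)   # False
    gaps = blocked_attributes("alice", child, schema_roles)
    child.hidden_attrs.add("Lease cost")            # workaround: hidden attribute on the child
    workaround = can_see_hidden("alice", child, "Lease cost", schema_roles)  # True
    parent.roles["alice"] = "developer"             # step 5: developer on the abstract parent
    step5 = can_see_hidden("alice", child, "Purchase price", schema_roles)   # True
    return step4, gaps, workaround, step5

if __name__ == "__main__":
    print(demo())
```
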

            [JSDSERVER-12256] improve behaviour of permissions for Assets parent child structure and hidden attributes

            Admin @RKI added a comment -

            Hello,

            we are affected by this problem. We perceive this behavior as a major security vulnerability in Jira Assets.

            We have a large number of object types that also inherit hidden attributes. Since we use scripts to read and provide information from the attributes, manually creating the attributes is out of the question – because then the IDs of the attributes would change each time.

            In addition, the newly created attributes cannot be sorted to the correct place – only to the end.

            We kindly request that you fix this authorization error as soon as possible.

            Kind regards and thank you,
            Matthias 


              Assignee: Unassigned
              Reporter: Tiziana Marchionni (tmarchionni@atlassian.com)
              Votes: 3
              Watchers: 3