    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding suggestion.

      The customer portal is designed to ensure that only the reporter and participants of an issue can see it, as well as agents.

      But if anonymous access is enabled, currently everyone becomes able to see every issue, including internal and external comments.

      Therefore, the solution seems to be that it should not be possible for an anonymous user to have access to a Service Desk project.
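A check for the exposure described above, as an added example that is not part of the original issue or Atlassian's code: it scans permission-scheme data for Service Desk projects where the anonymous holder is granted Browse Projects. The sample data is constructed, and the field names (`projectTypeKey`, a `holder.type` of `anyone`, `BROWSE_PROJECTS`) assume the shape of Jira's REST permission-scheme resource.

```python
import json

# Constructed sample data (not from the page): three projects with the grants
# of their permission schemes. Field names are assumed to follow Jira's REST
# permission-scheme resource.
SAMPLE = json.loads("""
[
  {"key": "HELP", "projectTypeKey": "service_desk",
   "permissions": [
     {"permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}},
     {"permission": "ADD_COMMENTS",
      "holder": {"type": "projectRole", "parameter": "10100"}}
   ]},
  {"key": "DOCS", "projectTypeKey": "software",
   "permissions": [
     {"permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}}
   ]},
  {"key": "IT", "projectTypeKey": "service_desk",
   "permissions": [
     {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
     {"permission": "CREATE_ISSUES", "holder": {"type": "anyone"}}
   ]}
]
""")


def audit_anonymous_access(projects):
    """Return one finding per anonymous grant on a Service Desk project."""
    findings = []
    for project in projects:
        if project.get("projectTypeKey") != "service_desk":
            continue  # anonymous browse on a standard project is out of scope
        for grant in project.get("permissions", []):
            if grant.get("holder", {}).get("type") != "anyone":
                continue
            # Per the issue: anonymous browse exposes every issue and comment.
            exposes = grant["permission"] == "BROWSE_PROJECTS"
            findings.append({
                "project": project["key"],
                "permission": grant["permission"],
                "severity": "high" if exposes else "review",
            })
    return findings


if __name__ == "__main__":
    for f in audit_anonymous_access(SAMPLE):
        print(f"{f['severity']:6} {f['project']:5} {f['permission']}")
```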


            [JSDSERVER-2171] Anonymous user should not have access to view Service Desk issues

            Erick Molina added a comment -

            Hello,

            I need to grant a user read-only access to a project but not allow them to view internal comments in that project. Is this possible?

            Emre Toptancı [OBSS] added a comment -

            I arrived at this ticket from JSD-2167

            I am using JIRA with Crowd in the back and SSO enabled. I am collecting tickets from external users but they cannot sign up to JIRA because self signup does not support Crowd and SSO at the same time so I have to allow anonymous access on my project. I've enabled anonymous access and now everybody can see all tickets and internal comments.

            Well done Atlassian for this bad design. Your tools cannot work with your tools. Fantastic.

            Steven F Behnke added a comment -

            Tanya – DJ Broerse linked a Support issue. Those support issues are not public, so you can't see it.

            Tanya L Christensen added a comment -

            I do not have permissions to view the link referenced in the comment made by: Matthew McMahon [Atlassian] added a comment - 11/Aug/2015 2:37 PM.

            "You do not have permission to view this request."

            Vincent Kopa (Ovyka) added a comment -

            Hello,

            We also have a need, where the users must also see the JIRA project (without JSD), but JSD assumes they are "collaborators", so they can see internal comments...
            => in our humble opinion, "internal" should mean SD collaborators + SD team roles, not just anyone with the "browse project" permission

            Regards
            Vincent

            DJ Broerse added a comment - edited

            Hi Matt,

            Thanks for your answer and possible solution.
            In the mindset of serving external customers I understand.

            If you are serving internal customers Jira gives you the ability to give anonymous users view permission without buying an expensive user license.
            It is for me hard to believe why Service Desk should remove this feature and at this moment it doesn't this suggestion will . The only problem for me is that internal comments (only for the agents) are publicly visible.

            Cloning every issue to a normal Jira project is achievable but it feels like a dirty workaround for me.

            Service Desk is a fantastic addon and also great for internal development teams. I hope in the future Service Desk will still be the best addon for serving internal customers.

            Regards,
            DJ

            Matthew McMahon (Inactive) added a comment -

            Hi dennis-jan.broerse1

            A Service Desk project is constructed in such a way, that access to tickets is carefully restricted to only the reporter, included participants and agents.

            Collaborators are a different type of JIRA user, that have specifically been given access to view the tickets on back-end.

            I understand that anonymous access to a standard JIRA project is very useful for encouraging collaboration. However, the ability for anonymous access to the back-end of a Service Desk project, has security implications that go against the intended purpose.

            In reading your use-case, may I ask if it would be possible for issues you would like to link to other users to view with anonymous access, be inside a standard project?

            Regards
            Matt

            DJ Broerse added a comment -

            In my opinion this is a strange conclusion.

            There is a reason why issues in a project are visible to anonymous users. In https://support.atlassian.com/servicedesk/customer/portal/3/SDS-6785 I've described a use case.

            In standard Jira anonymous users have only view permissions on public comments, this is also expected by Service Desk and in my opinion normal behaviour.
            Internal comments are comments viewable for only the people with permissions.

              Assignee: Unassigned
              Reporter: Matthew McMahon (Inactive)
              Votes: 21
              Watchers: 20