[JSDSERVER-3267] Users without the proper Global Permissions should not be able to Upgrade the Permission Scheme

Project: Jira Service Management Data Center

      NOTE: This suggestion is for JIRA Service Desk Server. Using JIRA Service Desk Cloud? See the corresponding suggestion (http://jira.atlassian.com/browse/JSDCLOUD-3267).

      Problem Definition

      Users that do not have the JIRA Administrator Global Permission are able to make Permission Scheme changes.

      1. Log in as a user with the JIRA Global Permission of at least JIRA Administrator.
      2. Modify the Service Desk Project Permission Scheme. In this case, we removed all users from having the Permission to Delete Issues. Some organizations have the requirement to NOT Delete any Issues in their Service Desk Project.
      3. Log in as a User that DOES NOT have the JIRA Administrators Global Permission, but is a Service Desk Project Admin.
      4. This User will receive a Yellow and White Pop-up box that says: "This service desk project may not work as expected. View details and repair the problem"
      5. This User receives the "Permission scheme error" with the button "Upgrade Permission Scheme". The User that DOES NOT have the JIRA Administrator Global Permission clicks this button.
      6. The ability to Delete Issues has been added back to the Permission Scheme.

      Suggested Solution

      Only allow users that have been granted the JIRA Administrator Global Permission - just as it is in JIRA Core Projects - to modify Permission Schemes. No other users with lesser JIRA Global Permissions should be able to see the "Upgrade Permission Scheme" button or make changes to a Permission Scheme.

      Workaround

      Make only those users Service Desk Project Admins whom you want to be able to modify Permission Schemes. This is not the case with JIRA Core Projects. In JIRA Core Projects, a Project Administrator does NOT have to have the JIRA Administrator Global Permission. Those Project Admins do not have the ability to make changes to Permission Schemes. This should be the case with Service Desk as well.
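
One way to detect the change described in the steps above is to compare a saved copy of the permission scheme against its current state and flag any grant of a permission that must stay empty. This is an added example, not Atlassian's code or part of the original report; it assumes the scheme has been exported as JSON in the shape returned by `GET /rest/api/2/permissionscheme/{id}?expand=permissions`, and the scheme name, role ids and grants below are constructed sample data.

```python
import json

# Constructed sample: scheme as saved after the Jira admin removed all
# "Delete Issues" grants (step 2 of the report).
BASELINE = json.loads("""{"name": "SD Permission Scheme", "permissions": [
  {"holder": {"type": "projectRole", "parameter": "10002"}, "permission": "ADMINISTER_PROJECTS"},
  {"holder": {"type": "reporter"}, "permission": "CREATE_ISSUES"}
]}""")

# Constructed sample: the same scheme after "Upgrade Permission Scheme" was
# clicked (step 6); a DELETE_ISSUES grant is present again.
CURRENT = json.loads("""{"name": "SD Permission Scheme", "permissions": [
  {"holder": {"type": "projectRole", "parameter": "10002"}, "permission": "ADMINISTER_PROJECTS"},
  {"holder": {"type": "reporter"}, "permission": "CREATE_ISSUES"},
  {"holder": {"type": "projectRole", "parameter": "10002"}, "permission": "DELETE_ISSUES"}
]}""")

# Permissions the organisation requires to have no holders at all.
FORBIDDEN = {"DELETE_ISSUES"}


def grants(scheme):
    """Normalise a scheme into a set of (permission, holder type, holder parameter)."""
    out = set()
    for grant in scheme.get("permissions", []):
        holder = grant.get("holder", {})
        # Holders such as "reporter" carry no parameter; use "" so tuples sort.
        out.add((grant["permission"], holder.get("type", ""), holder.get("parameter") or ""))
    return out


def audit(baseline, current, forbidden=FORBIDDEN):
    """Report grants added or removed since the baseline, and forbidden grants now present."""
    before, after = grants(baseline), grants(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "violations": sorted(g for g in after if g[0] in forbidden),
    }


if __name__ == "__main__":
    for kind, items in audit(BASELINE, CURRENT).items():
        print(kind, items)
```

Run on a schedule against the live scheme, a non-empty `violations` list shows that the permission has been granted again, whoever triggered the change.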

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3010996 ] New: JAC Suggestion Workflow 3 [ 3648409 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing v4 [ 2665098 ] New: JAC Suggestion Workflow [ 3010996 ]
            Owen made changes -
            Workflow Original: JSD Suggestion Workflow - TEMP [ 2322971 ] New: Confluence Workflow - Public Facing v4 [ 2665098 ]
            Status Original: Closed [ 6 ] New: Resolved [ 5 ]
            Katherine Yabut made changes -
            Workflow Original: JSD Suggestion Workflow [ 2052756 ] New: JSD Suggestion Workflow - TEMP [ 2322971 ]
            Katherine Yabut made changes -
            Workflow Original: JSD Suggestion Workflow - TEMP [ 2048957 ] New: JSD Suggestion Workflow [ 2052756 ]
            Katherine Yabut made changes -
            Workflow Original: JSD Suggestion Workflow [ 1280423 ] New: JSD Suggestion Workflow - TEMP [ 2048957 ]
            jonah (Inactive) made changes -
            Description New (added above the otherwise unchanged description):
            {panel:bgColor=#e7f4fa}
            *NOTE:* This suggestion is for *JIRA Service Desk Server*. Using *JIRA Service Desk Cloud*? [See the corresponding suggestion|http://jira.atlassian.com/browse/JSDCLOUD-3267].
            {panel}
            jonah (Inactive) made changes -
            Link New: This issue relates to JSDCLOUD-3267 [ JSDCLOUD-3267 ]
            Marty (Inactive) made changes -
            Component/s New: Licensing & Permissions [ 44395 ]
            Component/s Original: Project Permissions [ 37590 ]
            Owen made changes -
            Workflow Original: TTT: Simple Issue Tracking Workflow [ 1126160 ] New: JSD Suggestion Workflow [ 1280423 ]
            Status Original: Done [ 10044 ] New: Closed [ 6 ]

              Unassigned Unassigned
              kgrier kitkat (Inactive)
              Votes: 3
              Watchers: 4
