Prevent Service Desk Agents from Creating New Customers from the Project Page

    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      There is currently no setting in Service Desk that prevents Agents from adding customers to a project by using the "Add Customers" button from the Project page.

      Suggested Solution

      There is a setting in JIRA Admin > Applications > JIRA Service Desk > Configuration that prevents Agents from adding new organizations, so it might be helpful to have a similar setting here as well that prevents agents from adding new customers.

      Workaround

      1. Disable outgoing email from JIRA Admin > Outgoing email.
        However, this setting will impact the entire JIRA instance and no more JIRA notifications will be sent; or
      2. Hide the button via CSS added to the announcement banner: 

         Atlassian Support cannot guarantee the provision of any support for the steps described below as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.

        <style type="text/css">
        button.aui-button.js-invite-customers {
            display: none;
        }
        </style>
        

            [JSDSERVER-5463] Prevent Service Desk Agents from Creating New Customers from the Project Page

            Enrico Skottnik added a comment

            Are there any new updates for this issue?

            We have a company-wide process for creating and deleting customer accounts across all our applications, including Confluence for example. The customer accounts are managed in a central user and group (active) directory. Therefore, allowing projects to create their own local Jira customers in their project is counterproductive. Customers should only be able to be added to a project via groups from our active directory.

            Therefore, we also want to prevent new local Jira accounts from being created via the "add customer" feature.

            Arif Demir added a comment

            There are several tickets for the "unfortunately" missing function.
            This ticket was created in 2018, and it is still missing both a statement on whether Atlassian plans to add this feature and a time estimate for when this will happen!
            This kind of important functionality should be able to be implemented within 4 years, in my opinion.

            @Atlassian, what is the status here? When will this feature be implemented?

            Bernat Plaxats added a comment

            Any news about the feature? Any way to prevent the Service Desk Team from adding customers?

            Imane ASSOUD added a comment

            Hello,

            +1 for this. This is creating confusion in terms of user management and preventing some of our AD accounts, for which some agents have also created a local account, from using the tool properly. Please implement the possibility to enable this feature soon.

            Thank you.

            Juan Ignacio Castro added a comment - edited

            Our Jira instance is AD-provisioned. We only use the Internal Directory for last-instance admins. 

            This happened today: 

            • A user requested Jira Service Desk access for an external agency. Said user is an admin of this SD project.
            • While IT was working on this, the user manually added the agency via email to the SD project. Licences couldn't be assigned this way so use was limited, but the agency could now read everything in the project, with no prior HR or IT approval. This user was added to Jira Internal Directory, which again, we don't use.

            This is unacceptable. The CSS workaround does not, in fact, work and we cannot disable email. I'm left with no choice but to remove all admins from Jira SD projects, which is incredibly inconvenient. Atlassian, we NEED an option to disable this "Add Customer" button, it's a massive security flaw and I cannot understand how on earth it got past QA.

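An added example, not part of the original ticket and not Atlassian code: one way to detect the two situations described in the comments above, namely accounts that appear in the Jira Internal Directory without approval and local accounts that duplicate a directory-managed user. The export columns, directory labels and approved-account list are assumptions constructed for this example.

```python
import csv
import io

# Constructed sample export; the column names and directory labels are
# assumptions for this example, not a real Jira export format.
SAMPLE_EXPORT = """username,email,directory
jdoe,jdoe@example.com,Active Directory
breakglass-admin,admin@example.com,Jira Internal Directory
agency.contact@partner.example,agency.contact@partner.example,Jira Internal Directory
asmith,asmith@example.com,Active Directory
asmith@example.com,ASmith@example.com,Jira Internal Directory
"""

INTERNAL_DIRECTORY = "Jira Internal Directory"
APPROVED_INTERNAL = {"breakglass-admin"}  # hypothetical last-resort admin accounts


def audit_users(export_text, internal=INTERNAL_DIRECTORY, approved=APPROVED_INTERNAL):
    """Return (unapproved, shadowing) lists of internal-directory usernames.

    unapproved: internal accounts that are not on the approved list.
    shadowing:  internal accounts whose email also belongs to an account
                in another directory (a local duplicate of a managed user).
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))
    # Emails are compared case-insensitively.
    managed_emails = {
        r["email"].strip().lower() for r in rows if r["directory"].strip() != internal
    }
    unapproved, shadowing = [], []
    for r in rows:
        if r["directory"].strip() != internal:
            continue
        name = r["username"].strip()
        if name not in approved:
            unapproved.append(name)
        if r["email"].strip().lower() in managed_emails:
            shadowing.append(name)
    return unapproved, shadowing


if __name__ == "__main__":
    unapproved, shadowing = audit_users(SAMPLE_EXPORT)
    print("Internal accounts not on the approved list:", unapproved)
    print("Internal accounts duplicating a managed user:", shadowing)
```

Run on a schedule against a fresh export, a non-empty result points at accounts created outside the central provisioning process.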

            Tom Sparrow added a comment - edited

            wow just discovered this issue!  How is this not possible not Atlassian! 

            Tried the workaround this morning - have now got organizations and customers hidden so hopefully this will work and there isn't another loophole somewhere


            Susan Hauth [Jira Queen] added a comment

            We did find one workaround. Using app "Extension for Jira Service Desk", we locked down visibility of the portal to certain user groups.

            Avinash Singh added a comment

            This is a huge issue for us as well. Jira admins should only be able to add users to the system.

            With the current add customer functionality, project admins who are not aware of the Jira user base can open up access to their portals unintentionally, which may contain references to intellectual property or sensitive information, if they set the customer permissions to "Customers who have an account on this Jira site".

            Customer permissions:
            Who can raise requests?

            • Customers who are added to the project
            • Customers who have an account on this Jira site
            • Anyone can email the service desk or raise a request in the portal

            Dmitry Kuznetsov added a comment

            Quote from JSD Customer permissions project settings: "If anyone can raise a request, Service Desk creates an account for anyone customers share with." In practice, this does include situations when an agent CCs someone and the reply is sent to the incoming mail handler.

            Thus, if we do not want Service Desk to create an account for anyone (based on 'sharing' or CC'ing), we need to remove "Service desk customer - portal access" from the "Create Issues" permission and add some specific access group instead.

            And also set "Who can customers share requests with?" to "Other customers in their organization" in "Customer permissions" for JSD project settings.
            This configuration will fully prevent adding any new customers via any means by service desk agents.

            However, JSD will start showing a "configuration error" notice each time one accesses this project's configuration.

            SEACOM Software Engineering added a comment

            Hi all,

            Has there been any movement on this feature request? Can anyone suggest a workaround besides the one mentioned in the description for the interim?

              Assignee: Unassigned
              Reporter: Julien Rey (jrey)
              Votes: 145
              Watchers: 91