Jira Service Management Data Center / JSDSERVER-6041

Issues do not appear on My Requests if Customer is an Agent who is denied access by the Issues' Security Level

    • Bug
    • Resolution: Duplicate
    • Low
    • None
    • 3.15.0, 5.4.5, 5.4.21, 5.16.1
    • Customer Portal

      Summary

      If agenta is both an agent and a customer of an SD project (project key BSD)

       And BSD-2 has a security level whereby agenta is not allowed to view it as an agent (from JIRA) but is allowed to view it as a customer (from SD Portal)

        Then BSD-2 doesn't appear on the My requests page of agenta under certain conditions


      Steps to reproduce

      1 - Setting up User & Group & Application Access

      1. Create group agent-a
      2. Create user agenta and add him to group agent-a
      3. Also give agenta application access to JIRA Service Desk.

      2 - Setting up Project Roles & Issue Security Scheme

      1. Create an Issue Security Scheme this way:
        • From JIRA:
          • agenta can view issues of Level A, but not Admin Level
          • An admin can view issues of either level
        • From Customer Portal, agenta should be able to view all issues he reports or is a participant in, regardless of security levels
      2. Create an IT Service Desk project and associate it with the above Issue Security Scheme
      3. Edit project roles and add agenta to Service Desk Team and Service Desk Customers roles, so that he will be both agent and customer.

      3 - Reproducing the issue

      1. As admin:
        • Add agenta as a participant in the sample issue that is created in the project, BSD-1 - this issue has no security level
        • Raise a new request on behalf of agenta, BSD-2
        • Edit BSD-2 and set security level to Admin Level
      2. Observe these behaviors when logged in as agenta:
        • As an agent, agenta is able to view BSD-1 but not BSD-2 in JIRA, which is expected due to security levels 
        • From Customer Portal, agenta sees 1 in Requests / My requests, which is expected since he's the reporter of BSD-2 
        • However, no request shows up in the list of My requests, which is unexpected since BSD-2 should appear 
        • Switching to All requests, agenta sees BSD-1, which is expected since he's a participant 
        • Clicking BSD-1 then changing the URL to BSD-2, agenta is able to view BSD-2 

      Workaround

      1. As admin, do either of the following:
        • Simply add/remove another user to/from another group that has nothing to do with the project or issue security scheme
        • Remove agenta from Service Desk Team role of the project then add him back to the role
      2. As agenta, refresh the My requests page, and BSD-2 now shows up.
      3. Since the only affected users are customers who are agents at the same time, another workaround is to use Agent view, where they will be able to see these tickets. In this case, the agent should be allowed access by the appropriate security level.

      The issue may happen again intermittently, in different ways. Please refer to the Notes section below for a consistent way to reproduce it.

      Notes

      The issue can be consistently reproduced this way, after being temporarily worked around by tweaking project roles and/or group memberships:

      1. As agenta, log out
      2. As admin, remove agenta from jira-servicedesk-users group, so that agenta loses application access
      3. As admin, add agenta back to jira-servicedesk-users group, so that agenta regains application access
      4. As agenta, log in JIRA, not Portal
      5. As agenta, perform a search of project BSD in Issue Navigator so that only BSD-1 will be visible to him
      6. As agenta, go to Customer Portal and observe that BSD-2 disappears again
      7. And so on

       At step 4, if agenta logs in to Portal instead, the issue can't be reproduced and BSD-2 is visible as expected. This seems to indicate that, after agenta logs in to JIRA as a new agent and searches for issues in the project, Lucene is repopulated in a way that only takes BSD-1 into account. Then, when agenta goes to Portal, only BSD-1 will be there.

       Take note that agenta is still able to view BSD-2 by accessing its Portal URL directly.


      Findings & Suggestions

      • The request count and request search are expected to be in sync, but they're not. For some reason, the search result is incorrect, and it may have something to do with security levels.
      • It's discovered that the request count does not use the same search that returns the search result. It performs search with security overridden which bypasses the issue security scheme.

       A possible solution is to make the request search use the same search as the request count.
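
A simplified model of the mismatch described in the findings above, added here as an illustration; it is not Jira or Atlassian code. All function names and the data layout are assumptions, and the list path is assumed to enforce the agent-side security level (the affected state). It shows the count, the list and direct-URL access diverging for agenta, and that the suggested fix aligns them without opening BSD-2 in the agent view.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model of the report's scenario; every name here is hypothetical.
@dataclass
class Issue:
    key: str
    reporter: str
    participants: set = field(default_factory=set)
    level: Optional[str] = None  # issue security level; None = no level set

# Constructed data mirroring the report (BSD-1's reporter is an assumption).
LEVEL_MEMBERS = {"Level A": {"agenta", "admin"}, "Admin Level": {"admin"}}
ISSUES = [
    Issue("BSD-1", reporter="admin", participants={"agenta"}),
    Issue("BSD-2", reporter="agenta", level="Admin Level"),
]

def passes_security_level(user, issue):
    return issue.level is None or user in LEVEL_MEMBERS[issue.level]

def is_customer_of(user, issue):
    return user == issue.reporter or user in issue.participants

def my_requests_count(user):
    # Count path: security overridden, only ownership is checked.
    return sum(1 for i in ISSUES if i.reporter == user)

def my_requests_list_buggy(user):
    # List path in the affected state: the security level is still enforced.
    return [i.key for i in ISSUES
            if i.reporter == user and passes_security_level(user, i)]

def my_requests_list_fixed(user):
    # Suggested fix: the list uses the same search as the count.
    return [i.key for i in ISSUES if i.reporter == user]

def portal_can_view(user, key):
    # Direct portal URL: reporter or participant, regardless of level.
    return any(i.key == key and is_customer_of(user, i) for i in ISSUES)

def agent_can_view(user, key):
    # Agent view in Jira: governed by the issue security level.
    return any(i.key == key and passes_security_level(user, i) for i in ISSUES)

def count_matches_list(user, list_fn):
    # Invariant for a regression test: badge count equals rows returned.
    return my_requests_count(user) == len(list_fn(user))
```
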


            Liam Flanagan (Inactive) added a comment:

            Hi everyone,

            This issue has been reviewed by the Jira DC Development team.

            As a result of our investigation, we've determined that this is a duplicate of JRASERVER-76927, so we'll be closing this ticket in favour of working on this there.

            Thank you for your patience,

            The Jira Service Desk Team

            Bret Jacobsen added a comment:

            This bug is still present in and affects version Jira Service Management 5.16.1.

            As far as I'm concerned, this is a significant bug and should not wait 5-6 years to get fixed.

            Todd Thomas added a comment:

            Our organization is running into this bug now after having on-boarded another department that is heavily impacted by this. We want to continue adding more departments into JSM, but we need Issue Security to ensure confidentiality. However, in doing so it makes it so each person on-boarded as an agent loses access to requests for other departments in the customer portal.

            While this is classified as "minor" currently, it is a known bug and may prevent us from adopting JSM as our enterprise solution if we can't have customers see their requests outside of their department.

            We really need Atlassian's assistance to overcome this issue for us.

            Justin Deutsch added a comment:

            This is a problem for secure environments, such as government agencies where information segregation is important to maintain security. For example, how do you:

            • prevent a user with a lower clearance seeing issue details which requires a higher clearance
            • allow a user with a higher level clearance to raise the classification of an issue while allowing the reporter to see their own ticket

            Relying on emails just doesn't cut it because - why have Jira in the first place.

            Yes, I know you can use projects but moving the issues between the projects has other issues when dealing with security classifications.

            Efren Miguel added a comment:

            Yes, some of our users are reporting this as well, please fix!

            Job Wolters added a comment:

            We do as well. Another workaround is to add Reporter to the Security level. Then the issue is shown in the Portal. However, this workaround is inappropriate as the reporter (when he has access to the backend of Jira) can still read internal comments for his own tickets with the security level.

            Tolga Gök added a comment:

            We also made this experience!

            David Sumlin added a comment:

            This is an issue for us. Please fix!

            Przemyslaw Wesolka added a comment:

            We need to get this bug fixed, because supporters/agents don't see their requests in portal request view.
            We have a two-level support; supporters from first level support have to be agents and also supporters of second level support are agents. Supporters from first level support have no permission to see and work on tickets which are already in second level support. They have to check these tickets in portal view.
            As long as this bug is not fixed, supporters from first level support can't see and follow up their tickets which are in progress by second level support. They have to work with their service desk emails and can't use portal request view. That's not very good.

              Unassigned
              vdung Andy Nguyen (Inactive)
              Affected customers: 39
              Watchers: 35