Suggestion
Resolution: Unresolved
Hi everyone,
Thank you for your interest in this issue.
We've reviewed this issue carefully and can understand the frustration this change has created - particularly where this presents a change from the previous configuration.
However, after discussion with our engineering team, the current permission scheme is working as designed.
The current behaviour allows the jira-administrator control of Assets global permissions - which ensures the removal of particular edge cases that could have been exploited; and in fact makes it clear that Jira Admins have always had top-level access and ability to configure permission to issues and objects within their projects.
We’ve updated our documentation to make it clear the “Jira Administrator” role is designed to have administrative rights for your instance of JSM and thus have access to all Object Schemas and Assets Objects.
I have now converted this Bug to a Suggestion so that we can continue to track this request and ensure we retain the history of this ticket.
Thank you,
Alex
Issue Summary
In earlier Insight versions (8.6.12 and below), users with the Jira Administrator permissions weren't able to access Insight Object Schemas when the permission mapping was removed.
Steps to Reproduce
- Using a System Administrator account, create a user A and add only the jira-administrators group for the user.
- Configure the role Insight Administrator to the System Administrator group (Insight > Configure > Roles).
- Create a test Insight Object Schema.
- Open the test Insight Object Schema and configure the roles only for the System Administrator group.
- Log in with the user A account and go to the Insight Object Schemas page (Insight > Insight Object Schemas).
Expected Results
The user A will not be able to see the test object schema, since the user doesn't have permission.
Actual Results
The user A is able to see the test object schema even without permissions.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
The above bug report has since been shifted to a Suggestion - as the engineering team have described a change required since bundling the product into Jira Service Management DC - that requires it to be clear Jira Administrators will have access to Assets global configuration; including access to object schemas and objects within those projects.
This suggestion is intended to capture the customers' desire to allow Admins access to configuration, but not necessarily access to all the objects within them.
Please update the symptom severity; this issue is severely impacting security if permissions don't work as documented/expected.