Jira Service Management Data Center: JSDSERVER-8647

Allow configuration of the "Jira Administrator" permission scheme to remove access to Insight Object Schemas

    • We collect Jira Service Desk feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Atlassian Update – 5 July 2023

      Hi everyone,

      Thank you for your interest in this issue.

      We've reviewed this issue carefully and can understand the frustration this change has created - particularly where this presents a change from the previous configuration.

      However after discussion with our engineering team - the current permission scheme is working as designed.

      The current behaviour allows the jira-administrator control of Assets global permissions - which ensures the removal of particular edge cases that could have been exploited; and in fact makes it clear that Jira Admins have always had top-level access and ability to configure permission to issues and objects within their projects.

      We’ve updated our documentation to make it clear the “Jira Administrator” role is designed to have administrative rights for your instance of JSM and thus have access to all Object Schemas and Assets Objects. 

      Reference: https://confluence.atlassian.com/servicemanagementserver/configuring-roles-and-permissions-1044784414.html

      I have now converted this Bug to a Suggestion so that we can continue to track this request and ensure we retain the history of this ticket.

      Thank you,
      Alex

      Issue Summary

      In earlier Insight versions (8.6.12 and below), users with the Jira Administrator permissions weren't able to access Insight Object Schemas when the permission mapping was removed. 

      Steps to Reproduce

      1. Using a System Administrator account, create a user A and add only the jira-administrators group for the user.
      2. Configure the role Insight Administrator to the System Administrator group (Insight > Configure > Roles)
      3. Create a test Insight Object Schema
      4. Open the test Insight Object Schema and configure the roles only for the System Administrator group. 
      5. Login with the user A account and go to the Insight Object Schemas page (Insight > Insight Object Schemas)

      Expected Results

      The user A will not be able to see the test object schema, since the user doesn't have permission.

      Actual Results

      The user A is able to see the test object schema even without permissions.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.


      The above bug report has since been shifted to a Suggestion - as the engineering team have described a change required since bundling the product into Jira Service Management DC - that requires it to be clear Jira Administrators will have access to Assets global configuration; including access to object schemas and objects within those projects. 

      This suggestion is intended to capture the customers' desire to allow Admins access to configuration, but not necessarily access to all the objects within them.
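
An added example (not Atlassian's code and not part of the original issue): assuming the behaviour described above, where holders of the Jira Administrators global permission can see every object schema, this audit lists for each schema the accounts that have access only through that permission and not through a schema role. Group names, users, schema names and role labels are constructed sample data standing in for your own group and schema role exports.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample data; replace with exports from your own instance.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "jira-system-administrators": {"sysadmin"},
    "jira-administrators": {"user_a", "dev_scriptrunner"},
    "cmdb-team": {"cmdb_owner"},
}

# Groups granted the "Jira Administrators" global permission (assumed input).
JIRA_ADMIN_GROUPS: Set[str] = {"jira-administrators"}

# Per-schema role -> groups mapping; role labels are placeholders.
SCHEMA_ROLE_GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "Test Schema": {"manager": {"jira-system-administrators"}},
    "HR Assets": {
        "manager": {"cmdb-team"},
        "user": {"jira-administrators", "retired-group"},
    },
}


def expand(groups: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Resolve groups to users; report groups missing from the export."""
    users: Set[str] = set()
    unknown: Set[str] = set()
    for group in groups:
        if group in GROUP_MEMBERS:
            users |= GROUP_MEMBERS[group]
        else:
            unknown.add(group)
    return users, unknown


def audit_schema(schema: str) -> Dict[str, List[str]]:
    """Compare role-granted access with access implied by Jira admin rights."""
    role_groups = set().union(*SCHEMA_ROLE_GROUPS[schema].values())
    explicit, unknown = expand(role_groups)
    admins, _ = expand(JIRA_ADMIN_GROUPS)
    return {
        "explicit": sorted(explicit),
        # Accounts nobody assigned a schema role, yet able to see the schema.
        "implicit_only": sorted(admins - explicit),
        "unknown_groups": sorted(unknown),
    }


if __name__ == "__main__":
    for name in SCHEMA_ROLE_GROUPS:
        print(name, audit_schema(name))
```

The `implicit_only` list is the set to review when deciding who should hold Jira Administrator at all, since the schema role configuration cannot remove those accounts.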


            Marlon Schäfer added a comment - Please update the symptom severity, this issue is severely impacting security if permissions don't work as documented/expected.

            Penn added a comment -

            This issue is especially concerning for our efforts as we have a developer base that needs access to plugins like ScriptRunner which require Jira Administrator. These developers require restricted access to parts of Insight but we cannot restrict it without breaking the developers' ability to access ScriptRunner and other Jira Administrator required plugins.


              Unassigned
              Rodrigo Jose Zaparoli
              Votes: 12
              Watchers: 18