  1. Jira Software Cloud
  2. JSWCLOUD-24149

Read-only Atlassian Connect app permissions for querying workflows


    Description

      Background

      Currently, Atlassian Connect apps require the ADMIN scope in order to query workflows, workflow schemes, and related read-only endpoints. Being able to query a Jira issue type's workflow transitions is important for building Jira apps that automatically transition issues under certain conditions. Currently, the only way to do this is by having the full-blown ADMIN scope associated with the app, which grants wildly excessive permissions to apps that only need to read this information. This increases the security risk associated with such apps, and cautious Jira admins may not be willing to install them.

      Suggestion

      To reduce the security risks associated with Atlassian Connect apps that need to query Jira workflows, add a new scope in between READ and ADMIN that enables this functionality, or allow the READ scope to query these API endpoints. The current description of the READ scope on the Atlassian Marketplace is "Read data from the host application." Allowing that scope to read workflow configurations seems consistent with this description, so an entirely new scope may not be necessary.

          People

            Unassigned
            David Ramos
            Votes: 0
            Watchers: 1
