Details
-
Suggestion
-
Resolution: Unresolved
-
None
-
None
-
0
-
Description
Use case 1: As Elon Musk, I do not want my board or the press to become aware that I deployed a super-secret task force to work on a project to build an autonomous hovercraft, codename "Floaty Car." Therefore, I cannot have the whole company seeing the names of epics in the FC project. Unfortunately, even though I love love LOVE Jira software, I cannot use Jira for my FC project. Floaty fail.
Use case 2: As a consultant with multiple clients, each with their own projects but in the same, highly-competitive industry, I cannot have clients seeing the names of epics that we are working on for other clients. This creates a major security issue for me, and even though I love love LOVE Jira software (wow, I sound like Elon Musk!) alas, I cannot use Jira for my projects. In addition to the security issue, clients often accidentally assign stories to epics in other projects, which creates a mess for everyone.
For both use cases, the 100+ commenters, 157 watchers in JSWSERVER-12016 and I disagree with the Jira's comment in JSWSERVER-12016 that, "there are no known security issues with the epic link field, if a user does not have view permissions for a project then they will not see the epics for that project." True, a user may not be able to see the details of an epic itself, but the user can see the names of the epics in other projects, which is the issue.
I am marking this story symptom severity as "critical" because this issue prevents many of us from using Jira software for projects on which we would like to use it.
Thank you,
Will