-
Suggestion
-
Resolution: Unresolved
-
None
-
1
-
3
-
NOTE: This suggestion is for JIRA Portfolio Server. Using JIRA Portfolio Cloud? See the corresponding suggestion.
Summary
The current implementation of the permission handling can lead to some confusing scenarios where e.g. plan permissions get bypassed by global permissions.
The interaction of these two permission levels should be redesigned.
Scenario
- Create 2 groups - read-only and portfolio-editor.
- Grant read-only group with Portfolio Viewer permission in Portfolio global permission.
- Grant portfolio-editor group with Portfolio User permission in Portfolio global permission.
- Create 2 users - User A and User B.
- Put User A in read-only and User B in portfolio-editor.
- Create a Portfolio plan.
- Configure the plan's permission to give only User B for Viewers.
- Login with User A and try to access the plan. It is allowing this user to view it regardless of the plan's permission.
- Add portfolio-editor group to plan's permission Editors.
- Now, User A will be blocked from accessing the plan.
Expected Behavior
Portfolio should only allow User B to access the plan without the need of setting a group for Editors to enforce the permission.
- relates to
-
- Closed
-
- Closed
-
- Gathering Interest
- links to
