I'm currently trying to set up a Jira Server installation for multiple clients and while reviewing/probing the Structure plugin it worked surprisingly well initially.
But what I found was that if a user creates a structure and then goes to Configure > Permissions > User he has access to the full user list of the installation.
While all other user lists (like assignee lists or "@" lists in normal Jira) are aware of the current project context, and the rest of Structure seems to be aware of issue accessibility of both the current user as well as the structure creator, the permission user list simply exposes all users of the installation, which is an issue especially for us since we use mail addresses as usernames and these get exposed as well, with the mail domain essentially exposing our client list.
I understand that this is an edge case and quite hard to fix, but in my opinion there should be an additional check where only users are shown that share a project with the owner of the structure. Group sharing unfortunately does not work since everybody will share the jira-software-users group for general Jira access.
Thank you for highlighting this, Matthias,
This is indeed an oversight. Let me record it in our internal system. I will let you know when the problem is fixed.
Regards,
Egor Tasa
ALM Works
Does it help you internally if I open an official Atlassian support ticket for this or is this post enough?
Hi Matthias,
I don't think Atlassian can help us here. I must note that there is a solution to the problem in general - you can restrict the Browse Users permission from Global Settings. This will make users without this permission unable to list any users (I must note that in some cases Jira does not seem to follow this setting, especially with the assignee field, but this is a different thing). However, solving the issue for the specific scenario will require quite a bit of design effort, as users that can set permissions in a structure are not acting within any context, project, or even structure yet (as people can assign permissions when the structure is still empty). I cannot promise a solution to this problem (apart from the Browse User setting) any time soon, but I will let you know if such a solution is found and implemented.
Regards,
Egor
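A small model of the check proposed in the original post (list only users who share a project with the structure owner), compared with the unfiltered and group-based lists. This is an added example, not part of the thread and not Structure's code; the user names, project keys and function names are constructed or hypothetical, and only the jira-software-users group name comes from the thread.

```python
# Constructed sample directory: e-mail addresses as usernames, as in the thread.
USERS = {
    "alice@client-a.example": {"groups": {"jira-software-users"}, "projects": {"CLA"}},
    "bob@client-a.example":   {"groups": {"jira-software-users"}, "projects": {"CLA"}},
    "carol@client-b.example": {"groups": {"jira-software-users"}, "projects": {"CLB"}},
    "dave@host.example":      {"groups": {"jira-software-users"}, "projects": {"CLA", "CLB"}},
    "erin@client-c.example":  {"groups": {"jira-software-users"}, "projects": set()},
}


def unfiltered(owner):
    """Behaviour reported in the thread: every user of the installation."""
    return sorted(USERS)


def shares_group(owner):
    """Group-based filter: users with at least one group in common with the owner."""
    own = USERS[owner]["groups"]
    return sorted(u for u, a in USERS.items() if u == owner or a["groups"] & own)


def shares_project(owner):
    """Proposed filter: users with at least one project in common with the owner.

    The owner is always listed, so an owner with no project (the "no context
    yet" case raised in the reply) sees only their own account.
    """
    own = USERS[owner]["projects"]
    return sorted(u for u, a in USERS.items() if u == owner or a["projects"] & own)


def exposed_domains(usernames):
    """Mail domains revealed by a user list (the client-list leak)."""
    return {name.split("@", 1)[1] for name in usernames}


if __name__ == "__main__":
    owner = "alice@client-a.example"
    for label, fn in (("unfiltered", unfiltered),
                      ("shares group", shares_group),
                      ("shares project", shares_project)):
        print(f"{label:15} -> {sorted(exposed_domains(fn(owner)))}")
```
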