The recent Atlas CRM cloud update included the removal of Jira groups to control access, which in turn replaced any previously configured access with access for all Jira users.
This is extremely poor for a number of reasons:
- It provides previously unauthorised users with access to data, some of which is classified as 'Personally Identifiable Information' (PII), which is within the scope of the GDPR. Therefore, this change could result in legal and regulatory privacy issues for users of this application.
- Going forward, permissions are applied to users rather than groups. Even though you can 'bulk' add users by selecting a group, which in turn returns group members to add, for any future updates you'll need to repeat the process rather than just specify the group once and then handle membership accordingly (e.g. through an automated, well-defined Joiner-Mover-Leaver (JML) process). This increases admin overhead and the risk of access configuration issues / unauthorised access (e.g. a Jira user moves teams, for which there is a group that they're a member of, following which they are removed from the group (let's say 'CRM Users'); however, that user will remain in Atlas CRM unless a CRM admin removes the individual account from the permissions list).
I've raised a ticket with the vendor about this but thought I would call it out for anyone else that may have experienced the same or isn't yet aware.