We're using Stash and JIRA (integrated), and our product managers are having difficulty understanding when commits are getting merged into dev and/or release branches.
For security reasons, we don't want our product managers to be walking around with copies of the source code on their machines. However, we want them to be able to use Stash to see the source (for example, to participate in the discussion surrounding a pull request).
Is there now (or are there future plans to have) a way to separate browsing functionality (i.e., seeing the code in the web-browser and participating in the conversations around a code review) from actual git read operations (like cloning a repo)?
Re: false security -- I think that's a narrow-minded view of security. Security isn't just about access, it's also about encouraging secure behavior by making it significantly more convenient than insecure behavior, the same way that a self-locking door is part of a "more secure" strategy than a door that must be manually locked. Our product managers have laptops, and if I give them a level of access that makes it easy to clone a repo, they'll do it, and if/when a laptop gets stolen, our intellectual property will be at risk. However, if I can give them a level of access that allows them to see the source code freely in Stash (but not clone the repo), then while yes, technically they could tediously copy each file individually to their machine, that would be so laborious and inconvenient that they'd never actually do it, because it'll be far, far more convenient for them to browse the source code in Stash. What I'm asking for is a level of access that encourages more secure behavior (accessing the code online) over less secure behavior (making an offline copy). Thoughts?
Mick's comments makes a lot of sense to me. I haven't tried this but you should be able to block clone/pull/fetch etc, in fact all git interactions, using an SCM request check module: https://developer.atlassian.com/stash/docs/latest/reference/plugin-module-types/scm-request-check.html
So you could block all access to a group, or maybe block all access to users that don't have WRITE permissions to the repository.
I understand the point about false security but it seems like a reasonable mitigation in the case of stolen laptops... although encrypted hard drives are also good.
With respect to the excellent matrix here in the documentation: https://confluence.atlassian.com/display/STASH/Using+repository+permissions I'm looking for a level with only the first and third columns (browse/comment).
This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.Read more
Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda ...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs