Managing Jira and Confluence Access for 'External Users'

Thank you, Maykenna! 

What is your experience of addressing this question with setting up a separate Jira environment that is designed to be shared with external users? That to mitigate the risk of exposing internal company information. 

Separate Jira instances would have to share their data. There are (paid) Jira Apps which can sync between instances. You could spin up some free Jira Cloud instances and most Jira Apps are free for 2-4 weeks. Lots of opportunity to do Proof of Concept work, if you want to explore that direction.

I haven't used those sync apps (yet - there has been some discussion here). I have heard that non-Cloud Jira instances probably shouldn't sign onto a sync App, as the vendors aren't supporting them (due to the pending sunsetting of some of those non-Cloud platforms).

Jira permission schemes are quite capable of "mitigating the risk of exposing internal company information", as I noted above. The key risk is the human(s) in the loop. To mitigate that, keep the themselves in sync with the admin details on this critical issue. It sounds like that's important to the business, so make it a priority.

Hi @Yordanka Terziyska

I'm Matthias and I'm part of the team behind Backbone Issue Sync, such an issue sync app, @Mykenna Cepek mentioned.

We have several customers using our app to have an internal Server/Data Center instance which is not accessible from the outside world and synchronize parts of it with an externally available instance. This external available instance may be either Server/Data Center or Cloud.

I can definitely say that we are still supporting Server & Data Center customers to synchronize with other Jira instances - no matter what the deployment type is. And I'm pretty sure that this is also true for the other issue sync apps.

If you want to have a more detailed perspective on such a scenario, you can also check out this blog post on our homepage or contact us via help@k15t.com to discuss your specific use case.

Thank you @Mykenna Cepek and @Christian Gaiser for the feedback! I really appreciate it! I have tested Backbone Issue Sync in Jira Cloud instances (have made just some basic tests to sync projects between two jira cloud instances) and yes, it is an option I am considering if we decide to go this way. Good to know who I can reach out to if this alternative becomes relevant. Thank you! 🙏

It's good to hear, @Matthias Gaiser _K15t_, that your sync app is continuing to pay attention to the Jira Server and Data Center markets.

My information came from both our own internal testing, and also from a large client who did their own substantial testing of several sync solutions, and ended up unsatisfied, creating instead their own solution using scripts and APIs.

I would still recommend Proof-of-Concept efforts to anyone, to ensure that a solution addresses all of your requirements and needs.

I totally agree doing your own proof-of-concept is key in order to get a solution that fits your needs.

If there's anything missing when you do a POC and our solution doesn't match your needs, you can always get in contact with us. I can't promise we'll add your feature, but I can promise that we're listening.

(Francis here - with the Exalate team - another issue sync app)

FYI
We are continuing supporting our apps way beyond the EOL of the underlying application.. For instance - our apps are still supporting Jira 6.3.  Although that Atlassian stopped to support this version long time ago, there are still customers actively using this environment.


Regarding the use case - there are a couple of our customers that have one central Jira (on cloud - used by the customer team).  For each of their partners (customers/suppliers) they did setup a Jira cloud instance - dedicated to one partner.

That way they avoid that information leaks between the customers themselves.
It is a more cumbersome setup - but it addresses a major concern.

More information can be found here

How does this work/look like?

Before doing the above, I had a separate Jira instance for contractors and that was a big pain because we kept having to duplicate tickets.  

Hi @Ken Siskind 

Thank you for sharing! Really appreciated! May I bother you some questions around the concerns I have using this approach? 

• What solution do you use to manage the user base, i.e. are all external users added via the Jira application? 
• If you have f ex 2-3 externally shared projects, active at the same time, wouldn't then the users in the group 'external' group see all these projects? My concern is that I might end up with several 'external' user groups and difficult to manage in the long run in a reliable way. 
• What about filters and dashboards with sharing permissions that allow any logged in user to view? Any ideas how to make sure these are not exposed to external users. Or it might be just me missing something. 

Thank you!

We have about 140 Jira projects of which 100 are customer projects, which the relevant customers have access to so we did the following:

1. Limited each customer to 10 guests (policed so inactive customers are disabled after 3 months of no activity)
2. created a group for each customer
3. created a project role that the customer group gets associated to
4. made all permission schemes project role based
5. made one generic set of schemes for issue type, workflow, screens, fields, permissions, isssue security and notifications that all customer projects use
6. made a blank template project that uses the same schemes to make pushing out issue layout changes easier to do
7. came up with a layer 4 security level using conditioned workflow loops and transition screens so only our staff can edit certain fields on screens the customers have access to
8. made all filter and dashboard permissions project based so customers can only see whats been shared with their project
9. created a custom confluence space for each customer project linked it to the JIra project
10. set the security on the confluence space so the customers can only access their projects space, we do have to copy pages from spaces the customer cannot access in order for them to see those pages but we have a plugin to make that easy.

Thank you very much @Alex Adland for sharing! Very useful! Really appreciated! 

To answer your questions:

1) For external users, we just manually invite them through Jira.  Internal users are handled through Atlassian access

2) External users can only see a project when they are added to a role on an individual project.  If they don't have the role on a project, then they have no access to that project

3) they can see a list of dashboards, but since they don't have browse access to projects they can't drill into any of them.  You got me nervous about this one, so I just re-validated that this was the case. 

We also found a few other points of exposure, despite this type of "external user lockdown" via Jira Permission Scheme:

• Shared/public filters are visible. The content of those filters isn't accessible if the underlying project isn't accessible by the external user. But the names of the filters are exposed.
• Similar to the above for Plans.
• Creation of new project Boards is still allowed.
• Changing the "Epic panel" setting under Board configuration is still allowed.