Hi everyone,
I already asked a similar questions some days ago, but now the specifics have changed a bit and I would like to rephrase.
The problem we have is that we cannot allow all customers from an organization to automatically see all issue of that organization. Per default configuration all issues will be shared to everyone if the reporter is member of a organization.
Simply stated we have a problem regarding confidentiality of the created issues. Example:
A manager of a customer creates an issue informing us of an upcoming termination of an employee of theirs. With the default configuration the employee could just login to our service desk and see that he is about to be fired. He could then damage the company in some way, knowing he is about to be let go anyway.
Just one of many examples, but in my opinion it is only logical to restrict the normal employee form viewing tickets that a manager or director put in.
Now, I know about issue security schemes and I also know we could set them manually if we see a confidential issue popping up. However, from a management perspective it is just not possible to keep on top of 100-200 issues/day with 30+ customers reporting them.
So what we tried was to create an issue security scheme which restricts all issues to be view able by the reporter only. This works in the sense that members of the same organization can no longer see it in the service desk. However, we then run into this bug: https://jira.atlassian.com/browse/JSDSERVER-3507
So setting that security scheme works at first, but as soon as someone tries to comment (via email) an issue where he is not the reporter AND tries to add an attachment (even just a picture in a signature) the comment gets rejected.
So going forward I thought about possible solutions:
- Somehow disable the automatic sharing of issues within an organization, maybe with an add-in.
- Removing the organization from the issue does not work for us without reworking all of our SLA rules.
- Disable the helpcenter somehow to prevent users from logging in and creating/seeing issues.
- This would allow us to keep the default configuration since only customers who know the issue number or have a JIRA recognized mail-thread can comment.
- Delete all organizations and group customers differently. Rewrite all SLA rules. Remove issue security scheme.
- Essentially we "convert" each organization into a group manually and rewrite the SLA rules to check if the reporter is in a given group to set the correct response time as defined in the respective contract.
- Issues would no longer be shared and therefore not be displayed in the helpcenter for everyone but the reporter and manually added customers because we eliminated the organizations.
- What I am not sure about is if everyone will be able to comment on every issue if the issue number is known. I think it should be possible if I grant the "anyone" group the add comment permission in the project permissions.
So I would like to ask you guys if you maybe know of a different solution. If there is none then I'm leaning more towards number 3.
Thanks for all responses in advance!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.