Jira Service Desk Separation

Hello Everyone,

We've recently started using Service Desk and it seems ideal to create a simplified portal for customer issue entry and updates. However, we have been unable to find any documentation or configuration to "isolate" the client from the standard Jira system.

Upon creating a test user and visiting the portal URL to login to Jira as the customer, I get access to most Jira areas (issues, search, etc.). We'd like the client to ONLY see the service desk customer portal.

I've reviewed the permissions, groups, roles and permission schemes to no avail. Can anyone confirm if what we want is possible under Service Desk?

Thanks.

5 answers

All users licensed to access Service Desk are by definition licensed to use JIRA. After all, it's really just a plugin for JIRA. To isolate the Service Desk users from the JIRA projects, you will have to configure your projects in such a way that these users don't have access to view isssues. All other areas such as search filters and JIRA Agile are based on these permissions, so if the user doesn't have access to the project then the issues won't show up in their search.

Here's the catch with this, though. The user will need to have some access to the project the service desk portal is connected to in order to fill out a request form. Here's how I plan to handle this:

  • Create a new role called "Service Desk Users"
  • Put "jira-users" group in the role to let all logged in users into it
  • Copy the permission scheme for the project, rename it and associate it with the project
  • Edit permissions on new scheme and give the Service desk user the following roles:
    • Create Issues
    • Create Attatchments

The previous permissions will let them create issues and attatchments, but nothing else. The Browse Projects permission is what will give them access to see their currently open issues. If this is turned off, they will see a zero in the counter and they won't be able to comment on the issues via the email link. If you want to let them see their issues and comment, give them these extra permissions:

  • Browse Projects
  • Add Comments
  • Edit Own Comments
  • Delete Own Comments

Once these permissions are given, the users will be able to see issues in the service desk project. Of course, they won't know what JIRA is, nor will they care to go find it. Just in case they stumble into the site, though, you will need to be diligent about what you say in your issues because the users will be able read it. If you have a confidential comment, you will need to secure it appropriately. You will also probably want to use issue level security to only let them see their own issues.

The bottom line is, lock them out of every other project they don't need to access and then give them only as much access as they need in the Service Desk-related project.

P.S. Also keep in mind that the project used by the service desk is only for receiving, triaging and resolving incidents for the end users. If you want to, you could create additional issues in a private project that they don't have access to and then link back to the original issue. We may do that with some of our workgroups.

Looks like this made it in to Atlassian's backlog:

https://jira.atlassian.com/browse/JSD-62

Until we have this built-in to servicedesk/jira, I wrote my own page that hosts the service desk customer portal and then use javascript to hide all the stuff I don't want them to access.

This method only works as long as the user stays on the page. All they have to do to break out is go directly to the servicedesk url instead of my page.

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta charset="utf-8" />
        <title>CTS Ticket Collector</title>
    </head>
    <script type="text/javascript">
            function setInputBox(iframe) {
                if (iframe) {
                    var iframeWin = iframe.contentWindow || iframe.contentDocument.parentWindow;
                    if (iframeWin.document.body) {
                    
   // First check to see if we are on the in the service desk or view profile areas.
   // If the user got here, then redirect them.
   if (iframeWin.document.location.href.indexOf('/servicedesk/customer/hd') == -1 
    && iframeWin.document.location.href.indexOf('secure/ViewProfile.jspa') == -1 
    && iframeWin.document.location.href.indexOf('login.jsp') == -1)
   {
    iframeWin.document.location.href = 'http://helpdesk.sil.org.pg/servicedesk/customer/hd';
   } 
   else 
   {
    
                  // The current v1.0 of Jira Service Desk Customer Portal has very limited control types
                   // and doesn't provide an option to set an input box to type password.
                  // Since we ask for the password on some of the customer portal forms for our help desk,
                  // we load the page in a frame and onload of the document, we find any input box that has a
                  // label which includes the word "Password" and we set it's type to password.
                         var elements = iframeWin.document.getElementsByTagName('label')
                         for (var i = 0; i < elements.length; i++)
                         {
                              var label = elements[i];
                              if (label.textContent.indexOf("Password") != -1 || label.textContent.indexOf("password") != -1) {
                                  var box = iframeWin.document.getElementById(label.htmlFor);
                                  if (box) box.type = "password";
                              }
                         }

                         // Also do this for dt and change the corresponding dd to stars. This is in the case
                         // where the user can review thier issue in summary form. We don't want their password
                         // showing here either.
                         var elements = iframeWin.document.getElementsByTagName('dl')
                         for (var i = 0; i < elements.length; i++) {
                              var dl = elements[i];
                              if (dl.textContent.indexOf("Password") != -1 || dl.textContent.indexOf("password") != -1) {
                                  var dd = dl.lastChild;
                                  if (dd) dd.textContent = "********";
                              }
                         }

    // Now hide other elements we don't want visible to the customer portal
    // users. At least until Jira gets an update out that does this for us.
    try { iframeWin.document.getElementById('home_link').style.visibility ='hidden'; } catch (err) {}
    try { iframeWin.document.getElementById('greenhopper_menu_no_project').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('system-help-menu').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('quicksearch').style.visibility ='hidden';} catch (err) {}
    //try { iframeWin.document.getElementById('user-options').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('browse_link').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('greenhopper_menu').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('servicedesk-section').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('find_link').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('navigator-options').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('create-menu').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('activity-profile-fragment').style.visibility ='hidden';} catch (err) {}
    try { iframeWin.document.getElementById('quicklinks').style.visibility ='hidden';} catch (err) {}
    if (iframeWin.document.location.href.indexOf('secure/ViewProfile.jspa') != -1)
     try { iframeWin.document.getElementById('user-options').style.visibility ='hidden';} catch (err) {}

    }

    try { iframeWin.document.getElementById('login-form-remember-me').disabled = 'disabled';} catch (err) {}
    try { iframeWin.document.getElementById('sign-up-hint').textContent = "Don't have an account? To submit your request, please contact the CTS Helpdesk at extension 4173.";} catch (err) {}
    try { iframeWin.document.getElementById('login-form-cancel').style.visibility ='hidden';} catch (err) {}


    iframe.style.visibility = 'visible';
                 }
      
             }

 }

 function init_content_monitor() {
    var iframe = document.getElementById('collectTicket');
    iframe.style.visibility = 'hidden';
 }
    </script>
    <body style="margin:0px;">
 <div style="background-color:#f5f5f5;position:absolute;top:0;left:0;height:100%;width:100%" height="100%" width="100%"></div>
 <iframe id="collectTicket" src="http://helpdesk.sil.org.pg/servicedesk/customer/hd" frameborder="0" style="overflow:hidden;overflow-x:hidden;overflow-y:hidden;position:absolute;top:0px;left:0px;right:0px;bottom:0px;height:100%;width:100%;" onload="setInputBox(this);" height="100%" width="100%" />
    </body>

</html>

Also, as another way to try and keep users where I want them, I added the following script to the Announcement banner for public (System/ g + g + Announcement) so that it will change the normal default page from the daskboard login to my page.

<script>
if((jQuery('#header-details-user-fullname').text().indexOf(" ") ==-1 
    && window.location.href.indexOf("/secure/Dashboard.jspa") != -1) 
   || (window.location.href.indexOf("/servicedesk/customer/hd") != -1 
    && window.parent.location.href.indexOf("/ticket.htm") == -1))
{ 
 window.location = contextPath+"/ticket.htm" 
}
// Notify top window of the unload event
window.parent.init_content_monitor();
</script>

We want to have multiple clients accessing the service desk module, with the ability to see just their own issues via the portal.

However, it does not seem possible to configure Jira/Service Desk in such a way that clients can not log into Jira directly and see ALL issues relating to ALL clients, since the "Browse Project" permission that they need to access the service desk.

This seems to be a huge limitation, and would present a commercial risk unaccepatable to our clients. We could create one project per client, but then we would have to have separate eervice desks for each, since each service desk can only sit on a single project.


Am I missing something here?

It might be possible with a plugin. I could try to write one later if needed. Well, that is if your OK with using it. However, I will note that this is something that should be added to JIRA Service Desk itself.

Restricting certain users to only see the customer portal, without accessing the rest of JIRA, is not possible in Service Desk right now.

However, we are currently investigating different ways of enabling that situation. You can watch the feature request at https://jira.atlassian.com/browse/JSD-36 to be informed of any updates.

Suggest an answer

Log in or Sign up to answer
Atlassian Community Anniversary

Happy Anniversary, Atlassian Community!

This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.

Read more
Community showcase
Bridget Sauer
Published Mar 09, 2018 in Jira Service Desk

E.L. Fridge's take on education, Jira Service Desk, and creative Jira use cases

...word of mouth, so by 2016, we were working with several other entities on campus to implement Jira Service Desk . The Atlassian motto of “for every team” has really come true for us in this case. We...

1,231 views 2 14
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you