I just noticed that everyone on the Jira Cloud can see all customers from the JSD when using a standard issue search.
How to reproduce it:
2. Click Assignee
3. Type something
4. See customers from JSD, even if you do not have access to JSD projects.
Atlassian security officers, any thoughts?
I'm one of our support managers. One of my remits is our privacy and legal support. I also am in charge of our community support, as chance has it. I've been discussing your reported issue internally to make sure I get a good response. Sorry for the delay. Now that we're past the holidays I'm ready for a reply.
You're correct, both in your technical assessment of what's happening and in your conclusion that it's not guaranteeing privacy the way one would expect. Our product team responsible for this has confirmed we are in progress on a fix for the issue. We intend to change the drop-down behavior to remove usernames. Once usernames are removed here, it should only show the display name. Sorry to have had a back and forth with you on confirming your original report.
We really do take privacy seriously, it's just that tracking down all the areas where we need to improve can be tricky and in this case we really needed your report. In fact we needed to go back and forth internally just to ensure we could indeed reproduce it.
If you need anything specific for your instance, I'm watching your support ticket as well.
thank you for getting back to this.
I do not understand what exactly do you mean by removing usernames from the drop-down and showing only the display name.
The issue is not related to what exactly is shown in the drop-down, but to the fact that all users from the Jira instance can get information about all customers from JSD. It doesn't matter if they can see only email or username.
The expected fix is to disallow that completely, i.e. only users with access to JSD should be able to access customers.
Please remember, that not only your drop-down on search form is affected, but also REST API and thus other places.
The GDPR piece is around PII (Personally identifiable information); it felt like that was your main concern. Display names is a different category than email addresses, avatars, or other PII, which is why I was keyed in on that distinction. That's particularly true on public sites like this one, but indeed applies to internal Jira instances as well.
It's true that most people choose to make display names personalized (ie it's generally their real name especially inside companies where that's their work), but the distinction from a legal perspective is still valid: the display name is different from personal data.
For example, you can choose to make a burner-account type display name here on Community or you can choose your actual name; in either case, it'd be a serious violation if we could click on your user account and see your email address, but it's not a violation if we see your actual name that you've chosen to display. If you choose to include a real picture of yourself, you should also be able to control removing it.
I think what you're after is more of a feature request around permissions control for fine-grained control around user pickers, but if I'm understanding this correctly it's not a GDPR non-compliance issue.
I can go back to our legal team for specifics if you think I'm misunderstanding? Also I will raise it as a feature request, but let's at least make sure we're seeing this the same way and I'll try to chase it up.
The first answer from Atlassian is that this is the expected result!
The situation that all employees have access to all customers emails and nothing can be done with that is expected?
What about https://www.atlassian.com/trust
We are committed to protecting the privacy of your data and your customers' data, and preventing it from unauthorized access with industry best-practices such as GDPR and Privacy Shield.
Is the above a joke?
Hi Atlassian Community! This is Teresa from the Atlassian team. My colleague Paul Buffington @Buff and I are excited to share a brand new ITSM resource we’ve created – "The Complete Guide to At...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event