Assignee or reporter can't see issue with issue security scheme set

Aleksei Lysak May 12, 2017

Hi,

I've created 'Assignee, Reporter and Developers' issue security scheme with 'Current assignee', 'Project Role (Developers)' and 'Reporter' groups to be allowed to see the issues (based on https://confluence.atlassian.com/jirakb/how-to-limit-user-to-only-browse-issues-assigned-to-or-reported-by-them-779160753.html guide)

User is able to create issue but can't see the issue afterwards (whether he is assignee or not) unless I add user to Developers group. 

User is added to Users role for the project (via group). 

Even if I add user (as a Single User) to Security Scheme he still can't access the issue.

Thanks in advance,

Alex

 

2 answers

2 accepted

2 votes
Answer accepted
Sam Hall
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 12, 2017

Is the user definitely part of a group or role that gives them the 'Browse projects' permission for the project in question?

You mention a 'Users' role for the project, but it's possible this only grants people permission to create issues, but not browse the project.

If you set security level on a particular issue to 'none', can the user see it?

0 votes
Answer accepted
Aleksei Lysak May 12, 2017

Hi Sam,

Thank you for your answer.

1) No he is not given access to Browse projects. As there is absolutely no point in having Security scheme if user is given access to Browse Projects.

If I add user permission to Browse projects he is able to see All issues in the project regardless of security scheme/assignee/reporter (and I want to restrict internal issues from the client)

Related issues:

https://jira.atlassian.com/browse/JRA-34389

https://jira.atlassian.com/browse/JRA-31720

 

2) No, even if I set security level on a particular issue to 'none' user still can't see it.

Regards,

Alex

Sam Hall
May 12, 2017

If you don't give 'Browse projects' somehow, then the user will never be able to see any issues in the project. That's why they can't even see the issues with no security level set.

'Browse projects' is the basic permission anyone needs to see an issue within the project. 

Then you use the issue security scheme on top of that to restrict the visibility of specific (or all) issues.

You can avoid those bugs you linked, because you don't need to grant the 'Browse projects' permission to 'Reporter' or 'Current Assignee'.

Instead, grant 'Browse projects' to your 'Users' role. 

To keep your issues secure, make sure all issues get your 'Assignee, Reporter and Developers' security level. Make it the default security level and bulk change any existing issues to set it.

That way, people in your 'Users' role will be able to browse the project, but they will only be able to see the issues when they meet the conditions of the security level set on each issue.

Making sure every issue has 'Assignee, Reporter and Developers' level set will stop your non-developer users from seeing all issues.

Sam Hall
May 12, 2017

Essentially, what I'm describing there is the workaround given in both the bugs.

Aleksei Lysak May 12, 2017

Looks like I messed it up myself.

When I originally set all the permissions, I hadn't updated the security level for older issues, so that's why I could still see those with this restricted user. I did a bulk update and now it works as expected.

Thanks for helping me to sort this out!

Best regards,
Alex

Sam Hall
May 12, 2017

Ah right. I think I see what happened:

You originally had given the 'Users' role 'Browse projects', but saw that they could see older issues, so took it away.

But 'Browse projects' wasn't the cause; it was that the old issues didn't have a security level set.

So the fix was:

  • Give 'Users' role back 'Browse projects'
  • Bulk change old issues to set correct security level

Is that right? Worth confirming if you can, in case it helps someone else with the same problem.

Aleksei Lysak May 12, 2017

Yes, that's exactly what happened and how it was fixed!

 

Also the default security level should have been set for new issues:

1. Choose [cog] > Issues.
2. Select Issue Security Schemes to open the Issue Security Schemes page.
3. Click the scheme name, or the Security Levels link in the Operations column, to open the Edit Issue Security Levels page.
   a) To set the default security level, locate the appropriate Security Level and click Default in the Operations row.

Source: https://confluence.atlassian.com/adminjiraserver071/configuring-issue-level-security-802592414.html

Sam Hall
May 12, 2017

Awesome : ) Glad to help.
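The two permission layers this thread worked through, as an added example (a simplified model written for this page, not Jira's code and not posted by either participant). The issue keys, user names and helper functions are constructed; the role and level names are the ones used in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

@dataclass(frozen=True)
class Issue:
    key: str
    reporter: str
    assignee: str
    level: Optional[str] = None  # None = no security level set on the issue

LEVEL = "Assignee, Reporter and Developers"
# Who each security level admits (constructed to mirror the scheme in the thread).
LEVELS = {LEVEL: {"roles": frozenset({"Developers"}), "reporter": True, "assignee": True}}

def can_view(user, issue, browse_roles, levels=LEVELS):
    # Layer 1: without 'Browse projects' nothing in the project is visible.
    if not user.roles & browse_roles:
        return False
    # Layer 2: an issue with no level is open to everyone who passed layer 1.
    if issue.level is None:
        return True
    rule = levels[issue.level]
    return bool(
        user.roles & rule["roles"]
        or (rule["reporter"] and user.name == issue.reporter)
        or (rule["assignee"] and user.name == issue.assignee)
    )

def visible_keys(user, issues, browse_roles):
    return [i.key for i in issues if can_view(user, i, browse_roles)]

def missing_level(issues):
    # Audit helper: issues that are visible to every project browser.
    return [i.key for i in issues if i.level is None]

def bulk_set_level(issues, level=LEVEL):
    # Models the bulk change: give every unlevelled issue the restrictive level.
    return [Issue(i.key, i.reporter, i.assignee, i.level or level) for i in issues]

client = User("client", frozenset({"Users"}))  # constructed sample data
ISSUES = [
    Issue("PRJ-1", "dev", "dev"),              # old issue, created before the scheme
    Issue("PRJ-2", "client", "dev", LEVEL),
    Issue("PRJ-3", "dev", "dev", LEVEL),
]
```

Running `missing_level` before and after a scheme change gives a quick check that no issue is left without a level once 'Browse projects' is granted to a broad role.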
