Because its current setting is public. Does this not present a security issue?
There are any number of examples where companies' dashboards and filters have been made visible on Google searches simply because of incorrectly applied permissions.
How is this not also a problem with the System Dashboard?
If it's not, good.
Just trying to get clarification to ensure our company's data is not unnecessarily at risk.
No. If a Jira dashboard is "leaking" data, then the problem is that the projects and issues are not secured. Where you've seen dashboards leaking data to Google, that data is also available by looking at the projects, issues, searches, reports, REST, and all the other places in Jira that present data.
The dashboard is not a security issue itself, it's just one of many ways to see data that has not been configured correctly.
A dashboard will not show secured data.
Glad to be of some reassurance! I also meant to give an example:
Imagine you have four issues all labelled "important"
If your system dashboard has a gadget on it that has a saved filter of "label = important", and simply lists the issue keys with their summary.
@Nic Brough _Adaptavist_ I don't think you are correct with saying
No. If a Jira dashboard is "leaking" data, then the problem is that the projects and issues are not secured.
Even if you have projects and issues fully secured, it seems to me that there is no way to secure e.g. the Welcome section or any content of a Rich text gadget, for example.
If there is no way to make the System Dashboard non-public, you effectively cannot use any widget which is not based on projects or issues.
I do consider this as a security issue indeed.
The main issue is that there is a system dashboard which by default is public. All other content is by default private. If the system was by default private and allowed to be changed to public access that would also be helpful. At the least, we should be able to turn it to private.
That is not an issue, if you set your permissions correctly. The system dashboard is needed as a landing point, and needs to be public to enable that.
If you set your permissions correctly, then people landing on it who should not see any data on it will not see that data.
You cannot set any permission for a welcome widget or rich text gadget. And yes, you usually don’t put any secret information there, but there is a large gray zone between secret and public. You are suggesting to secure the content but there is no way.
Also, imagine that those widgets could be secured. Still, is it correct that you have an accessible effectively-blank dashboard? I personally don’t think so. I want all of my Jira to be behind login. And this is not possible. And what's worse: people don’t usually know it (as it’s not evident, not that it wouldn’t be documented).
Right, so don't put them on the system dashboard with anything you do not want out in public.
And the point about effectively-blank dashboard is the point. If you secure it properly, you have a dashboard that is not blank, and can be used as a public landing point.
I don't understand why you're effectively arguing for a "404 error until you click log in".
The back-and-forth here is based on descriptive vs. prescriptive perspectives. The responses are good professional responses, and can be rationalized based on the flexibility that is currently available with the existing tools.
But, we all know security is about layering... and the more layers you can secure, the better. So, sounds like food for thought, as a future feature request or enhancement.
My understanding is that the System Dashboard is not and should not be "needed as a landing point" - Issue Navigator is the alternative.
And to avoid potential problems, where the filter in the System dashboard is not public, but the board itself is - for the system integrity - the option to make the System Dashboard for "any logged in user" sounds reasonable and obvious.
First, can you "give us a good reason" why you think that "issue navigator is a terrible place to land on first use"?
Issue Navigator allows you to see all new requests, the whole picture, regardless of Issue Type/Project/KPI/etc., for admins, at least.
In our case, for example, we have plenty of Issue Types, different teams focus on them, and they have their 'own dashboards', specific to a number of issue types, as System Dashboard cannot satisfy their needs. As a result, they land on different dashboards, and the System dashboard remains nearly unused...
I tried to create a System dashboard that would be useful for many, and it resulted in an overcrowded, hard-to-navigate one - not a good solution :(
Now, I am not asking for '404 error'. We do have the ability to make filters available for a) a specific group; b) any logged-in user; c) etc., but we are unable to do the same for the System dashboard that uses/relies on these filters. This creates inconsistency and potential problems.
If I understand it correctly, you are focused on JIRA open to public. We have, in contrast, the small group of Jira users, and public can make requests and receive responses.
You've answered your own question there - the issue navigator is not a good landing place because of what you say in the third paragraph. As a landing place, it's never going to work for all team members, and in fact would work for no-one, as it'll just show you a list of almost certainly irrelevant issues.
Again, can you give us a good reason why the system dashboard should not be visible? The question is not about how you use it, or what you would prefer to see as a landing point, it's why you would want a 404 as your landing point?
In the third paragraph I was talking about the System Dashboard - that it cannot satisfy all and could become obsolete.
I am not 'promoting' the issue navigator, but it gives you list of the most recent issues. To say that it "just show you a list of almost certainly irrelevant issues" is simply not true in our case.
Perhaps I was not clear: in a non-public JIRA environment, the System Dashboard should have the option of being visible only for logged-in users. Because the inconsistency between filters, visible to logged-in users, and the System dashboard, visible for all, presents a potential access problem.
And there are ways to avoid 404, through exception message, for example "you are not authorized/please, login to see the page"/etc.
Does it make sense to you?
No, it makes no sense.
The question here is about hiding the system dashboard.
The system dashboard is a good landing point.
What benefit would you get from hiding it and effectively giving your users a dead end point? Instead of one that (can be or) is a useful starting point that shows them only stuff they can see, whether logged in or not.
I don't understand why you won't tell me why a landing point that's a pointless error message is better than a dashboard which can report on useful stuff and lead you to the places you need to go easily? Can you please explain that?
3. "a dashboard which can report on useful stuff" - System Dashboard - "the point about effectively-blank dashboard is the point" (Nic Brough _Adaptavist_ COMMUNITY LEADER Aug 17, 2020) - you call this useful??
So, the blank dashboard is not pointless, but the error message explaining the blank screen, is?
2. "If you secure it properly, you have a dashboard that is not blank, and can be used as a public landing point" (Nic Brough _Adaptavist_ COMMUNITY LEADER Aug 17, 2020) - there is NO public landing point whatsoever for many!
1. Inability for JIRA admins to correspond filters with the System dashboard creates inconsistency and potential problems - the benefit we can 'get from hiding it'.
It's useful because you seem to be struggling with the concepts, and other people landing here should not be left hanging with your misunderstandings.
Please have another read of the earlier stuff. And then maybe answer the question of how you believe a pointless empty error message is better for the user than a dashboard that can easily be configured to be of some use to anyone landing on it?
1. I am struggling not with the concept, but with the problem the concept - "System Dashboard should be open to public and the ultimate landing point for all" - creates.
2. In fact, I did re-read the whole chain, even quoted some, but in the latest responses I see the repeated baseless statements, not arguments, sorry.
3. I think, there is no point to continue this discussion, as 'cons' points are simply ignored and not proved wrong. Thank you for your time.
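The three concerns raised in this thread (issue-backed gadgets that follow project permissions, text gadgets that carry no permissions, and filters shared more narrowly than the dashboard that uses them) can be checked together. This is an added example, not part of any post and not Atlassian's code; the inventory format, scope names and all sample values are hypothetical and constructed, not Jira's REST schema.

```python
# Hypothetical inventory format (not Jira's REST schema); all values constructed.
SCOPE_RANK = {"public": 0, "logged-in": 1, "group": 2}  # higher = narrower

DASHBOARD = {
    "name": "System Dashboard",
    "scope": "public",
    "gadgets": [
        {"title": "Welcome", "kind": "static"},
        {"title": "Team notes", "kind": "static"},
        {"title": "Important issues", "kind": "filter", "filter": "important"},
        {"title": "Open bugs", "kind": "filter", "filter": "open-bugs"},
    ],
}
FILTERS = {
    "important": {"scope": "logged-in", "projects": ["OPS"]},
    "open-bugs": {"scope": "public", "projects": ["WEB", "OPS"]},
}
# Projects whose Browse permission is granted to anonymous users (constructed).
ANON_BROWSE = {"WEB"}


def review_dashboard(dashboard, filters, anon_browse):
    """Return (gadget title, finding) pairs for a dashboard anonymous users can open."""
    findings = []
    if dashboard["scope"] != "public":
        return findings  # nothing on it reaches an anonymous visitor
    for gadget in dashboard["gadgets"]:
        if gadget["kind"] == "static":
            # Text gadgets carry no issue permissions; whatever is typed in is shown.
            findings.append((gadget["title"], "static content visible to anonymous"))
            continue
        flt = filters[gadget["filter"]]
        if SCOPE_RANK[flt["scope"]] > SCOPE_RANK[dashboard["scope"]]:
            # The mismatch between filter sharing and dashboard sharing.
            findings.append((gadget["title"], "filter shared more narrowly than dashboard"))
            continue
        exposed = sorted(set(flt["projects"]) & anon_browse)
        if exposed:
            # Data shows only because the project itself allows anonymous browsing.
            findings.append((gadget["title"], "issues exposed via anonymous browse: " + ", ".join(exposed)))
    return findings


if __name__ == "__main__":
    for title, finding in review_dashboard(DASHBOARD, FILTERS, ANON_BROWSE):
        print(f"{title}: {finding}")
```
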