I'd like certain team members of ours to be able to edit global JMWE configuration (under Jira settings -> Apps), specifically, scheduled and event-based actions. Ideally, they'd be able to edit only those actions that they've created (i.e. an "edit own" permission) but it's also OK if they can edit all.
Can I somehow set up access control like this, without making them global Jira administrators?
Hi @Zoltán Lehóczky ,
unfortunately, that isn't possible, for security reasons. Once you are able to edit Actions, you are basically able to do anything that the Jira REST API offers, by using the callJira Nunjucks filter. This essentially gives you admin powers, and therefore we need to restrict that power to official Jira admins.
Actually, isn't a JMWE action only as powerful as the user account executing it? In some cases one can also select whether to run it as the current user, a selected user, or the add-on user. Wouldn't it then be possible to restrict non-administrator users to only being able to run these as their own user, thus preventing access elevation?
Well, not really. Even when you select "run as" to run a post-function, it only impacts certain calls to Jira. Most of the calls have to be made "as the app user". And in particular, Nunjucks templates and their filters run as the app user. And of course they can be run by clicking on "Test Nunjucks Template"; they don't even need to be part of a workflow post-function.