
Permissions for editing JMWE configuration

I'd like certain team members of ours to be able to edit global JMWE configuration (under Jira settings -> Apps), specifically, scheduled and event-based actions. Ideally, they'd be able to edit only those actions that they've created (i.e. an "edit own" permission) but it's also OK if they can edit all.

Can I somehow set up access control like this, without making them global Jira administrators?

Thank you!

1 answer

1 accepted

2 votes
Answer accepted

Hi @Zoltán Lehóczky,

Unfortunately, that isn't possible, for security reasons. Once you are able to edit Actions, you are basically able to do anything that the Jira REST API offers, by using the callJira Nunjucks filter. This essentially gives you admin powers, and therefore we need to restrict that power to official Jira admins.

I see, thank you.

Actually, isn't a JMWE action only as powerful as the user account executing it? In some cases one can also select whether to run it as the current user, a selected user, or the add-on user. Because it would be possible to restrict non-administrator users to only be able to run these as their own user, thus preventing access elevation?

Well, not really. Even when you select "run as" to run a post-function, it only impacts certain calls to Jira. Most of the calls have to be made "as the app user". And in particular, Nunjucks templates and their filters run as the app user. And of course they can be run by clicking on "Test Nunjucks Template"; they don't even need to be part of a workflow post-function.
