Prevent Jira Admin from Accessing LDAP Settings

RM June 27, 2018

I have created a jira-system-administrators group in hopes of preventing the jira-administrators group from having access to domain-related settings like LDAP and AD. Am I missing something or is it not possible to prevent the jira-admin from accessing LDAP settings?

2 answers

1 vote
Matt Doar
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
June 27, 2018

But if they can't change the settings, are you concerned about them being able to view the settings?

RM June 27, 2018

I read that same article but after adding the jira-system-administrators group, the jira-administrator group still has the ability to not only view but change LDAP settings. This is a huge problem.

Matt Doar
Community Leader
June 28, 2018

And you made sure that the Global Permissions only has jira-system-administrators in the JIRA System Administrators area?

RM June 28, 2018

Yes

Matt Doar
Community Leader
June 28, 2018

Hmm. Time for an Atlassian Support ticket I think

RM June 28, 2018

Can I do that with a Starter license?

Matt Doar
Community Leader
June 28, 2018

Ah, no.

0 votes
Andy Heinzer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 28, 2018

Hi RM,

What version of Jira is this?   I just tested this in my 7.10.1 and this works as expected.

Could you show us what your global permission settings look like?  (Screenshot would be great!)  It might also help to run the SQL query of

select group_id from globalpermissionentry where PERMISSION='SYSTEM_ADMIN';

This will return to us all the group(s) that have system admin rights on your Jira site.

You can then also run in SQL

select child_name, directory_id from cwd_membership where parent_name='groupnamehere';

where you can change the groupnamehere to the group name returned in the first query.  This will provide all the users that have that permission right now.

It might also help to see

select * from cwd_directory;

Just to understand if you have multiple user directories.

Out of the box, Jira doesn't make a distinction between System admins and Jira admins. So if you are finding that these jira-admins still have system admin rights, the only reason I can think that would be possible is if they are still members of a group that is granting that access here.

Matt Doar
Community Leader
June 28, 2018

The actual question was whether jira-admins can view LDAP and AD configuration. I thought that they could not, but jira-system-admins could

Andy Heinzer
Atlassian Team
June 28, 2018

Jira admins can not.  Only the system admins can see or manage user directories settings like LDAP.

Matt Doar
Community Leader
June 28, 2018

Good to know. The doc page linked at the top of this thread could make that clearer I think :)

RM July 11, 2018

Apologies for the delayed response. I was running 7.9.1 but upgraded to 7.10.2 and tested again. Unfortunately, I have the same problem. My jira-system-administrators group has my domain admin account and the jira-administrator group has my regular user with no elevated access. As the jira-administrator, I can add a user to any group I wish including the Domain Admin group. I'm sure you can see why that is an issue.  I can state with certainty that the user in the jira-administrators group is not in the jira-system-administrators group. I have attached a snip of my global settings. When I View Users in each group, they are what I expect. I am not sure how to run the SQL queries against this deployment as I am using the internal database. I can dig for the particulars regarding default credentials and what kind of database is installed by default unless you have that info readily available. In your 7.10.1 environment, as a jira-administrator, can you attempt to add a user to your Domain Admin group from the group menu?

[Attachment: GlobalPermissions.JPG]

Andy Heinzer
Atlassian Team
July 11, 2018

Please don't use the internal H2 database with Jira.  It is really only meant for evaluation purposes.  It's very prone to data loss, especially when a server is unexpectedly shutdown.   Please see the steps in Switching databases to move your Jira data to a database on the supported platforms.

Scenarios like this can get confusing quickly because Jira doesn't do a good job in the UI of indicating from which user directory that a group is coming from.  As such you can have both an LDAP group and a group in the internal user directory with the same name.   I suspect that is what is happening here from all the information we have up to this point.

I'm sure that your jira-administrator user can add users to the internal user directory's group (provided that your external user directory in Jira is set up to use Read Only with local groups; any other setting would not allow him to add LDAP users into groups that exist in other user directories). However, in order to change external user directory settings, like LDAP configuration, your user needs to be in the jira-system-administrators group.

That's why it's important to run a SQL query to figure out if the group membership is set for the user in question by an internal group to Jira, or the LDAP group.  This can be done in SQL with a query such as:

select child_name, directory_id from cwd_membership where parent_name='groupname';

The directory_id will tell us if this is internal or external.  (1=internal, any external directory will be a 5 digit number such as 10000 or 10001)   I'm guessing this jira-administrator user is adding other users to the Jira internal group, in which case we should see that in the SQL results.


Ultimately, I think the solution here is going to be either eliminate the 'read only with local groups option' or make sure that the group names in LDAP are not the same as the group names in Jira's internal user directory when it comes to trying to set user permissions/user membership.
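The three queries Andy gives in his first answer, plus the "same group name in two directories" check he describes in this comment, can be run end to end against a small in-memory SQLite mirror of the tables involved. This is an added example, not code from the thread or from Atlassian. The table names and the columns quoted in the thread (group_id, permission, child_name, parent_name, directory_id) are Jira's; the extra cwd_directory columns used here (directory_name, directory_type, active) and every row of data are assumptions constructed for the demonstration. The sample data deliberately contains a 'jira-system-administrators' group in both the LDAP directory (id 10000) and the internal directory (id 1), which is the situation Andy suspects: SYSTEM_ADMIN is granted by group name, so the internal shadow group quietly extends the permission to its own members.

```python
import sqlite3

# Constructed, simplified mirror of three Jira Server tables. Columns beyond
# those quoted in the thread (directory_name, directory_type, active) are
# assumptions for this example.
SCHEMA = """
CREATE TABLE cwd_directory (
    id             INTEGER PRIMARY KEY,
    directory_name TEXT,
    directory_type TEXT,
    active         INTEGER
);
CREATE TABLE cwd_membership (
    parent_name  TEXT,      -- group name
    child_name   TEXT,      -- user name
    directory_id INTEGER    -- which user directory the membership lives in
);
CREATE TABLE globalpermissionentry (
    permission TEXT,        -- e.g. SYSTEM_ADMIN, ADMINISTER
    group_id   TEXT         -- group name; NOT scoped to a directory
);
"""

# Constructed sample rows: one internal directory (1) and one LDAP
# directory (10000). 'jira-system-administrators' exists in BOTH.
SAMPLE_ROWS = {
    "cwd_directory": [
        (1, "Jira Internal Directory", "INTERNAL", 1),
        (10000, "Corp LDAP", "CONNECTOR", 1),
    ],
    "cwd_membership": [
        ("jira-system-administrators", "domadmin", 10000),  # intended sysadmin
        ("jira-administrators", "rm", 10000),               # intended plain admin
        ("jira-system-administrators", "rm", 1),            # shadow group, internal
    ],
    "globalpermissionentry": [
        ("SYSTEM_ADMIN", "jira-system-administrators"),
        ("ADMINISTER", "jira-administrators"),
    ],
}


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def sysadmin_groups(conn: sqlite3.Connection) -> list:
    """Query 1 from the thread: which group names carry SYSTEM_ADMIN."""
    rows = conn.execute(
        "SELECT group_id FROM globalpermissionentry WHERE permission = 'SYSTEM_ADMIN'"
    ).fetchall()
    return [r[0] for r in rows]


def members_of(conn: sqlite3.Connection, group_name: str) -> list:
    """Query 2 from the thread: members of a group, with the directory each
    membership comes from (1 = internal, 10000+ = external)."""
    rows = conn.execute(
        "SELECT child_name, directory_id FROM cwd_membership WHERE parent_name = ?",
        (group_name,),
    ).fetchall()
    return sorted(rows)


def shadowed_groups(conn: sqlite3.Connection) -> list:
    """Group names whose memberships come from more than one directory,
    i.e. the same-name-in-two-directories case Andy describes."""
    rows = conn.execute(
        "SELECT parent_name FROM cwd_membership "
        "GROUP BY parent_name HAVING COUNT(DISTINCT directory_id) > 1 "
        "ORDER BY parent_name"
    ).fetchall()
    return [r[0] for r in rows]


def effective_sysadmins(conn: sqlite3.Connection) -> list:
    """Everyone who actually ends up with SYSTEM_ADMIN, and via which active
    directory. Joins on group NAME because that is how the grant is stored."""
    return conn.execute(
        """
        SELECT m.child_name, m.directory_id, d.directory_name
        FROM globalpermissionentry g
        JOIN cwd_membership m ON m.parent_name = g.group_id
        JOIN cwd_directory  d ON d.id = m.directory_id AND d.active = 1
        WHERE g.permission = 'SYSTEM_ADMIN'
        ORDER BY m.child_name, m.directory_id
        """
    ).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print("SYSTEM_ADMIN groups:", sysadmin_groups(db))
    for g in sysadmin_groups(db):
        print(f"members of {g}:", members_of(db, g))
    print("groups present in >1 directory:", shadowed_groups(db))
    print("effective system admins:", effective_sysadmins(db))
```

Against a real Jira database the four SQL statements can be pasted directly into a PostgreSQL or MySQL client; the Python wrapper only exists so the example runs offline. The useful output is the last query: it lists each user who holds SYSTEM_ADMIN together with the directory that membership comes from, so a user appearing with directory_id 1 when you expected only LDAP members is exactly the shadow-group case to investigate (or to close off by disabling the internal directory, or renaming the internal group).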

RM July 11, 2018

This is for evaluation purposes only which is why I am using the internal database. The internal Jira Directory is disabled so I am not having a conflict there. I am able to add a user to my Domain Admin group as a jira-administrator and verify the update on my domain controller. This change is not happening internally to Jira, it is happening externally. Is the internal database postgres? I can track down a management console to run the SQL queries but need to know if it is even possible on the internal database.

RM July 11, 2018

Disregard on the postgres question, I see you noted it is an H2. I have never attempted to use a management tool with H2, I will see what I can find.
