
Announcement: Restrictions on usage of issue-level grants with Project permissions

G’day Atlassian community!

To improve security in Jira, we’re restricting the use of issue-level grants with project permissions. Let’s go through these changes in detail.

Context

First, let’s define issue-level grants and project permissions. Issue-level grants are:

  • current assignee
  • reporter
  • user custom field value
  • group custom field value

Project permissions are the permissions that operate at the project level. They are listed under the “Project permissions” category on Jira’s permission scheme page (e.g., Administer Projects, Browse Projects).

Why is it changing?

Currently, it is possible to associate the above issue-level grants with project permissions. For example, one can grant the “Administer Projects” permission to a “reporter”. However, this can open up the project to users to whom it should not be visible. Someone who temporarily becomes a reporter, current assignee, etc. can get access to restricted projects/issues within Jira during that time period. JRACLOUD-71397 and JRACLOUD-74768 describe the problem in more detail.

Going forward, to avoid such conditions and make Jira more secure, we won’t allow associating issue-level grants with project permissions.

What is changing in Jira?

You will notice changes to Jira’s permission scheme page. None of the project permissions can be granted to a reporter, current assignee, user custom field value, or group custom field value. So when granting a project permission, either by clicking “Grant permission” or via the “Edit” button associated with any project permission, those issue-level grants will not appear.

Thus it is recommended to avoid using issue-level grants with project permissions.

When will it reach me?

We will roll out this change to all of our customers in phases, over the next few weeks. Since this change involves a deprecation, we strongly recommend and urge all customers to plan for and adopt the above changes. Meanwhile, we welcome feedback from you.

Show me the changes!

Here are some screenshots of the Grant permission modal on the permission schemes page that indicate the changes mentioned above:

[Screenshot] Old behavior: Issue-level grants could be associated with project permissions

[Screenshot] New behavior: Issue-level grants cannot be associated with project permissions

Thank you in advance for working through these changes and for your continued support.

Please reach out to us in case of any concern by commenting on this post.

Best,

Varad Pingale

Jira PM
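
To find existing grants of the kind this announcement restricts, an administrator can scan an export of the site's permission schemes. The following is an added example, not Atlassian's code and not part of the original post; it assumes the export has the JSON shape returned by Jira Cloud's `GET /rest/api/3/permissionscheme?expand=permissions`, and the holder type names, permission keys, and sample data are assumptions or constructed for illustration.

```python
import json

# Holder types matching the issue-level grants listed in the announcement,
# spelled as in Jira Cloud's permission scheme JSON (assumption).
ISSUE_LEVEL_HOLDERS = {"assignee", "reporter", "userCustomField", "groupCustomField"}

# Keys assumed to belong to the "Project permissions" category; the post itself
# names only Administer Projects and Browse Projects. Adjust for your site.
PROJECT_PERMISSIONS = {
    "ADMINISTER_PROJECTS", "BROWSE_PROJECTS", "MANAGE_SPRINTS_PERMISSION",
    "SERVICEDESK_AGENT", "VIEW_DEV_TOOLS", "VIEW_READONLY_WORKFLOW",
}

# Constructed sample export (scheme names, ids and parameters are made up).
SAMPLE_EXPORT = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default software scheme", "permissions": [
    {"id": 1, "permission": "ADMINISTER_PROJECTS", "holder": {"type": "reporter"}},
    {"id": 2, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "userCustomField", "parameter": "customfield_10050"}},
    {"id": 3, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10002"}},
    {"id": 4, "permission": "EDIT_ISSUES", "holder": {"type": "assignee"}}
  ]},
  {"id": 10001, "name": "Restricted scheme", "permissions": [
    {"id": 5, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "group", "parameter": "jira-admins"}}
  ]}
]}
""")

def find_issue_level_project_grants(export):
    """Return one finding per project permission granted to an issue-level holder."""
    findings = []
    for scheme in export.get("permissionSchemes", []):
        for grant in scheme.get("permissions") or []:
            holder = grant.get("holder") or {}
            if (grant.get("permission") in PROJECT_PERMISSIONS
                    and holder.get("type") in ISSUE_LEVEL_HOLDERS):
                findings.append({
                    "scheme": scheme.get("name"), "grant_id": grant.get("id"),
                    "permission": grant["permission"], "holder": holder["type"],
                    "parameter": holder.get("parameter"),
                })
    return findings

if __name__ == "__main__":
    for f in find_issue_level_project_grants(SAMPLE_EXPORT):
        print("{scheme}: {permission} granted to {holder} ({parameter})".format(**f))
```

Grant 4 in the sample is not reported because it pairs an issue-level holder with an issue permission, which the announcement does not restrict.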

1 comment

G subramanyam Community Leader Aug 20, 2022

Thank you @Varad Pingale for the updates and announcement. It surely takes time for me to sync with the changes.
