G’day Atlassian community!
To improve security in Jira, we’re restricting the use of issue-level grants with project permissions. Let’s go through these changes in detail.
First, let’s define issue-level grants and project permissions. Issue-level grants are: reporter, current assignee, user custom field value, and group custom field value.
Project permissions are the permissions that operate at the project level. They are listed under the “Project permissions” category on Jira’s permission scheme page (e.g. Administer Projects, Browse Projects).
Currently, it is possible to associate the above issue-level grants with project permissions. For example, one can grant the “Administer Projects” permission to a “reporter”. However, this can open up the project to users to whom it should not be visible. Someone who temporarily becomes a reporter, current assignee, etc. can get access to restricted projects/issues within Jira during that time period. JRACLOUD-71397 and JRACLOUD-74768 describe the problem in more detail.
Going forward, to avoid such conditions and make Jira more secure, we won’t allow associating issue-level grants with project permissions.
You will notice changes to Jira’s permission scheme page. None of the project permissions can be granted to a reporter, current assignee, user custom field value, or group custom field value. When granting a project permission, either by clicking on “Grant permission” or via the “Edit” button associated with any project permission, those issue-level grants will not appear.
Thus it is recommended to avoid using issue-level grants with project permissions.
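One way to find existing grants of this kind before the rollout reaches your site, as an added example that is not Atlassian's code: it scans a permission scheme export and reports project permissions granted to issue-level holders. It assumes the JSON shape returned by the Jira Cloud REST call GET /rest/api/3/permissionscheme?expand=permissions and that API's holder type names; the sample data and the list of project permission keys are constructed for illustration.

```python
import json

# Assumption: holder.type values the Jira Cloud REST API uses for the four
# issue-level grants named in this post.
ISSUE_LEVEL_HOLDERS = {"reporter", "assignee", "userCustomField", "groupCustomField"}

# Assumption: keys for the "Project permissions" category. The post names only
# Administer Projects and Browse Projects; extend this set to match your site.
PROJECT_PERMISSIONS = {"ADMINISTER_PROJECTS", "BROWSE_PROJECTS"}

# Constructed sample in the shape of /rest/api/3/permissionscheme?expand=permissions
SAMPLE_EXPORT = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default software scheme", "permissions": [
    {"id": 1, "permission": "ADMINISTER_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
    {"id": 2, "permission": "BROWSE_PROJECTS", "holder": {"type": "reporter"}},
    {"id": 3, "permission": "EDIT_ISSUES", "holder": {"type": "assignee"}}
  ]},
  {"id": 10001, "name": "Vendor scheme", "permissions": [
    {"id": 4, "permission": "ADMINISTER_PROJECTS", "holder": {"type": "userCustomField", "parameter": "customfield_10050"}},
    {"id": 5, "permission": "BROWSE_PROJECTS", "holder": {"type": "group", "parameter": "vendors"}}
  ]}
]}
""")

def find_issue_level_project_grants(export):
    """Return one finding per project permission granted to an issue-level holder."""
    findings = []
    for scheme in export.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder") or {}
            # Issue permissions (e.g. EDIT_ISSUES for the assignee) are not
            # affected by this change, so only project permissions are flagged.
            if (grant.get("permission") in PROJECT_PERMISSIONS
                    and holder.get("type") in ISSUE_LEVEL_HOLDERS):
                findings.append({
                    "scheme": scheme.get("name"),
                    "grant_id": grant.get("id"),
                    "permission": grant["permission"],
                    "holder": holder["type"],
                    "field": holder.get("parameter"),
                })
    return findings

if __name__ == "__main__":
    for f in find_issue_level_project_grants(SAMPLE_EXPORT):
        print("{scheme}: {permission} granted to {holder} ({field})".format(**f))
```

Each finding is a grant to replace with a project role, group, or named user in the affected scheme.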
We will roll out this change to all of our customers in phases, over the next few weeks. Since this change involves a deprecation, we strongly recommend and urge all customers to plan for and adopt the above changes. Meanwhile, we welcome feedback from you.
Here are some screenshots of the Grant permission modal on the permission schemes page that indicate the changes mentioned above
Thank you in advance for working through these changes and for your continued support.
Please reach out to us in case of any concern by commenting on this post.