Announcement: Restrictions on usage of issue-level grants with Project permissions

G’day Atlassian community!

To improve security in Jira, we’re restricting the use of issue-level grants with project permissions. Let’s go through these changes in detail.

Context

First, let’s define issue-level grants and project permissions. Issue-level grants are:

  • current assignee
  • reporter
  • user custom field value
  • group custom field value

Project permissions are the permissions that operate at the project level. They are listed under the “Project permissions” category on Jira’s permission scheme page (e.g., Administer Projects, Browse Projects).

Why is it changing?

Currently, it is possible to associate the above issue-level grants with project permissions. For example, one can grant the “Administer Projects” permission to a “reporter”. However, this can open up the project to users to whom it should not be visible. Someone who temporarily becomes a reporter, current assignee, etc. can get access to restricted projects/issues within Jira during that time period. JRACLOUD-71397 and JRACLOUD-74768 describe the problem in more detail.

Going forward, to avoid such conditions and make Jira more secure, we won’t allow associating the issue-level grants with project permissions.

What is changing in Jira?

You will notice changes to Jira’s permission schemes page. None of the project permissions can be granted to a reporter, current assignee, user custom field value, or group custom field value. So when granting a project permission, either by clicking on “Grant permission” or via the “Edit” button associated with any project permission, those issue-level grants will not appear.

Thus it is recommended to avoid using issue-level grants with project permissions.

When will it reach me?

We will roll out this change to all of our customers in phases, over the next few weeks. Since this change involves a deprecation, we strongly recommend and urge all customers to plan for and adopt the above changes. Meanwhile, we welcome feedback from you.

Show me the changes!

Here are some screenshots of the Grant permission modal on the permission schemes page that indicate the changes mentioned above:

[Screenshot] Old behavior: Issue-level grants could be associated with project permissions

[Screenshot] New behavior: Issue-level grants cannot be associated with project permissions

Thank you in advance for working through these changes and for your continued support.

Please reach out to us in case of any concern by commenting on this post.

Best,

Varad Pingale

Jira PM

4 comments

G subramanyam
Community Leader
August 20, 2022

Thank you @Varad Pingale for the updates and announcement. It surely takes time for me to sync with the changes.

Yatish Madhav
Rising Star
January 26, 2023

Hey - Looks like the 71397 issue has been deleted or made inaccessible to us? Thank you

Linh HOANG March 20, 2023

Any updates on this article? I still see "Issue-level grants can be associated with project permissions" on my Jira instance.

Also, https://jira.atlassian.com/browse/JRACLOUD-71397 is not accessible anymore.

Yatish Madhav
Rising Star
March 22, 2023

Any update, please?
