Hi Susan,
I understand that you are looking for a means restrict which users can export Jira issues and the comments within. I can see why you might want to restrict these internal comments, however there is a flaw in this the ability to restrict this.
The ability to see internal comments of a Service Desk project is not actually only granted only to Service Desk Agents. Technically all licensed Jira users that have permissions to that issue will be able to see all the public and internal comments on those issues. Since that is the case, the exporter in Jira is also expected to include those when that user is doing an export. This is by design though. It is meant to allow Jira Core/Software licensed users to interact internally with support agents. Meanwhile only Service Desk agent users can actually respond with public comments to the customers.
This private/public comment behavior varies slightly though if you were using an issue level security scheme. The security schemes can let you specify which issues and/or comments within that issue should have restricted visibility. These can be applied to any type of project in Jira Server (Business/Core, Software, Service Desk). Usually these are used to restrict a comment or an entire issue to only be visible to users in a group or a project role.
Essentially, what I am getting at here is that the way I would suggest to address this problem would be to lock down the project permissions first and if necessary implement a security scheme on such projects to completely prevent such users from seeing that content completely in Jira.
I'd start with checking the project permissions. If these users should not even have access to see these issues in this project, then adjusting the project permissions so that they cannot browse issues in this project will effectively hide all those issues to those users. This will prevent them seeing the issue in Jira and in turn that issue will not exist when that user does a search in the issue navigator.
If these users need to be able to see the issues, but just not specific comments, well, it gets more complicated here, because the ideal way to implement this would be to apply an issue level security scheme to that project, and the apply a security role to such comments as they are made. This way the users can still see the issue and search for it, but when they view the issue or export it, they only get back the comments that their account has rights to see.
The KB you cited can be helpful to prevent users from using the export button on the page, but that method does nothing to prevent users from using REST API calls to perform essentially the same tasks. Also if the users are advanced enough, they could simply edit the HTML using a browsers developer tools to make that button re-appear for them. Those users still technically have the permissions to use that function even though we might have implemented a CSS hack to hide the elements to the end user.
Which is why I think it would be best to push for on the front of checking/adjusting the permissions of those users first. And then if need be implement issue level security as well. These are at least two built in pieces to Jira that exist to manage these kinds of security concerns natively. In turn if you implemented these to handle this, even requests then made via the REST API by that same user would still return only what they have permissions to see, the same as the issue navigator always will.
I hope this helps, please let me know if you have any concerns or questions about this suggested approach.
Andy
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.