
Disabling / Restricting Access to Script Runner Console

The ScriptRunner plug-ins have the ability to hide some of their own functionality, i.e. if you disable the "Display %" modules, like "Display Script Console Web Item" and "Display Fragments", the hyperlinks to these pages are hidden. However, this does not actually hide those pages. If you navigate to another page, like "Built In Scripts", you can see the tabs / pages displayed in the frame for the web items that have been "hidden".

Has anyone been able to either:

  1. Remove these pages / tabs altogether?
  2. Restrict access to these tabs / pages to only certain individuals / groups, i.e. a SUBSET of the people allowed to access ScriptRunner?


FYI - We have not been able to create a URL rewrite rule in Tomcat that works sufficiently, because when you start on another tab, like "Built In Scripts" and then select "Console" you are not actually navigating to that console page.

Thank you!

2 answers

Hi @Jim Cupples 

Depending on which ScriptRunner product you are using? I am assuming ScriptRunner for Jira? You can achieve what you are looking for using the Script Edit Permission:

https://scriptrunner.adaptavist.com/latest/jira/settings.html

When you don’t have edit permission, the Script Console tab is hidden and all other script editors are in readonly mode.

Please let me know if this helps resolve your requirements?

Kind regards,

Robert Giddings

Product Manager, Adaptavist

@Robert Giddings _Adaptavist_  I suspect he wants to allow admins to edit scripts in workflows etc, but restrict access to the console only. Using the permission mechanism, admins would lose the ability to edit all scripts.

Hi @Robert Giddings _Adaptavist_ We are looking into ScriptRunner for Jira and ScriptRunner for Bitbucket. For example, we want the ability to restrict access to certain pages or completely remove those pages in certain environments, like production, while allowing access to other pages. One example is to completely remove the script console page and all of its functionality as it brings in security vulnerabilities. Hiding the navigation does only that: it hides the navigation. It does not prevent a person from accessing the pages with hidden navigation.

However, the ability to migrate / install scripts we would want to allow.

Hi @Jim Cupples ,

Thank you for your reply.

As mentioned above, the standard approach to this in ScriptRunner for Jira is to use the Script Edit Permission functionality documented here:

https://scriptrunner.adaptavist.com/latest/jira/settings.html

This will hide the Script Console and disable editing of other script edit boxes such as on Workflows etc.

However for ScriptRunner for Bitbucket this functionality does not currently exist at this time.

Repository admins do have limitations in terms of the API they can access when they write scripts due to security concerns.

Also, ScriptRunner for Jira and ScriptRunner for Bitbucket both have audit logging, so you can track configuration changes.

ScriptRunner for Jira's audit logging is documented here: https://scriptrunner.adaptavist.com/latest/jira/audit-logging.html

ScriptRunner for Bitbucket's audit logging is documented here: https://scriptrunner.adaptavist.com/latest/bitbucket/audit-logging.html

I will also look at ways in which we can improve this area of the product.

I hope this helps a little in what you are trying to achieve?

Kind regards,

Robert Giddings,

Product Manager, ScriptRunner for Bitbucket

Hi @Jim Cupples ,

As a way of an update, please see the latest changes to what is now available regarding ScriptRunner Permissions in the docs here:

ScriptRunner for Jira: https://scriptrunner.adaptavist.com/latest/jira/settings.html

ScriptRunner for Confluence: https://scriptrunner.adaptavist.com/latest/confluence/settings.html

ScriptRunner for Bitbucket:

https://scriptrunner.adaptavist.com/latest/bitbucket/settings.html

In all ScriptRunner products, you can restrict Script Editing to just Sys Admins and a specified group of regular Admins. And can also disable the Switch User script.

In addition, in ScriptRunner for Confluence you can edit the Space Admin Permissions.

And in addition, in ScriptRunner for Bitbucket you can restrict Project and Repository scripts to only Global Admins.

Please let me know if you still have any additional permissions requirements beyond those already available in the product?

Kind regards,

Robert Giddings,

Product Manager, ScriptRunner for Bitbucket


@Robert Giddings _Adaptavist_ Thank you for this update. I would like to pass it along to my team and review it with them.

Jim Cupples

@Robert Giddings _Adaptavist_ it would be really nice if script edit permission could be granted to a group but only in the context of workflows so that:

1) Only System admin can edit global scripts 

2) Other users specified by groups (could be jira-admins or non-admin) can still edit workflow script 

@Robert Giddings _Adaptavist_ Is this limited configuration available in Cloud? I couldn't find it. We want to enable the built-in scripts for the Project managers.

Hi @Daniel Alonso ,

Currently ScriptRunner for Jira Cloud does not have this functionality.

However, the ScriptRunner for Jira Cloud team have a Nolt board, where new features can be requested.

You can find the Nolt board here: https://scriptrunner-for-jira-cloud.nolt.io/

Kind regards,

Robert Giddings

0 votes

You might be able to achieve this with some scripted fragments.

1) a custom web panel with a condition based on the current user's attribute to insert a meta tag that will indicate if the user has permission to the console or not

2) a custom javascript resource that includes some simple javascript to examine the meta tag created in #1 and hide the tab if warranted
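
The two steps suggested in this answer, sketched as an added example (not part of the original post and not ScriptRunner code). The meta tag name `sr-console-allowed` and the tab selector are hypothetical. As the question points out, hiding a tab does not restrict access to the page behind it, so this changes presentation only.

```javascript
// Added example. META_NAME and TAB_SELECTOR are hypothetical names,
// not ScriptRunner identifiers; adjust to what your fragment emits.
const META_NAME = 'sr-console-allowed';      // meta tag written by the web panel (step 1)
const TAB_SELECTOR = '[data-tab="console"]'; // assumed selector for the Console tab

// Fail closed: the tab stays visible only when the meta tag exists
// and its content is exactly "true".
function consoleAllowed(doc) {
  const meta = doc.querySelector(`meta[name="${META_NAME}"]`);
  return meta !== null && meta.getAttribute('content') === 'true';
}

// Hide every matching tab for users without the flag.
// Returns the number of tabs newly hidden, so repeated calls are cheap.
function applyConsoleVisibility(doc) {
  if (consoleAllowed(doc)) return 0;
  let hidden = 0;
  for (const tab of doc.querySelectorAll(TAB_SELECTOR)) {
    if (!tab.hidden) {
      tab.hidden = true;
      hidden += 1;
    }
  }
  return hidden;
}

// Browser wiring (step 2). The tabs are swapped in without a page load,
// so re-apply whenever nodes are added or removed.
if (typeof document !== 'undefined') {
  applyConsoleVisibility(document);
  new MutationObserver(() => applyConsoleVisibility(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```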
