Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Disabling / Restricting Access to Script Runner Console

Jim Cupples
Jim Cupples March 11, 2020

The Scriptrunner plug-ins have the ability to hide some of their own functionality.  I.E. if you disable the modules "Display %" modules like "Display Script Console Web Item" and "Display Fragments" the hyperlinks to these pages are hidden.  However, this does not actually hide those pages.   If you navigate to another page, like "Built In Scripts", you can see the tabs / pages displayed in the frame for the web items that have been "hidden".   

Has anyone been able to either:

  1. Remove these pages / tabs altogether?
  2. Been able to restrict access to these tabs / pages to only certain individuals / groups:   I.E. a  SUBSET of the people allowed to access scriptrunner?


FYI - We have not been able to create a URL rewrite rule in Tomcat that works sufficiently, because when you start on another tab, like "Built In Scripts" and then select "Console" you are not actually navigating to that console page.

Thank you!

Answer
Watch
Like Be the first to like this
1373 views

2 answers

0 votes
Robert Giddings [Adaptavist]
Robert Giddings [Adaptavist]
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 13, 2020

Hi @Jim Cupples 

Depending on which ScriptRunner product you are using? I am assuming ScriptRunner for Jira? You can achieve what you are looking for using the Script Edit Permission:

https://scriptrunner.adaptavist.com/latest/jira/settings.html

When you don’t have edit permission, the Script Console tab is hidden and all other script editors are in readonly mode.

Please let me know if this helps resolve your requirements?

Kind regards,

Robert Giddings

Product Manager, Adaptavist

View More Comments
Peter-Dave Sheehan
Peter-Dave Sheehan
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 13, 2020

@Robert Giddings [Adaptavist]  I suspect he wants to allow admins to edit scripts in workflows etc, but restrict access to the console only. Using the permission mechanism, admins would lose the ability to edit all scripts.

Like
Jim Cupples
Jim Cupples March 16, 2020

Hi @Robert Giddings [Adaptavist] We are looking into ScriptRunner for Jira and ScriptRunner for BitBucket.  For example, we want the ability to restrict access to certain pages or completely remove those pages in certain environments, like production, while allowing access to other pages.   One example is to completely remove the script console page and all of its functionality as it brings in security vulnerabilities. Hiding the Navigation does only that, hides the navigation.  It does not prevent a person from accessing the pages with hidden navigation.   

However, the ability to migrate / install scripts we would want to allow.

Like
Robert Giddings [Adaptavist]
Robert Giddings [Adaptavist]
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 17, 2020

Hi @Jim Cupples ,

Thank you for your reply.

As mentioned above, the standard approach to this in ScriptRunner for Jira is to use the Script Edit Permission functionality documented here:

https://scriptrunner.adaptavist.com/latest/jira/settings.html

This will hide the Script Console and disable editing of other script edit boxes such as on Workflows etc.

However for ScriptRunner for Bitbucket this functionality does not currently exist at this time.

Repository admins do have limitations in terms of the API they can access when they write scripts due to security concerns.

Also, both ScriptRunner for Jira and ScriptRunner for Bitbucket both have audit logging, so you can track configuration changes.

ScriptRunner for Jira's audit logging is documented here: https://scriptrunner.adaptavist.com/latest/jira/audit-logging.html

ScriptRunner for Bitbucket's audit logging is documented here: https://scriptrunner.adaptavist.com/latest/bitbucket/audit-logging.html

I will also look at ways in which we can improve this area of the product.

I hope this helps a little in what you are trying to achieve?

Kind regards,

Robert Giddings,

Product Manager, ScriptRunner for Bitbucket

Like
Robert Giddings [Adaptavist]
Robert Giddings [Adaptavist]
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 20, 2020

Hi @Jim Cupples ,

As a way of an update, please see the latest changes to what is now available regarding ScriptRunner Permissions in the docs here:

ScriptRunner for Jira: https://scriptrunner.adaptavist.com/latest/jira/settings.html

ScriptRunner for Confluence: https://scriptrunner.adaptavist.com/latest/confluence/settings.html

ScriptRunner for Bitbucket:

https://scriptrunner.adaptavist.com/latest/bitbucket/settings.html

In all ScriptRunner products, you can restrict Script Editing to just Sys Admins and a specified group of regular Admins. And can also disable the Switch User script.

In addition, in ScriptRunner for Confluence you can edit the Space Admin Permissions.

And in addition, in ScriptRunner for Bitbucket you can restrict Project and Repository scripts to only Global Admins.

Please let me know if you still have any additional permissions requirements beyond those already available in the product?

Kind regards,

Robert Giddings,

Product Manager, ScriptRunner for Bitbucket

Like Erik Axelson likes this
Jim Cupples
Jim Cupples October 20, 2020

@Robert Giddings [Adaptavist]Thank you for this update.  I would like to pass it along to my team and review it with them.

Jim Cupples

Like
Peter-Dave Sheehan
Peter-Dave Sheehan
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
October 20, 2020

@Robert Giddings [Adaptavist] it would be really nice if script edit permission could be granted to a group but only in the context of workflows so that:

1) Only System admin can edit global scripts 

2) Other users specified by groups (could be jira-admins or non-admin) can still edit workflow script 

Like
Daniel Alonso
Daniel Alonso August 3, 2022

@Robert Giddings [Adaptavist]Is this limited configuration available in Cloud? I couldn't find it. We want to enable the build-in scripts for the Project managers.

Like
Robert Giddings [Adaptavist]
Robert Giddings [Adaptavist]
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
September 23, 2022

Hi @Daniel Alonso ,

Currently ScriptRunner for Jira Cloud does not have this functionality.

However, the ScriptRunner for Jira Cloud team have a Nolt board, where new features can be requested.

You can find the Nolt board here: https://scriptrunner-for-jira-cloud.nolt.io/

Kind regards,

Robert Giddings

Like Jim Cupples likes this
Reply
0 votes
Peter-Dave Sheehan
Peter-Dave Sheehan
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
March 12, 2020

You might be able to achieve this with some scripted fragments.

1) a custom web panel wit a condition based on the current user's attribute to insert a meta tag that will indicate if the user has permission to the console or not

2) a custom javascript resource that includes some simple javascript to examine the meta tag created in #1 and hide the tab if warranted

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events