Jira security/error/permissions logs

I am trying to figure out why A user is getting

"It seems that you have tried to perform an operation which you are not permitted to perform."

However to me it looks like the user should have enough permissions to do this custom transition. Does JIRA put anymore information anywhere on which permission or which action the user couldn't do?

I guess i'm looking for some kinda Audit log.

using JIRA 5.1.2

2 answers

1 accepted

0 votes
Accepted answer

Found out that the action was being executed. It's just that at the screen that JIRA is supposed to open next the user has no access to.

0 votes

You shouldn't need an audit log.

If a user can't do something, then you should be able to work it out from their login, and what they were trying to do.

What were they were trying to do? The url they hit is almost certainly the single most useful thing you can get from them, because it's quite rare to see this on a link that is offered to them, it's usually when they've followed a link to something they don't have the rights to do.

Jira deliberately (and sensibly) won't offer links to things people can't do...

Hello, As I've said in my question, To me they should be able to do what they're trying to do. So I have checked their logins and I have checked the conditions I have placed on the transitions and the permissions schemes.

It is because I could not figure it out based on these that I asked if there is any log stored anywhere, which to me seems like a sensible question.

JIRA is offering me the button to click on, so obviously it thinks the user should have permissions to do s.

The problem with the idea of a log is that there is nothing to log - they don't have the permission to do what they clicked on, so there's no action taken, and all you'll get in any log is "they landed on the no permission scheme". If you've got Apache or something in front of Jira, then you might be able to tell what screen they were on before, but that's about it. The next level of logging would be to record every single click and potential action which is complete overkill, and you'd have millions of lines of log every day.

Could you go over the permissions in detail here maybe? Are you sure they are using the user account you think they are (get them to go to their profile and check the login, not just the display name or email address). How *exactly* are they getting to the screen? You haven't said here whether they are clicking on something in Jira (which they should NOT be able to do because it generally hides actions they don't have permissions for), or hitting a URL directly (which could be a problem as they're trying to bypass a permission, or they're not giving the information it needs from the previous screen).

Just because it offers you the button to click on, does not mean it will offer it to them. Unless your account is identical to theirs (including not having admin rights) and you don't use single users in permission schemes. There's more than one place permissions are controlled, and you may also have plugins that affect it.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,702 views 17 21
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you