Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Deleted user
0 / 0 points
Next:
badges earned

Your Points Tracker
Challenges
Leaderboard
  • Global
  • Feed

Badge for your thoughts?

You're enrolled in our new beta rewards program. Join our group to get the inside scoop and share your feedback.

Join group
Recognition
Give the gift of kudos
You have 0 kudos available to give
Who do you want to recognize?
Why do you want to recognize them?
Kudos
Great job appreciating your peers!
Check back soon to give more kudos.

Past Kudos Given
No kudos given
You haven't given any kudos yet. Share the love above and you'll see it here.

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Permissions for "Set Issue Security"

Hello all,

I am currently preparing for the ACP-600 and stumbled upon the following issue.

On one page it says:

Set Issue Security is needed if an Issue Security Scheme has been applied to the project. The user also needs Browse Projects permission and Edit Issues.

On another page it says:

Users need the ‘Set Issue Security’ permission in the project's permission scheme to set the Security Level on an issue.  And, of course, they also need access to the project with the Browse Projects permission and have the permission to create issues.

Now my question is: Am I thinking too narrowly and it simply relates to different Issue Operations or is it a something else?

Thank you very much for your help!

Cheers!

 

3 answers

2 votes

Yes, the operations being mentioned there are technically separate and the code in Jira checks permissions for each separately, but there is some entwining.

There was a time where you could do things to a Jira issue without actually being able to see it.  Imagine that you grant me the permission to edit issues in a project, but not "browse".  If I know an issue key, I could actually use REST or a carefully constructed URL to tell Jira to edit fields on it, without seeing what is there.  Obviously, this was an obscure and clunky flaw to exploit and I never found anyone doing it (deliberately).

But that loophole has been closed now.  You can't do anything to an issue unless you can see it, meaning "browse projects".  The edit permission does what it says - you need that to make changes to an issue, including setting its security level.

I don't think the two paragraphs you've posted from the docs are quite accurate (but there may be context set in the original docs that is not coming across here)

You do not need "set issue security" if a security scheme is in place.  Except for the action of setting a security level on the issue.  People working with an issue who do not have "set issue security" simply won't be offered the "level" field for edit.

The second paragraph mentions create issue, again, I think the wider doc was only talking about creating issues.  The same point as above applies - if you want someone to be able to set security while creating a new issue, they will need the "set security level", as well as "create issue" in that project.

Hi @Florian Minterbauer it is hard to say without more context, but both paragraphs say the same (in my opinion).

You need to have the Set Issue Security permission set for users who wants to work with Security level field

  • edit Security level
  • create issue on which the Security level is mandatory and is not set by default

Hi guys,

Thanks for answering

Just to be sure:


Scenario 1:
If I create an issue and want to set a priority, then I need to be in the appropriate group and have the "Create Issue Permission + Set Issue Security Permission"?


Scenario 2:
If someone created an issue and I want to set or change the priority I have to be in the appropriate group and have the "Edit Issue Permission + Set Issue Security Permission"?


Scenario 3:
To work on an issue that has a security on it I only need to be in the appropriate group and not have the "Set Issue Security Permission" - correct?

 

Thank you very much!

1. No

The issue creator can set a priority.

As I said before, the set-security only affects the security level

2. No, as per 1.

3. If an issue has a security level, only some people can see it.  Those who can see it can do whatever the rest of ythe permision sheme says they can.

Thank you for your reply. My bad...It was already quite late in germany at that time. sorry again

I should have read through it again.
Priority should be "issue security level"


Scenario 1:
If I create an issue and want to set a security level (if the level is not set by default , then I need to be in the appropriate group/groups and have the "Create Issue Permission + Set Issue Security Permission"?


Scenario 2:
If someone created an issue and I want to set or change the security level I have to be in the appropriate group and have the "Edit Issue Permission + Set Issue Security Permission"?

Yes, those are correct, but I wanted to point out that security levels are not based entirely on groups - you can use roles, individuals and fields in them as well if you want.

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you