Possibilities to prevent users from seeing worklogs of other users using REST

Christoph Piotrowski _catworkx_
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 22, 2019

Hi all,

similar questions to this have been asked already, but I did not find a complete answer to this yet.

Especially in larger German companies it can be a requirement that Jira users are not able to list worklogs from other users. Background is that normal employees should not be able to create statistics related to work performance of their colleagues.

There are possibilities to limit worklog to certain users and groups, but I am still looking for a solution that points to permission on user+worklog level.

There are some add-ons available to hide worklog information somehow, but to make this question even more tricky: is there a way to avoid that a user requests worklog information via REST?

Creative proposals are very welcome :-)

Christoph

4 answers

1 vote
Earl McCutcheon
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 24, 2019

Hi Christoph,

Currently you can only disable the ability to view and log work entirely by removing the project permissions; there is not an option to restrict the viewability to different levels. So any add-on used to block the information on the front end would be able to be bypassed on the REST calls native fields functionality.

We are tracking interest on this at the following feature request, make sure to add your vote to help out in prioritization efforts:

I do know that Tempo Timesheets has more granular work logging specific to user time tracking and it uses its own custom fields to do this so it would in theory bypass the native work log fields, and this add-on does have a "Permissions to view worklogs" feature, but I am unaware if this would block the REST calls and meet your requirements 100%, so I would recommend checking this tool out on a trial to give it a test.

Also you noted running into some local legal requirements in Germany that are blocking you here, and if you have time to do so can you please send me some details on the specific requirement restrictions you are running into for your use case as this would be helpful information, and we could look into updating the existing request or creating a secondary feature request with the info as a blocker for some additional review to bump up the priority.

Regards,
Earl

Christoph Piotrowski _catworkx_
Marketplace Partner
May 26, 2019

Hi @Earl McCutcheon, thanks for your quick reply.

The requirement comes from one of our customers, but I strongly assume similar requirements could exist for other companies:

Larger companies in Germany have works councils that are in place to negotiate between employees and management for specific topics. They also make sure that all work constraints are in line with German law.

https://en.wikipedia.org/wiki/Works_council#Germany

Especially when a company installs methods or tools to measure work time or work performance of employees, works councils must be involved.

One of our customers is using Jira+Tempo for time tracking, but a custom add-on blocks the display of worklog information in the issue view. Works council also requested to block the possibility to read out worklog information via REST.

I think Tempo can be checked additionally as the standard REST API needs to be checked alone.

So my requirement would be to make worklogs visible to specific users or groups - in issue view and when requesting data via REST.

Christoph

Earl McCutcheon
Atlassian Team
May 29, 2019

Hi Christopher,

Thank you for the additional details and I am reading through various topics on the subject for the sources of the wiki page you linked and I am trying to make sure that I understand the requirements fully and how it is directly impacting the feature as a blocker to make sure we have accurate feedback for a full review, as the topic is a bit complicated.

First off I am primarily referencing http://www.dutchcivillaw.com/workscouncilactneth.htm as what appears to be the best source in an English version of the Works Council Act.

From my understanding with a focus on Chapter IV Article 25, and to extremely simplify the subject, the Works Council itself is the base legal requirement with the purpose that the council must be consulted about specific matters with a heavy focus on matters that involve employee time or adjustments to time or workload, and privacy. Then similar in the way a Union operates, the decisions they make are proposals to management enforced as local policy per organization upon an agreed upon definition of the terms by both the Council Members and the Organization as a legal contract.

Please correct me if I am misunderstanding this but how the Works Council Act is directly applied to the Feature request for varying levels of permissions of visibility into the work log is not a full legal requirement for Germany, but rather an imposed policy that must be adhered to based on the advice of the council once agreed upon but does have room for negotiations on the acceptable nature of the visibility depending on the needs of the organization.

Regards,
Earl

Martin Hilbig _GC Gruppe_ June 17, 2024

We are facing these requirements from Governance/Compliance as well right now. Is there any update on this?

The ticket linked by @Earl McCutcheon refers to estimates specifically, we need to block visibility of logged work though, not estimates, or we will not be able to use time tracking within Jira, which is a significant limitation.

0 votes
Nadine Schuett
Contributor
March 1, 2024

Hello @Christoph Piotrowski _catworkx_

Working for a German company as well, I was wondering whether you found a solution for your customer that you can possibly share here? 

It has been 5 years and as far as I can see, there is no solution for this behaviour in the Tempo app.

0 votes
Christoph Piotrowski _catworkx_
Marketplace Partner
June 2, 2019

Hi @Earl McCutcheon,

I am trying to get a direct contact from the works council of our customer. This contact could make sure that my answers are correct and provide some more background information regarding their feature request. I will keep you updated.

0 votes
Christoph Piotrowski _catworkx_
Marketplace Partner
June 2, 2019

Hi @Earl McCutcheon,

the link you added is pointing to a site explaining the Dutch works council. I do not know details about that one. It might be very similar to the German works council. So when I talk about "works council" I am referring to Germany.

The German law pointing to works council is the "Betriebsverfassungsgesetz" (Works Constitution Act)

http://www.gesetze-im-internet.de/englisch_betrvg/

Duties of German works councils are explained in §80 sec.1:

http://www.gesetze-im-internet.de/englisch_betrvg/englisch_betrvg.html#p0452

This page describes the duties of German works councils in a more readable way:

https://www.howtogermany.com/pages/german-workplace-organizations.html

I am not a lawyer, but the description of your understanding seems right to me (besides the reference to Dutch law).

Regards

Christoph

Earl McCutcheon
Atlassian Team
June 3, 2019

Hi Christoph,

Thanks for the links to the alternate articles, I was having difficulties finding the Germany-specific information for how it applies to your case.

And this is great info, I have added the details to the internal notes of the Feature Request for additional review.

Overall I believe these do line up with the initial assessment but, per your follow-up comment, if you could get a direct contact from the works council of your customer to take a look and drop a verification and comment directly on the feature request noting the specifics of how this is blocking your organization, that would also be extremely beneficial.

Regards,
Earl

Christoph Piotrowski _catworkx_
Marketplace Partner
June 4, 2019

I got some more feedback from the works council and want to summarize it as follows:

If Jira worklogs are available for users these could be used for "profiling". "Profiling" is mentioned especially in GDPR. It is the automated processing of personal data which can be used to judge people (e.g. their performance).

"Profiling" is not forbidden generally in GDPR, but people must have the chance to agree or disagree about their data being used for profiling.

So, GDPR might be a main reason when works council and management agree together to use a tool like Jira and at the same time want to block profiling possibilities.

Again: I am not a lawyer and I just rephrase my understanding. :-)

See also this information about profiling: https://www.mailjet.com/gdpr/profiling/

We are now asking the GDPR responsible of my customer for a statement. I will update it here as soon as I get it.
