Hi all,
similar questions to this had been asked already, but I did find a complete answer to this yet.
Especially in larger german companies it can be a requirement that Jira users are not able to list worklogs from other users. Background is that normal employees should not be able to create statistics related to work performance of their colleagues.
There are possibilities to limit worklog to certain users and groups, but I am still looking for a solution that points to permission on user+worklog level.
There some addons available to hide worklog information somehow, but to make this question even more tricky: is there a way to avoid that a user requests worklog information via REST?
Creative proposals are very welcome :-)
Christoph
Hi Christoph,
Currently you can only disable the ability to view and log work entirely by removing the project permissions, there is not an option to restrict the View-ability to different levels. So any add-on used to block the information on the front end would be able to be bypassed on the rest calls native fields functionality.
We are tracking interest on this at the following feature request, make sure to add your vote to help out in prioritization efforts :
I Do know that Tempo timesheets has more granulized work logging specific to user time tracking and it uses its own custom fields to do this so it would in theory bypass the native work log fields, and this add-on does have a "Permissions to view worklogs" feature, but I am unaware if this would block the rest calls and meet your requirements 100%, so I would recommend checking this tool out on a trial to give it a test.
Also you noted running into some local legal requirements in Germany that are blocking you here, and if you have time to do so can you please send me some details on the specific requirement restrictions you are running into for your use case as this would be helpful information, and we could look into updating the existing request or creating a secondary feature request with the info as a blocker for some additional review to bump up the priority.
Regards,
Earl
Hi @Earl McCutcheon , thanks for your quick reply.
The requirement comes from one of our customers, but I strongly assume similar requirements could exist for other companies:
Larger companies in Germany have works councils that are in place to negotiate between employees and management for specific topics. They also make sure that all work constraints are in line with German law.
https://en.wikipedia.org/wiki/Works_council#Germany
Especially when a company installs methods or tools to measure work time or work performance of employees, works councils must be involved.
One of our customer is using Jira+Tempo for time tracking, but a custom add on blocks the display of worklog information in the issue view. Works council also requested to block the possibility to read out worklog information via REST.
I think Tempo can be checked additionally as the standard REST API needs to be checked alone.
So my requirement would be to make worklogs visible to specific users or groups - in issue view and when requesting data via rest.
Christoph
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Christopher,
Thank you for the additional details and I am reading through various topics on the subject for the sources of the wiki page you linked and I am trying to make sure that I understand the requirements fully and how it is directly impacting the feature as a blocker to make sure we have accurate feedback for a full review, as the topic is a bit complicated.
First off I am primarily referencing http://www.dutchcivillaw.com/workscouncilactneth.htm as what appears to be the best source in an english version of the Works Council Act.
From my understanding with a focus on Chapter IV Article 25, and to extremely simplify the subject the Works Council itself is the base legal requirement with the purpose that the council must be consulted about specific matters with a heavy focus on matters that involve employee time or adjustments to time or workload, and privacy. Then similar in the way a Union operates the decisions they make are proposals to management enforced as local policy per organization upon an agreed upon definition of the terms by both the Council Members and the Organization as a legal contract.
Please correct me if I am misunderstanding this but how the Works Council Act is directly applied to the Feature request for varying levels of permissions of visibility into the work log is not a full legal requirement for Germany, but rather an imposed policy that must be adhered to based on the advice of the council once agreed upon but does have room for negations on the acceptable nature of the visibility depending on the needs of the organization.
Regards,
Earl
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
we are facing these requirements from Governance/Compliance as well right now. is there any update on this?
the ticket linked by @Earl McCutcheon refers to estimates specifically, we need to block visibility of logged work though, not estimates, or we will not be able to use time tracking within Jira, which is a significant limitation.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello @Christoph Piotrowski _catworkx_
Working for a German company as well, I was wondering whether you found a solution for your customer that you can possibly share here?
It has been 5 years and as far as I can see, there is not solution for this behaviour in the tempo app.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
HI @Earl McCutcheon ,
I try to get a direct contact from the works council of our customer. This contact could make sure that my answers are correct and provide some more background information regarding their feature requrest. I keep you updated.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Earl McCutcheon ,
the link you added is pointing to a site explaining the dutch works council. I do not know details about that one. It might be very similar to the German works council. So when I talk about "works council" I am referring to Germany.
The German law pointing to works council is the "Betriebsverfassungsgesetzt" (Works Constitution Act)
http://www.gesetze-im-internet.de/englisch_betrvg/
Duties of German works councils are explined in §80 sec.1:
http://www.gesetze-im-internet.de/englisch_betrvg/englisch_betrvg.html#p0452
This page describes more readable the duties of German works councils:
https://www.howtogermany.com/pages/german-workplace-organizations.html
I am not a lawyer, but the description of your understanding seems right to me (besides the reference to durch law).
Regards
Christoph
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Christoph,
Thanks for the links to the alternate articles, I was having difficulties finding the Germany Specific information for how it applies to your case.
And this is great info, I have added the details to the internal notes of the Feature Request for additional review.
Overall I believe these do line up with the initial assessment but, per your follow up comment if you could get a direct contact from the works council of your customer to take a look and drop a verification and comment directly on the feature request noting the specifics of how this is blocking your organization, that would also be extremely beneficial.
Regards,
Earl
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
I got some more feedback from the works council and want to summarize it like follows:
If Jira worklogs are available for users these could be used for "profiling". "Profiling" is mentioned especially in GDPR. It is the automized processing of personal data which can be used to judge people (e.g. their performance).
"Profiling" is not forbidden generally in GDPR, but people must have the chance to agree or disagree about their data being used for profiling.
So, GDPR might be a main reason when works council and management agree together to use a tool like Jira and at the same time want block profiling possibilities.
Again: I am not a lawyer and I just rephrase my understanding. :-)
See also this information about profiling: https://www.mailjet.com/gdpr/profiling/
We are now asking the GDPR responsible of my customer for a statement. I will update it here as soon as I get it.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.