Community
Products
Jira Software
Questions
Restrict reporting ability in JIRA

Restrict reporting ability in JIRA

Hi,

I have a question very similar to this one: https://answers.atlassian.com/questions/10496/remove-user-ability-to-report

Would it be possible to restrict the "report" button (on the project page) to a specific group / role? (As described for dashboards here:https://answers.atlassian.com/questions/29024/dashboard-managing-permissions-for-groups#56597)

My problem is that we have VERY strict laws governing data protection and data security in Germany. Manually filtering issues and creating a report based on the query requires more effort than just selecting a report in a dropdown box. Even though employees could always filter on issues management doesn't want them to have such an easy way to do so. I hope you understand what I mean.

For the same reason I needed to "hide" the option to create a new dashboard since the dashboard offers the same functionality (like pie chart gadgets).... It's all about preventing John Doe from analyzing the worklog, solution time etc. of Jane Doe.

Any ideas?

Thank you

Christian

2 answers

1 accepted

0 votes

Answer accepted

No problem.

By raw data, I mean the data that you're entering into the system and then reporting on (although, yes, this is of course stored in the database/file system).

I quite like your Jane Doe/John Doe example, so I'll re-use it - the "raw data" in that case is the work logging that Jane is adding to issues in her project. For example "I did 4 hours on XYZ-123 on the 19th June 2012". Let's say John has access to that project (read access at least) and there's no other security settings. He'll be able to look at the worklog on XYZ-123 to see what Jane has done on it. Additionally, if he runs certain reports in Jira (workload, or a timesheet plugin etc), he'll be given information about that work, even if it's been manipulated into a summary.

So, if you make it impossible for him to see the reports, that's fine, but there is still nothing stopping him seeing the fact that Jane logged "I did 4 hours on XYZ-123 on the 19th June 2012". It might slow down any dubious analysis, or finger pointing, but he can still see, and hence extract, and hence work with, the raw data that Jane has logged it.

The point is that all the lawyers told me that the reporting was irrelevant, it's the raw data that matters. That has to be hidden from John, so that there's no way that he can do any form of analysis. If the information is privileged, he should not have access to *anything* that could expose the data to him, especially the actual raw data.

Jira does do some of this at one level - if a user cannot see an issue because of permissions, then all the properly written reporting (especially the built in stuff) will completely ignore that issue when someone runs a report. It filters the privileged data out before it even starts any analysis or reporting.

This can lead to odd reports in places where issue-level security is used - simple example - a shared dashboard with exactly the same settings was reporting a project to my InfoSec team as having 30 open issues for them to look at. When I ran it, I got a report of 6. Because I wasn't in a group that could read the protected issues. (Ok, as an admin, I can add myself, and if I bring cake to database people, I know what to look for, but you automatically have to trust admins...)