Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal


  • Give kudos
  • Received
  • Given


  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Show linked issues without having permissions in other project

We are using a Jira project as an incident management tool and want to link issues from other projects (same server) to the issues in this incident management tool.

The users creating issues in the incident management project are not allowed to browse the other projects, as they are software development or test management projects with too much specific detail.

We expected the title and status of the other issues to show, but they don't. To the user of the incident management project, it looks like there's nothing linked at all.

Is there a way to show the title and status of the linked issues without granting access to the other projects?

2 answers

0 votes

That cannot be done.  If you cannot see the issue at the other end of a link, you should not be able to leak data about it just because there is a link into it from somewhere else.

If you want to see information about a linked issue, you have to let the person see it.

That's unfortunate. 

I would have expected the link to show and an error message when trying to open it ("you don't have permission to view this issue"). 

Is it not even possible to show the ID of the linked issue? When I send a link to a Jira issue via mail, the ID is shown in the URL, too. The ID doesn't seem to be a sensitive information... 

Like Malin likes this

Is there a request somewhere to vote on to get this behaviour changed? It is rather stupid to not show at least the issue id of ALL linked issues regardless of permissions. And I will note that this would not leak any information as you can actually see it in the "History" tab of the issue. It just is a pain to find there when it should be listed on the linked issues section.

Yes, and it's closed with the point that it is not secure.  Even the information that the linked issue exists can be a security leak.

Nic, that is already being leaked. Look in the "History" tab. What is and is not leaked should be configurable as a new permission level that shows a subset of data that "browse issue" gives. But that is for Atlassian to decide to implement or not. In the meantime, we hack around it. :) 

Alternatively, I believe allowing someone to "link to my issues" should give them access to see just the fields that issue links show (key, summary, status, priority). Really, linking should not rely an the "browse" permission. Overall, it is the conflating of these permissions that makes administering Jira messier than it ought to be.

For anyone that comes across this, the best I could find was this issue: JSDSERVER-3816

Like Jonas likes this
0 votes
Jonas I'm New Here Feb 17, 2021

The current implementation is a big bummer for our teams, we frequently get asked why a ticket seems not to be worked on because users cannot track the status of the blocking ticket which lies in another restricted project...

These two Requests are currently "gathering interest", but the request unfortunately was already denied by Atlassian devs in the past, so I'm not confident, this will be implemented anytime soon...

Suggest an answer

Log in or Sign up to answer

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you