Show linked issues without having permissions in other project

Susanne Grein
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 28, 2018

We are using a Jira project as an incident management tool and want to link issues from other projects (same server) to the issues in this incident management tool.

The users creating issues in the incident management project are not allowed to browse the other projects, as they are software development or test management projects with too much specific detail.

We expected the title and status of the other issues to show, but they don't. To the user of the incident management project, it looks like there's nothing linked at all.

Is there a way to show the title and status of the linked issues without granting access to the other projects?

2 answers

0 votes
Jonas
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 17, 2021

The current implementation is a big bummer for our teams, we frequently get asked why a ticket seems not to be worked on because users cannot track the status of the blocking ticket which lies in another restricted project...

These two Requests are currently "gathering interest", but the request unfortunately was already denied by Atlassian devs in the past, so I'm not confident, this will be implemented anytime soon...

https://jira.atlassian.com/browse/JRASERVER-60636
https://jira.atlassian.com/browse/JRACLOUD-60636

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
February 28, 2018

That cannot be done.  If you cannot see the issue at the other end of a link, you should not be able to leak data about it just because there is a link into it from somewhere else.

If you want to see information about a linked issue, you have to let the person see it.

Susanne Grein
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 28, 2018

That's unfortunate. 

I would have expected the link to show and an error message when trying to open it ("you don't have permission to view this issue"). 

Is it not even possible to show the ID of the linked issue? When I send a link to a Jira issue via mail, the ID is shown in the URL, too. The ID doesn't seem to be a sensitive information... 

Like # people like this
Raymond Rabu July 7, 2020

Is there a request somewhere to vote on to get this behaviour changed? It is rather stupid to not show at least the issue id of ALL linked issues regardless of permissions. And I will note that this would not leak any information as you can actually see it in the "History" tab of the issue. It just is a pain to find there when it should be listed on the linked issues section.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 8, 2020

Yes, and it's closed with the point that it is not secure.  Even the information that the linked issue exists can be a security leak.

Raymond Rabu July 8, 2020

Nic, that is already being leaked. Look in the "History" tab. What is and is not leaked should be configurable as a new permission level that shows a subset of data that "browse issue" gives. But that is for Atlassian to decide to implement or not. In the meantime, we hack around it. :) 

Alternatively, I believe allowing someone to "link to my issues" should give them access to see just the fields that issue links show (key, summary, status, priority). Really, linking should not rely an the "browse" permission. Overall, it is the conflating of these permissions that makes administering Jira messier than it ought to be.

For anyone that comes across this, the best I could find was this issue: JSDSERVER-3816

Like # people like this
Bin Liang
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
May 16, 2024

There is no data leaking with a new permission level that allows individuals to see the linked issues with those fields already there: key, summary, priority, assignee, and status.

Or even project setting to allow for all issues in the project to see by any individuals via linked issue section.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
May 16, 2024

I am sorry, but that is utterly wrong.

There is data leakage if you can see bits of an issue that you should not be able to see.  

If I cannot see ABC-123, but I can read its summary, assignee and status if I look at an issue that is linked to it, then the summary, assignee and status have been leaked to me.

There absolutely is leakage of data.

If you want to do this, you really should just admit that the user should be given access to see the issue at the other end of the link.  Not create security loopholes.

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events