We have Jira 8.13.12 and Adaptavist ScriptRunner 6.36.0.
A user has written Groovy scripts which create Jira user groups and then edit them whenever necessary.
Problem: Creating a Jira user group is a jira-administrator action. We do not want this user, who is not part of the 'jira-administrator' user group, doing this.
How do I restrict this?
Also, he has had an issue open for several years and he is using this to run the script. Whenever a comment is added to the issue, the scripts are triggered and they do a bunch of Jira admin things mentioned in the XML files. We want to restrict these scripts from performing any jira-admin tasks.
You can't do this - the person you want to block must be an administrator, so anything you do to control it can be undone by them.
There are two ways to run scripts - either by a trigger that runs it (post function, listener, email handler, using a scripted field, etc.) or by running it in the console function in ScriptRunner.
Only admins can use the console function, and only administrators can configure the scripts that are run by triggers.
You've said the scripts are triggered by commenting on an issue. So there's a swathe of ways you could stop this usage. You could
But, for this person to be writing scripts and adding them into Jira, they must have administrator access, so they can undo all of those things (not the delete, but they can easily set up a new issue for it).
So, take away their admin access before removing the triggers or changing the scripts.
Thank you Nic.
I went through everyone in the jira-admin and jira-nonsystem admin user group and this person isn't there as an admin. How can I check which user this script is using to make this call?
Is there a specific Groovy function that is used by ScriptRunner to authenticate?
ComponentAccessor.getCommentManager().create(issue, ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser(), updateResult.toString(), false)
I assumed that ScriptRunner allows any regular user to access Jira-administrator functions through scripts, which worried me; I hope it's not true.
The component accessor in turn provides https://docs.atlassian.com/software/jira/docs/api/7.6.1/com/atlassian/jira/component/ComponentAccessor.html#getGroupManager
which can add users to Jira user groups. Do you think they can add users to the jira-administrator user group?
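An added example, not part of any reply in this thread and not Adaptavist's own code: a guard for the top of a ScriptRunner script that logs which user the script is acting as and stops before any group change unless that user holds the Jira Administrators global permission. It assumes the script runs inside ScriptRunner for Jira (so the Jira Java API is available) and that, for a comment-triggered script, the logged-in user is the person who added the comment; the logger name is hypothetical.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.GlobalPermissionKey
import org.apache.log4j.Logger

// Hypothetical logger name; output goes to the Jira application log.
def log = Logger.getLogger("com.example.groupscript.guard")

def groupManager = ComponentAccessor.groupManager
def globalPermissions = ComponentAccessor.globalPermissionManager

// The same call the script quoted in the thread uses to pick the comment author.
def user = ComponentAccessor.jiraAuthenticationContext.loggedInUser

if (user == null) {
    // No authenticated user in this context: do not perform admin actions.
    log.warn("Group script ran with no logged-in user; skipping group changes")
    return
}

// Record the identity and group membership the script is running with.
def groupNames = groupManager.getGroupNamesForUser(user)
boolean isJiraAdmin = globalPermissions.hasPermission(GlobalPermissionKey.ADMINISTER, user)
log.info("Group script triggered by '${user.name}' (key=${user.key}), " +
         "groups=${groupNames}, jiraAdmin=${isJiraAdmin}")

// Manager-level API calls such as GroupManager.createGroup(...) do not check
// the caller's permissions themselves, so the script has to enforce the check.
if (!isJiraAdmin) {
    log.warn("User '${user.name}' lacks the Jira Administrators permission; " +
             "refusing to create or edit groups")
    return
}

// Only reached for Jira administrators: the existing group create/edit
// logic of the script would follow here.
```

Searching the Jira application log for the logger name then shows every user who has triggered the script and whether the group changes were allowed.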