Jira script runner - is being used to create jira user groups. Would want to restrict that.

We have Jira 8.13.12 and Adaptivist script runner 6.36.0.

A user has written Groovy scripts which create Jira user groups and then edit them whenever necessary.

Problem: Creating a Jira user group is a jira-administrator action. We do not want this user, who is not part of the 'jira-administrator' user group, doing this.

How do I restrict this?

Also, he has had an issue open for several years and he is using this to run the script. Whenever a comment is added to the issue, the scripts are triggered and they do a bunch of Jira admin things mentioned in the XML files. We want to restrict these scripts from performing any jira-admin tasks.

1 answer

1 vote

You can't do this - the person you want to block must be an administrator, so anything you do to control it can be undone by them.  

There are two ways to run scripts - either by a trigger that runs it (post function, listener, email handler, using a scripted field, etc) or by running it in the console function in Scriptrunner.

Only admins can use the console function, and only administrators can configure the scripts that are run by triggers.

You've said the scripts are triggered by commenting on an issue.  So there's a swathe of ways you could stop this usage.  You could

  • Remove those triggers. 
  • Remove the permission for this person to comment on the issues in this project. 
  • Delete the issue.  
  • Remove/change the parts of the scripts that are doing unwanted things.

But, for this person to be writing scripts and adding them into Jira, they must have administrator access, so they can undo all of those things (not the delete, but they can easily set up a new issue for it).

So, take away their admin access before removing the triggers or changing the scripts.

Thank you Nic.

I went through everyone in the jira-admin and jira-nonsystem admin user groups and this person isn't there as an admin. How can I check which user this script is using to make this call?

Is there a specific groovy function that is used by script runner to authenticate?

ComponentAccessor.getCommentManager().create(issue, ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser(), updateResult.toString(), false)

 

I assumed that: Script runner allows any regular user to access Jira-administrator functions through scripts. Which worried me, hope it's not true.

The component accessor in turn provides https://docs.atlassian.com/software/jira/docs/api/7.6.1/com/atlassian/jira/component/ComponentAccessor.html#getGroupManager

Which can add users to jira user groups. Do you think they can add users to jira-administrator user group? 
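An added example, not posted by anyone in this thread and not Adaptavist's code, for the questions above about which user a script acts as and who actually holds admin rights: a read-only Groovy snippet for the ScriptRunner Script Console that reports the current user and lists every group granted Jira's ADMINISTER or SYSTEM_ADMIN global permission, with its members. The username `script.author` is a placeholder for the account under review.

```groovy
// Added audit example: read-only, changes nothing in Jira.
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.GlobalPermissionKey

def authContext       = ComponentAccessor.jiraAuthenticationContext
def groupManager      = ComponentAccessor.groupManager
def userManager       = ComponentAccessor.userManager
def globalPermissions = ComponentAccessor.globalPermissionManager

def adminPermissions = [GlobalPermissionKey.ADMINISTER, GlobalPermissionKey.SYSTEM_ADMIN]
def report = new StringBuilder()

// 1. The user this script is executing as (the same call the posted script
//    passes to CommentManager.create).
def current = authContext.loggedInUser
report << "Running as: ${current ? current.name : 'anonymous'}\n"

// 2. Admin rights come from global permissions, not from group names, so
//    list every group that holds them instead of checking known groups only.
adminPermissions.each { perm ->
    report << "\nGroups granted ${perm.key}:\n"
    globalPermissions.getGroupNamesWithPermission(perm).each { groupName ->
        def members = groupManager.getUserNamesInGroup(groupName).toList().sort()
        report << "  ${groupName}: ${members.join(', ')}\n"
    }
}

// 3. Check one account directly. 'script.author' is a placeholder username.
def suspectName = 'script.author'
def suspect = userManager.getUserByName(suspectName)
if (suspect) {
    report << "\nGroups of ${suspectName}: "
    report << groupManager.getGroupNamesForUser(suspect).toList().sort().join(', ')
    adminPermissions.each { perm ->
        def held = globalPermissions.hasPermission(perm, suspect)
        report << "\n  has ${perm.key}: ${held}"
    }
} else {
    report << "\nNo user named ${suspectName} found"
}

// The console displays the value of the last expression.
report.toString()
```

The first two lines of step 1 can also be written to the log from inside the triggered script (`log.warn(...)`) to record which account it runs as when a comment fires it.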
