Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Jira script runner - is being used to create jira user groups. Would want to restrict that.

Divya TV
Divya TV February 25, 2022

We have Jira 8.13.12 and Adaptivist script runner 6.36.0.

A user  has written a groovy scripts which creates Jira user groups and then edits it whenever necessary.

Problem: Creating a jira user group is a jira-administrator action. We do not want this user who is not part of 'jira-administrator' user group doing this.

How do I restrict this?

Also, he has an issue open since several years and he using this to run the script. Whenever there is a comment added to the issue, the scripts are triggers and they do a bunch of jira admin things mentioned in the xmls files. We want to restrict these scripts from performing any jira-admin tasks. 

Answer
Watch
Like Be the first to like this
287 views

1 answer

1 vote
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
February 25, 2022

You can't do this - the person you want to block must be an administrator, so anything you do to control it can be undone by them.  

There are two ways to run scripts - either by a trigger that runs it (post function, listener, email handler, using a scripted field, etc) or by running it in the console function in Scriptrunner.

Only admins can use the console function, and only administrators can configure the scripts that are run by triggers.

You've said the scripts are triggered by commenting on an issue.  So there's a swathe of ways you could stop this usage.  You could

  • Remove those triggers. 
  • Remove the permission for this person to comment on the issues in this project. 
  • Delete the issue.  
  • Remove/change the parts of the scripts that are doing unwanted things.

But, for this person to be writing scripts and adding them into Jira, they must have administrator access, so they can undo all of those things (not the delete, but they can easily set up a new issue for it)

So, take away their admin access before removing the triggers or changing the scripts.

View More Comments
Divya TV
Divya TV February 28, 2022

Thank you Nic.

I went through everyone in the jira-admin and jira-nonsystem admin user group and this person isn't there as an admin.  How can I check which user is this script using to make this call?

Is there a specific groovy function that is used by script runner to authenticate?

ComponentAccessor.getCommentManager().create(issue, ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser(), updateResult.toString(), false)

 

I assumed that : Script runner allows any regular user to access Jira-administrator functions though scripts. Which worried me, hope its not true.

Like
Divya TV
Divya TV February 28, 2022

The component accessor in turn provides https://docs.atlassian.com/software/jira/docs/api/7.6.1/com/atlassian/jira/component/ComponentAccessor.html#getGroupManager

Which can add users to jira user groups. Do you think they can add users to jira-administrator user group? 

Like
Reply

Suggest an answer

Log in or Sign up to answer
Product apps
Apps & Integrations
TAGS
AUG Leaders

Atlassian Community Events

    See all events