My organisation is very interested in a number of APPs, one is called Bigpicture. I have not been able to find a security overview as to how APPS function within JIRA and what the APP vendor can see within my JIRA cloud instance.
For example, in our JIRA cloud test environment, I sign up to Bigpicture within JIRA via the APP menu option. What screen determines what Bigpicture vendor can see of my existing JIRA projects? I can not find a JIRA screen for configuring this, its a Bigpicture configuration screen. I want Bigpicture to view project A but not project B. The only screen I can see for allowing Bigpicture to view project A but not B is a Bigpicture configuration screen, so does that mean Bigpicture can see all projects A+ B by default ?
It would feel safer if Atlassian managed the security access via an atlassian configuration screen rather than a Bigpicture plugin screen, or am I missing something.
BigPicture uses the Atlassian Connect App interface to communicate with Jira Cloud. Connect apps use JWT (JSON Web Tokens) for authentication. At installation time, the Connect app and BigPicture exchange a security context containing a shared secret used to create and validate JWT tokens for use in API calls. BigPicture operates on metadata, e.g. id’s
Currently, the BigPicture plugin has access to all projects available for a given user.
Thanks for your response. Confirming their is known method of adjusting JIRA permission scheme to stop Bigpicture from accessing Beyond blue's Project B for example while allowing access to all other projects.
Also can you help with other questions I have about?
What are Bigpicture backup frequency of Beyond Blue JIRA data. Is it daily, Transaction tracking (so we can roll back to a specific point in time)
Does Bigpicture enterprise allow hosting of Beyond blue data at an Australian data centre ?
Please find my answers below:
Regarding permissions, please note that if the scope owner does not have "browse project" permission for a given Jira Project, nobody using the Program will be able to view the tasks. You can easily verify that using Jira Permission Helper for the Scope Owner.