Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Security with APP/plugins

My organisation is very interested in a number of APPs, one is called Bigpicture.  I have not been able to find a security overview as to how APPS function within JIRA and what the APP vendor can see within my JIRA cloud instance.  

For example, in our JIRA cloud test environment, I sign up to Bigpicture within JIRA via the APP menu option.  What screen determines what Bigpicture vendor can see of my existing JIRA projects?  I can not find a JIRA screen for configuring this, its a Bigpicture configuration screen.  I want Bigpicture to view project A but not project B.  The only screen I can see for allowing Bigpicture to view project A but not B is a Bigpicture configuration screen, so does that mean Bigpicture can see all projects A+ B by default ?   

It would feel safer if Atlassian managed the security access via an atlassian configuration screen rather than a Bigpicture plugin screen, or am I missing something.


1 answer

1 vote

Hi @andrew.edwards

BigPicture uses the Atlassian Connect App interface to communicate with Jira Cloud. Connect apps use JWT (JSON Web Tokens) for authentication. At installation time, the Connect app and BigPicture exchange a security context containing a shared secret used to create and validate JWT tokens for use in API calls. BigPicture operates on metadata, e.g. id’s

  • issue id
  • link id
  • project id, board id, filter id, and pieces of JQL used in Box scope definition
  • custom fields mapped to start date, end date, baseline start date, baseline end date, progress,task mode, milestone
  • assignee key/id, display name
  • user id, group id (it’s needed for permission
  • URL to platform, e.g.

Currently, the BigPicture plugin has access to all projects available for a given user.

Hi Anna, 

Thanks for your response.  Confirming their is known method of adjusting JIRA permission scheme to stop Bigpicture from accessing Beyond blue's Project B for example while allowing access to all other projects.  

Also can you help with other questions I have about?

What are Bigpicture backup frequency of Beyond Blue JIRA data.  Is it daily, Transaction tracking (so we can roll back to a specific point in time)

Does Bigpicture enterprise allow hosting of Beyond blue data at an Australian data centre ?

thanks again.


Like Anna-BigPicture likes this
Anna-BigPicture Marketplace Partner May 20, 2021

Hi @andrew.edwards

Please find my answers below:

  • Automatic backup is done before every release. However, with help of our Dev Team, we can roll back to a specific point in time.
  • Currently, we have hosting in the USA, but in the coming weeks will be also in Europe and Asia.

Regarding permissions, please note that if the scope owner does not have "browse project" permission for a given Jira Project, nobody using the Program will be able to view the tasks. You can easily verify that using Jira Permission Helper for the Scope Owner. 
image - 2021-05-20T122541.260.png

Suggest an answer

Log in or Sign up to answer
Site Admin

Atlassian Community Events