Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Security with APP/plugins

andrew.edwards
andrew.edwards May 10, 2021

My organisation is very interested in a number of APPs, one is called Bigpicture.  I have not been able to find a security overview as to how APPS function within JIRA and what the APP vendor can see within my JIRA cloud instance.  

For example, in our JIRA cloud test environment, I sign up to Bigpicture within JIRA via the APP menu option.  What screen determines what Bigpicture vendor can see of my existing JIRA projects?  I can not find a JIRA screen for configuring this, its a Bigpicture configuration screen.  I want Bigpicture to view project A but not project B.  The only screen I can see for allowing Bigpicture to view project A but not B is a Bigpicture configuration screen, so does that mean Bigpicture can see all projects A+ B by default ?   

It would feel safer if Atlassian managed the security access via an atlassian configuration screen rather than a Bigpicture plugin screen, or am I missing something.

 

Answer
Watch
Like Anna-BigPicture likes this
403 views

1 answer

1 vote
Anna-BigPicture
Anna-BigPicture
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 17, 2021

Hi @andrew.edwards

BigPicture uses the Atlassian Connect App interface to communicate with Jira Cloud. Connect apps use JWT (JSON Web Tokens) for authentication. At installation time, the Connect app and BigPicture exchange a security context containing a shared secret used to create and validate JWT tokens for use in API calls. BigPicture operates on metadata, e.g. id’s

  • issue id
  • link id
  • project id, board id, filter id, and pieces of JQL used in Box scope definition
  • custom fields mapped to start date, end date, baseline start date, baseline end date, progress,task mode, milestone
  • assignee key/id, display name
  • user id, group id (it’s needed for permission
  • URL to platform, e.g. https://yourname.atlassian.com

Currently, the BigPicture plugin has access to all projects available for a given user.

View More Comments
andrew.edwards
andrew.edwards May 17, 2021

Hi Anna, 

Thanks for your response.  Confirming their is known method of adjusting JIRA permission scheme to stop Bigpicture from accessing Beyond blue's Project B for example while allowing access to all other projects.  

Also can you help with other questions I have about?

What are Bigpicture backup frequency of Beyond Blue JIRA data.  Is it daily, Transaction tracking (so we can roll back to a specific point in time)

Does Bigpicture enterprise allow hosting of Beyond blue data at an Australian data centre ?

thanks again.

Andrew

Like Anna-BigPicture likes this
Anna-BigPicture
Anna-BigPicture
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 20, 2021

Hi @andrew.edwards

Please find my answers below:

  • Automatic backup is done before every release. However, with help of our Dev Team, we can roll back to a specific point in time.
  • Currently, we have hosting in the USA, but in the coming weeks will be also in Europe and Asia.

Regarding permissions, please note that if the scope owner does not have "browse project" permission for a given Jira Project, nobody using the Program will be able to view the tasks. You can easily verify that using Jira Permission Helper for the Scope Owner. 
image - 2021-05-20T122541.260.png

Like
Jeret Shuck
Jeret Shuck September 28, 2023

Just wanted to add a thanks for this blerb from @Anna-BigPicture !

 

Regarding permissions, please note that if the scope owner does not have "browse project" permission for a given Jira Project, nobody using the Program will be able to view the tasks. You can easily verify that using Jira Permission Helper for the Scope Owner.

 

I've spent the last hour digging through documentation to try and figure out why a scope couldn't add a specific project. Fantastic call out here. This should be called out on the scope definitions somewhere.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Product apps
Apps & Integrations
DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
FREE
PERMISSIONS LEVEL
Site Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events