How can I hide the workflow transition/operations from public users?

I have a page viewable by the public on which there is a jiraissue macro. Since each issue is a link, public users can follow this to view the issue in Jira. I was expecting that they could only view the issue according to the permission schemes I have set, but still the workflow transition is not only visible but the workflow operations such as the Edit button are enabled for them. This is obviously not acceptable.

Could anyone please let me know how to fix this?

Accepted answer

This is mostly down to permissions.

The first question is "are your users logging in?". If they are, then you need to chop down your permission schemes a bit to remove the abilities they are getting via their user account (groups, roles, etc).

If not, then you've got "browse = anyone" in your permission scheme, which is fine because it allows anonymous read access, but you've probably used "anyone" in other permissions too - edit is one of them. Remove the "anyone" and cut it all down to logged-in known users.

The workflow transitions are a similar principle, but you need to look in a different place. Open up the workflow(s) and look at the transitions. You'll probably find that they have no *conditions* or they have *conditions* like "allow people with resolve permission". In the first case, you need to add a condition that will prevent non-logged in users from doing it - the most simple way to do that is simply whack in "user is in group jira-users", as that's the "can log in" group, but you might actually want to cut it down to something even more restrictive. In the second case, you could do the same as the first case, but also think about why they're getting those permissions.

By public users, I mean those who are not logged in. I have only one permission scheme at this moment, which is the default one, and I have carefully looked through all of them to see if any 'Anyone' is slipping in, but none was found. The 'edit' is definitely not Anyone and that explains why the 'Edit' button is correctly hidden from public users. However, the 'Edit' button of the workflow transition is enabled, and I have learnt that I should set up permission parameters for the workflow steps (in the Workflow page like you suggested), but is there any way to fix this instead of going through all the steps in all workflows which are active now and setting up each individual parameter?

I have a lot of workflows at this moment and no permission parameter has been set, and it seems like if no permission is set for a step, it will default to 'Anyone', resulting in the problem I have here. I found that a rather strange thing to be set as default in Jira. Please correct me if I'm wrong.

Many thanks, Nic!

No, you need to amend each transition - there's no other way, because there's no meta-permissions on workflows.

Then should there be meta-permissions in Jira regarding this? It will save me lots of time. Do you think this could be an improvement for Jira?

I think an overall "anonymous users can't do anything in this workflow" flag would be useful. But I don't think there's even a request open for any meta-permission type stuff, and I suspect it wouldn't be a simple change. I don't think it'll happen anytime soon.

I agree with Nic Brough. The default behavior is quite unexpected and not well reasoned.
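The per-transition review described in this thread can be scripted as an audit. The following is an added example, not part of the original posts: it assumes the workflow has been exported as XML in the OSWorkflow-style layout, uses a constructed sample document, and the function name `unconditioned_transitions` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the OSWorkflow-style layout of a Jira workflow XML export (assumption).
SAMPLE_WORKFLOW = """\
<workflow>
  <initial-actions>
    <action id="1" name="Create"><results><unconditional-result step="1"/></results></action>
  </initial-actions>
  <common-actions>
    <action id="5" name="Resolve Issue">
      <restrict-to><conditions><condition type="class">
        <arg name="class.name">com.atlassian.jira.workflow.condition.PermissionCondition</arg>
        <arg name="permission">resolve</arg>
      </condition></conditions></restrict-to>
    </action>
  </common-actions>
  <steps>
    <step id="1" name="Open">
      <actions>
        <common-action id="5"/>
        <action id="4" name="Start Progress"/>
        <action id="6" name="Close Issue"><restrict-to><conditions/></restrict-to></action>
      </actions>
    </step>
  </steps>
</workflow>
"""

def unconditioned_transitions(workflow_xml):
    """Return (step name, action id, action name) for every transition
    that carries no <condition>, i.e. one no workflow condition restricts."""
    root = ET.fromstring(workflow_xml)
    findings = []
    # Transitions shared between steps live under <common-actions>/<global-actions>.
    for container in ("common-actions", "global-actions"):
        for action in root.findall(f"./{container}/action"):
            if action.find("./restrict-to//condition") is None:
                findings.append((f"({container})", action.get("id"), action.get("name")))
    for step in root.findall("./steps/step"):
        for action in step.findall("./actions/action"):
            if action.find("./restrict-to//condition") is None:
                findings.append((step.get("name"), action.get("id"), action.get("name")))
    return findings

if __name__ == "__main__":
    for step, action_id, name in unconditioned_transitions(SAMPLE_WORKFLOW):
        print(f"no condition: step={step} action={action_id} name={name}")
```

Each transition it reports is one that still needs a condition added in the workflow editor; an empty `<conditions/>` element is treated the same as a missing one.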
