Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Application links - least privilege?

Marcus Scholle
Marcus Scholle September 2, 2018

Hey together,

I'm in the process of migrating my installation setup to a different server.
This consists of JIRA, Confluence, Bitbucket and Crowd for Authentication.
I'm now in the process of creating Application links for the first three. To facilitate that process, I created a "System-Superuser" that has administrative privileges on JIRA, Confluence and Bitbucket. During the link creation, I'm therefore checking "I'm Administrator on both servers" to get the reciprocal behaviour.
However, to implement least privilege, I would like to restrict an account with "System Admin" privileges to one application before going into production (for example only one user with the group "jira-administrators" who doesn't even has user access to Bitbucket).

So, my question is: For application links, is it necessary to leave the account the link was created with? Once the link is established, is it necessary to have a user that is system administrator on BOTH sides (for example JIRA and Confluence) at the same time?

Greetings Marcus

Answer
Watch
Like Be the first to like this
521 views

1 answer

0 votes
miikhy
miikhy
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 3, 2018

Hi Marcus,

Glad to read security concerns and your questions is clearly making sense. I’m not 100% sure but I think Applinks are regularly checked in the background through the user they use, therefore might not be possible to remove it.

Best idead I had for this problem (you might found better ones!), was to use my local admin account for this purpose. This account is essential in case external directories are failing so, anyway it would be there!

I wish I could be of more help!

Cheers

View More Comments
Marcus Scholle
Marcus Scholle September 3, 2018

Hey there Micky,

first thanks a lot for your answer!

First, you're of course right that AppLinks are checked in the background, however I should probably have noted in my OP that I've also integrated the whole setup to use SSL, Apache with a Reverse Proxy and SSO with Crowd.

So, I can't really use an internal directory, I've to use the one from Crowd.

However, after thinking about it, I don't think that removing my "Super-Superadmin" from Crowd later causes an issue with the Application links as long as there's (at least) one user defined in jira/confluence-administrators.

The reason I'm saying this (and why I'm not stating Bitbucket there) is that for Bitbucket I was able to "initialise" the application link for JIRA<>Bitbucket (and also Confluence<>Bitbucket). However, once the reciprocal in Bitbucket was to be done, I got an error message like the following picture.

04_JIRA-Application-Links-Bitbucket-Reciprocal-BB-Side-Warning.png

But as stated, signing in with my INTERNAL superadmin on Bitbucket (idk why this separation is apparently not possible on the other applications) and manually fixing the mismatch for the authentication methods worked just fine.

This leads me to assume that after that initial definition the application link is not tied to any specific user. Aside from that, it would basically be impossible to know that you should not delete "Sysadmin No3" because he created the link a year ago.

As I was now able to change my Crowd server to use an unprivileged user, I'll get to test that most likely tomorrow. Will report back about results here.

Reference link for Crowd because I mentioned it: https://confluence.atlassian.com/crowd/setting-crowd-to-run-automatically-and-use-an-unprivileged-system-user-on-unix-211649189.html

(made some adjustments to it, but generally the description is ok)

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.