Application links - least privilege?

Marcus Scholle September 2, 2018

Hey together,

I'm in the process of migrating my installation setup to a different server.
This consists of JIRA, Confluence, Bitbucket and Crowd for Authentication.
I'm now in the process of creating Application links for the first three. To facilitate that process, I created a "System-Superuser" that has administrative privileges on JIRA, Confluence and Bitbucket. During the link creation, I'm therefore checking "I'm Administrator on both servers" to get the reciprocal behaviour.
However, to implement least privilege, I would like to restrict an account with "System Admin" privileges to one application before going into production (for example only one user with the group "jira-administrators" who doesn't even have user access to Bitbucket).

So, my question is: For application links, is it necessary to leave the account the link was created with? Once the link is established, is it necessary to have a user that is system administrator on BOTH sides (for example JIRA and Confluence) at the same time?

Greetings Marcus

1 answer

0 votes
miikhy
Rising Star
September 3, 2018

Hi Marcus,

Glad to read security concerns, and your question clearly makes sense. I'm not 100% sure, but I think Applinks are regularly checked in the background through the user they use, therefore it might not be possible to remove it.

Best idea I had for this problem (you might find better ones!) was to use my local admin account for this purpose. This account is essential in case external directories are failing, so it would be there anyway!

I wish I could be of more help!

Cheers

Marcus Scholle September 3, 2018

Hey there Micky,

First, thanks a lot for your answer!

First, you're of course right that AppLinks are checked in the background, however I should probably have noted in my OP that I've also integrated the whole setup to use SSL, Apache with a Reverse Proxy and SSO with Crowd.

So, I can't really use an internal directory, I have to use the one from Crowd.

However, after thinking about it, I don't think that removing my "Super-Superadmin" from Crowd later causes an issue with the Application links as long as there's (at least) one user defined in jira/confluence-administrators.

The reason I'm saying this (and why I'm not stating Bitbucket there) is that for Bitbucket I was able to "initialise" the application link for JIRA<>Bitbucket (and also Confluence<>Bitbucket). However, once the reciprocal in Bitbucket was to be done, I got an error message like the following picture.

[image: 04_JIRA-Application-Links-Bitbucket-Reciprocal-BB-Side-Warning.png]

But as stated, signing in with my INTERNAL superadmin on Bitbucket (I don't know why this separation is apparently not possible on the other applications) and manually fixing the mismatch for the authentication methods worked just fine.

This leads me to assume that after that initial definition the application link is not tied to any specific user. Aside from that, it would basically be impossible to know that you should not delete "Sysadmin No3" because he created the link a year ago.

As I was now able to change my Crowd server to use an unprivileged user, I'll get to test that most likely tomorrow. Will report back about results here.

Reference link for Crowd because I mentioned it: https://confluence.atlassian.com/crowd/setting-crowd-to-run-automatically-and-use-an-unprivileged-system-user-on-unix-211649189.html

(made some adjustments to it, but generally the description is ok)
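As an added example (not code from this thread or from Atlassian), here is a small pre-removal check that encodes the rule Marcus is aiming for: before the migration superuser is dropped, every application must keep at least one administrator, and an administrator of one application should not even hold a login on another. The account names and membership sets are constructed; in practice they would come from your directory or the applications' admin pages.

```python
"""Least-privilege check for per-application admin accounts (added example)."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    ok: bool
    orphaned: list = field(default_factory=list)   # apps left with no admin
    cross_app: dict = field(default_factory=dict)  # admin -> other apps it can log in to


def check_admin_split(admins: dict, access: dict, superuser: str) -> Finding:
    """admins: {app: set(system-admin accounts)}; access: {app: set(accounts
    that can log in at all)}. Simulates removing `superuser` everywhere."""
    remaining = {app: accts - {superuser} for app, accts in admins.items()}
    orphaned = sorted(app for app, accts in remaining.items() if not accts)
    cross = {}
    for app, accts in remaining.items():
        for acct in accts:
            # an admin of `app` should have no account on any other application
            others = [o for o, users in access.items() if o != app and acct in users]
            if others:
                cross.setdefault(acct, set()).update(others)
    cross = {acct: sorted(apps) for acct, apps in cross.items()}
    return Finding(ok=not orphaned and not cross, orphaned=orphaned, cross_app=cross)


# Constructed sample mirroring the thread: the migration superuser is admin
# everywhere, Bitbucket has no dedicated admin yet, and the Jira admin also
# has an ordinary login on Confluence.
ADMINS = {
    "jira": {"system-superuser", "jira-admin"},
    "confluence": {"system-superuser", "confluence-admin"},
    "bitbucket": {"system-superuser"},
}
ACCESS = {  # everyone who can log in, admins included
    "jira": {"system-superuser", "jira-admin", "alice"},
    "confluence": {"system-superuser", "confluence-admin", "alice", "jira-admin"},
    "bitbucket": {"system-superuser", "alice"},
}

if __name__ == "__main__":
    print(check_admin_split(ADMINS, ACCESS, "system-superuser"))
```

The sample run reports Bitbucket as orphaned and flags jira-admin for its Confluence login, so the superuser should not be removed until both are fixed.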
