Issue Security scheme and System administrators

Ambica Seshasayee December 5, 2019

Hi,

System admins have access to all admin pages of JIRA.

Is it possible to restrict a "Security Level" creation or update in a Security scheme to only a certain System Administrator and NOT all System administrators?

Hope my question is clear.

Thanks,

Ambica

1 answer

0 votes
Elifcan Cakmak
Rising Star
December 6, 2019

Hello,

It's not possible to give permission for some system admin features to some system administrators. If you don't want all administrators to have access to system admin features, you can use Jira Administrators global permission instead.

[Screenshot: Selection_538.png]

Regards,

Elifcan

Ambica Seshasayee December 6, 2019

Thank you Elifcan for responding.

What would you suggest for the following?

Issue-level security is configured by System Admins, and that would let them add themselves to issues that are meant to be seen only by, say, an assignee and reporter.

How do we restrict SA from updating a level beyond the creation?

Since most times assignee/reporter are oblivious of administrative settings, how could they be aware of who else has access to the secure issue?

Thanks,

Ambica

Elifcan Cakmak
December 6, 2019

Well, unfortunately you can't restrict a system admin from making any kind of changes on Jira. Even if you create project level permissions and make certain people project admin, a system admin can always change the security schemes, project membership and permissions. 

For your second question, if you give security levels understandable names such as marketing team, sales team, etc., the assignee and reporter can see it on the issue itself and be aware of who has access to the issue, like this:

[Screenshot: Selection_539.png]

Regards,

Elifcan

Ambica Seshasayee December 6, 2019

Can this be done programmatically from a listener that can listen to a security level update kind of event and revert any changes on the security level update?

Basically, reverting any change to the security level and having only, say, the assignee and reporter see their respective secure issues.

Elifcan Cakmak
December 6, 2019

When do you set the issue security level? While creating the issue?

If that's the case, I guess you can write a customized script that runs on the issue updated event and checks the change history; if the security level field is changed, you can get the old value and update the field with it. But I'm not a hundred percent sure this would work, or whether it's the best solution.

If what you need is, for the whole project, for only, say, the assignee and reporter to see the issues, you can do it in the permission scheme, too, with the browse project permission. I couldn't fully understand what your business usage is.
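The change-history check described in the reply above, as an added example that is not part of the original thread: it reads an issue's changelog, lists every change to the security level, and reports the level to put back if the issue was moved off "Secure". The sample JSON is constructed, and the changelog field name `security` and the helper names are assumptions.

```python
import json

# Constructed sample shaped like GET /rest/api/2/issue/{key}?expand=changelog
# (issue key, user names and level ids are made up for this example).
SAMPLE_ISSUE = json.loads("""
{
  "key": "HR-12",
  "fields": {"security": {"id": "10001", "name": "Internal"}},
  "changelog": {"histories": [
    {"created": "2019-12-05T09:00:00.000+0000",
     "author": {"displayName": "Reporter One"},
     "items": [{"field": "security", "fromString": null, "toString": "Secure"}]},
    {"created": "2019-12-06T14:30:00.000+0000",
     "author": {"displayName": "Admin Two"},
     "items": [{"field": "summary", "fromString": "a", "toString": "b"},
               {"field": "security", "fromString": "Secure", "toString": "Internal"}]}
  ]}
}
""")

PROTECTED_LEVEL = "Secure"   # level name used in the thread
SECURITY_FIELD = "security"  # assumed changelog name of the Security Level field


def security_level_changes(issue):
    """Return every changelog entry that touched the security level, oldest first."""
    changes = []
    for history in issue.get("changelog", {}).get("histories", []):
        for item in history.get("items", []):
            if (item.get("field") or "").lower() == SECURITY_FIELD:
                changes.append({
                    "when": history.get("created"),
                    "who": (history.get("author") or {}).get("displayName", "unknown"),
                    "old": item.get("fromString"),  # None means no level was set
                    "new": item.get("toString"),
                })
    return sorted(changes, key=lambda c: c["when"] or "")


def level_to_restore(issue, protected=PROTECTED_LEVEL):
    """Return the protected level name if the issue was moved off it, else None."""
    current = (issue.get("fields", {}).get("security") or {}).get("name")
    was_protected = any(protected in (c["old"], c["new"])
                        for c in security_level_changes(issue))
    return protected if was_protected and current != protected else None


if __name__ == "__main__":
    for change in security_level_changes(SAMPLE_ISSUE):
        print(change)
    print("restore to:", level_to_restore(SAMPLE_ISSUE))
```

This only sees changes to an issue's own security level field. Adding users to the "Secure" level itself is a scheme edit and does not appear in any issue's changelog, so it needs a separate review.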

Ambica Seshasayee December 6, 2019

The requirement:

We have qualified a few issues across projects as secure issues which need to be seen only by the assignee and reporter of the issue. The projects' Security Scheme has a level created called "Secure" so that issues that are moved to that level have only assignee and reporter access.

However, since this configuration can only be done by a System Administrator(s), it is open to errors or vulnerabilities if the sys admins inadvertently add any additional users to this level. The assignee and reporter of the issues marked "Secure" wouldn't possibly be aware of more users being able to access their secure issue.

What's the best way to revert or disable any change to the "Secure" level by Sys Admins whose only users can be assignee and reporter?

Ambica Seshasayee December 9, 2019

Any suggestions on this?

Thanks,

Ambica

Elifcan Cakmak
December 11, 2019

Hello,

As I stated earlier, you cannot restrict System Administrators from doing anything. Also, the assignee and reporter cannot see who has access to the issue, you are correct. But there is not a technical solution for your problem. You need to make only people who are reliable System Administrators for your instance and tell them not to change the "Secure" level.

I also checked the Jira API and the Jira REST API to see if you can edit Issue Security Schemes programmatically, but there is no way. Even if there is, this would not be an ideal solution.

I'm sorry I couldn't be much help but this is the case for System Administrators. 

Regards,

Elifcan
