JIRA Forms security
I'm testing forms functionality because seems to be more clearly to use when user complete the fields. The setup issues is for the request for vacations workflow, that i made with custom fields and automations.
But i'm worried about. I share the form by email link for a person that not have access to JIRA and let me entry to form, complete information and create the issue. Project is restricted to some users and forms is restricted to LImited, but let me share by email to person without access to JIRA and are not in project?
Its a security fail? Could yo confirm this functionality?
Thanks
Alejandra
2 answers
Hi Trudy. Atlassian addon project assets role has permissions to create issues in our Scheme Permissions
This is important because in our model, we need to create issues manually in one project (vacations), and when its created, clone the issue in another project (calendar). So we have severals automations in that project and i understand for automation is neccesary assign atlassian-addons-project-access. But no users are assigned to that role
In our Permission Scheme, grant operations to role Ingreso de Ausencias, Aprobador Nivel1, and Aprobador Nivel 2, then in project assign persons to a that role.
Moreover, when I sent form by mail, put a person that not becomes to JIRA, user is not in JIRA., not defined, not assigned to project.
Hello @Alejandra Martin
Do I understand correctly that you:
1. Created a Form.
2. Set the Form access to Limited.
3. Got a Link for the form.
4. Gave that link to another person who does not have a Jira License.
5. That user was able to access the form with that link, complete the form, and submit the form without error.
6. An item was created in the Jira project from that form?
What type of project does this concern? Get that information from the Type column on the Projects page. You can reference that page through Projects > More Projects > View All Projects. Example:
Based on the project Type I will have additional questions about the specific permissions configuration for your project.
Hi Trudy!!! Me again with questions. I make the steps you describe above. The project is Company-managed-business. Thanks for your help!
Thank you for that additional information Alejandra.
I have not been able to recreate your problem working with a Company Managed Business project and a Form set to Limited access.
The next thing we should examine is the Permissions for the project.
Go to Project Settings > Permissions. Please share with us the settings for the Create Issue permission. Example:
The project role "atlassian-addons-project-access" is used only by apps and the role membership cannot be modified. So then you would need to look at all the other users, groups, roles, etc. granted that permission and confirm that the user is not a member of any of them.
You should also double check in https://admin.atlassian.com, looking up the user to see if they have any access to your site or your products.
I used the same configuration as above and provided the URL to other users who have Atlassian Cloud accounts and have access to other Atlassian Jira Cloud instances. In all tests the users received a message that they did not have access to my Site and needed to request access.
I also provide the URL to a user that has access to my Jira instance but does not have the Create Issue permission in the target project. In that case the user got the message "You don't have access to this form".
Thank you for sharing the image from your project Permissions Scheme.
I recommend that you double check the memberships of those roles in your project to make sure the user is not assigned to one of those roles. Perhaps a User Group has been added to one of the roles, and the user is a member of the group.
You can also ask the user to attempt to access your Jira site separately from the form by accessing the URL https://yourBaseURL/jira
If the user does not get a message about not having access, then somewhere in your Atlassian Cloud Organization administration you have a setting that is allowing them access.
If the user is successful in access your Jira instance with the the general URL, have them click on their avatar in the upper right corner and provide you with the information that appears there. Example:
Check the email address they provide against the email addresses of the users that have been assigned to the role. Look for that email address in you User list in the admin site. It is possible that they are using an identity cached in their browser rather than the one you think they are using, and that other identity might have access to your instance.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.