
How to realise a classified project in Jira?

Fabian May 22, 2018

Hi all,

we have a project / helpdesk (self hosted) that is handling "secret" information. Therefore we want to eliminate the possibility for jira-admins to give themselves access to this specific project.

Only users with proper clearance should have access to that project.

According to Atlassian it is not possible (atm) to restrict jira-admins from accessing projects they should have no access to.

We already thought about hosting a second Jira instance with its own permission scheme (with only one jira-admin that has the clearance), but that seems to be quite complicated, as we need the user base of the existing instance.

 

Does anyone have a suggestion how we could do that?

 

Any help is much appreciated!

 

Best,

Fabian

 

4 answers

0 votes
Fabian May 22, 2018

Thanks for the feedback so far, I think in our current environment this is not possible.

@Nic Brough -Adaptavist- do you think we could host a second Jira instance with only that project, to which we assign one trusted admin?

The only thing would be: could we establish a connection between both instances so that existing users could create tickets there?

Bastian Stehmann
Community Champion
May 22, 2018

You can use your existing Jira as User Database. That way all existing users can log in (if you give them application access).

You can set permissions, so that the users are able to create new issues in that project, but do not have any other permission.

But you should keep in mind that you will need a second Jira license for all those users...

Nic Brough -Adaptavist-
Rising Star
May 22, 2018

Yes, if you have trust issues with your administrators, your only option is another Jira. 

Especially if a user has any access to the database - that renders all your permissions and schemes completely worthless, as they'll be able to see anything they want.

I tend to agree with @Bastian Stehmann on the thing about trust.  If I didn't trust an admin not to look at (or at least ignore) stuff the non-admins have restricted, then I'm not sure I'd trust them with any admin access either.

But I know you can't always do that.  So, yes, a separate Jira might do it. 

0 votes
Monika Danielsson
Contributor
May 22, 2018

Hi,

The Jira administrators can always give themselves access to projects, by adding themselves to a role with enough privileges. However, sometimes it's enough that these things are logged (and the people in question are aware of that). I don't know if that's ok in your case?

If you make sure these people cannot tamper with the Audit log data (make sure they cannot access the database, for example),  then you could depend on security levels, permissions, and all that, to keep them out of the data.

Nic Brough -Adaptavist-
Rising Star
May 22, 2018

An admin can always bypass all of this (without database access. You should never give anyone any database access, it's almost always the wrong answer).

Admins can change security schemes, let themselves into the various levels and turn off the audit log if they want.

You have to trust the admins.

Fabian May 22, 2018

Hi @Monika Danielsson,

you are right, that is an option we have thought of.

Unfortunately, some of the jira-admins also have access to the underlying database, which makes this even more complicated.

Therefore we are thinking about a second isolated jira instance.
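
The logging approach discussed in this answer only helps if the records are reviewed somewhere the Jira admins cannot alter. The sketch below is an added example, not part of the original thread and not Atlassian code: it scans access-change records for a protected project and flags admins who grant themselves access, directly or through a group. The record layout, project key, user names and group membership are all constructed assumptions, not Jira's real audit format.

```python
# Added example: review exported Jira audit records for access changes on a
# protected project. All names, records and the record layout are constructed.
PROTECTED = "SECRET"                      # hypothetical project key
CLEARED = {"alice", "carol"}              # hypothetical users with clearance
GROUPS = {"jira-administrators": {"bob", "erin"}}  # constructed membership

# Constructed records: who changed access ("author"), on which project,
# and which users or groups were granted access ("added").
RECORDS = [
    {"id": 101, "author": "alice", "project": "SECRET", "added": ["carol"]},
    {"id": 102, "author": "bob", "project": "SECRET", "added": ["bob"]},
    {"id": 103, "author": "bob", "project": "SECRET",
     "added": ["jira-administrators"]},
    {"id": 104, "author": "alice", "project": "SECRET", "added": ["dave"]},
    {"id": 105, "author": "bob", "project": "HELP", "added": ["dave"]},
]


def expand(grantee, groups):
    """Return the set of users a grantee stands for (group members or itself)."""
    return set(groups.get(grantee, {grantee}))


def review(records, protected=PROTECTED, cleared=CLEARED, groups=GROUPS):
    """Return (record id, reason) for each suspicious grant on the project."""
    findings = []
    for rec in records:
        if rec["project"] != protected:
            continue  # changes to other projects are out of scope here
        for grantee in rec["added"]:
            users = expand(grantee, groups)
            if rec["author"] in users:
                # Direct self-grant, or one hidden behind a group membership.
                reason = ("self-grant" if grantee == rec["author"]
                          else "self-grant-via-group")
            elif users - cleared:
                reason = "uncleared-grantee"
            else:
                continue
            findings.append((rec["id"], reason))
    return findings


if __name__ == "__main__":
    for rec_id, reason in review(RECORDS):
        print(rec_id, reason)
```
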

0 votes
Yogesh Mude
Rising Star
May 22, 2018

Hi @Fabian,

Why should you not think about issue security level?

Issue security schemes let you control which user or group of users can view an issue. When an issue security scheme is associated with a project, its security levels can be applied to issues in that project.

Fabian May 22, 2018

Hi @Yogesh Mude,

 

thanks for the hint!

Do you know if jira-admins can change the issue security scheme? We really want to make sure that they can't grant themselves access to issues in this project.

0 votes
Bastian Stehmann
Community Champion
May 22, 2018

Hi @Fabian,

 

welcome to this community.

It is right that an admin can always access all projects (he will have to, to do his work). But you can use issue security to set security levels on those issues. If you do not add the admins to the security levels, they won't be able to see the issues, although they can access the project.

Fabian May 22, 2018

Hi @Bastian Stehmann,

 

thanks for the quick reply!

I'll look into that in our test environment.

I'm just curious, can admins not add themselves to one of the security levels and get to see the issues again?

Nic Brough -Adaptavist-
Rising Star
May 22, 2018

Yes, they can. You have to be able to trust that they won't (or don't care about the secrets).

Bastian Stehmann
Community Champion
May 22, 2018

Nic is right, they can change it. But if you fear that your admins will change the scheme to get access, get that secret data and then change it back so that it is not obvious that they did, you should maybe think of the kind of people that are administering your system.
