Structure - Permission user list not multi-tenancy aware

Matthias Kannenberg April 27, 2020

I'm currently trying to set up a Jira Server installation for multiple clients and while reviewing/probing the Structure plugin it worked surprisingly well initially.

But what I found was that if a user creates a structure and then goes to Configure > Permissions > User he has access to the full user list of the installation.

While all other user lists (like assignee lists or "@" lists in normal Jira) are aware of the current project context and the rest of Structure seems to be aware of issue accessibility of both the current user as well as the structure creator, the permission user list simply exposes all users of the installation, which is an issue especially for us since we use mail addresses as usernames and these get exposed as well, with the mail domain essentially exposing our client list.

I understand that this is an edge case and quite hard to fix, but in my opinion there should be an additional check where only users are shown that share a project with the owner of the structure. Group sharing unfortunately does not work since everybody will share the jira-software-users group for general Jira access.

1 answer

0 votes
Egor Tasa [ALM Works]
Rising Star
April 27, 2020

Thank you for highlighting this, Matthias,

This is indeed an oversight. Let me record it in our internal system. I will let you know when the problem is fixed.

Regards,
Egor Tasa

ALM Works

Matthias Kannenberg April 29, 2020

Does it help you internally if I open an official Atlassian support ticket for this or is this post enough?

Egor Tasa [ALM Works]
April 30, 2020

Hi Matthias,

I don't think Atlassian can help us here. I must note that there is a solution to the problem in general - you can restrict Browse Users permission from Global Settings. This will make users without this permission unable to list any users (I must note that in some cases Jira does not seem to follow this setting, especially with the assignee field, but this is a different thing). However, solving the issue for the specific scenario will require quite a bit of design effort, as users that can set permissions in a structure are not acting within any context, project, or even structure yet (as people can assign permissions when the structure is still empty). I cannot promise a solution to this problem (apart from Browse User setting) any time soon, but I will let you know if such a solution is found and implemented.

Regards,
Egor
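
The scoping proposed in the question (show only users who share a project with the structure owner), combined with the Browse Users gate from the reply, sketched as an added example. This is not Structure's or Jira's code; the function names, usernames and project keys are constructed for illustration.

```python
# Constructed sample data: username (a mail address) -> projects the user can access.
PROJECT_ACCESS = {
    "anna@client-a.example": {"CA-WEB"},
    "ben@client-a.example": {"CA-WEB", "CA-OPS"},
    "carl@client-b.example": {"CB-APP"},
    "dora@client-c.example": {"CC-ERP"},
    "pm@vendor.example": {"CA-WEB", "CB-APP", "CC-ERP"},
}
# Every account sits in the same general-access group, as described in the thread.
GROUPS = {user: {"jira-software-users"} for user in PROJECT_ACCESS}


def candidates_by_shared_project(owner, access=PROJECT_ACCESS):
    """Users (owner included) who share at least one project with the owner."""
    owned = access.get(owner, set())
    return sorted(u for u, projects in access.items() if projects & owned)


def candidates_by_shared_group(owner, groups=GROUPS):
    """Group-based scoping: useless when one group contains every user."""
    owned = groups.get(owner, set())
    return sorted(u for u, member_of in groups.items() if member_of & owned)


def permission_picker(owner, has_browse_users, access=PROJECT_ACCESS):
    """Hypothetical picker: global Browse Users gate first, then project scoping."""
    if not has_browse_users:
        return []
    return candidates_by_shared_project(owner, access)


def exposed_domains(usernames):
    """Mail domains a viewer can read off a user list (the client-list leak)."""
    return sorted({u.split("@", 1)[1] for u in usernames if "@" in u})


if __name__ == "__main__":
    owner = "anna@client-a.example"
    print("unscoped list :", exposed_domains(PROJECT_ACCESS))
    print("shared group  :", exposed_domains(candidates_by_shared_group(owner)))
    print("shared project:", exposed_domains(permission_picker(owner, True)))
    print("no Browse Users:", permission_picker(owner, False))
```

An account that works across tenants, such as the constructed `pm@vendor.example`, still sees every domain under project scoping, so that kind of account needs separate review.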
