Public vs None Security Level on JIRA issues?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Public vs None Security Level on JIRA issues?

Colvin Cowie
Hello,

Sorry if this has been raised before, I could find it.
I was looking at issues that I had reported on JIRA and I was surprised to see that the list of issues was different when I was logged in vs logged out, since none of the issues are confidential.


The JIRA help has this to say about security levels:

Security Levels

An issue has a security level which indicates which users are able to view the issue. The currently defined security levels are listed below. In addition, you can add more security levels in the administration section.

Private (Security Issue)
Private Issue viewable by the reporter and those in the project PMC Role
Public
Default Security Level. Issues are Public

Which to me would suggest that None and Public are the same thing, and that Public issues would be visible to people who are not signed into JIRA - which they are. Except they are not searchable.

For an issue marked as Public I can visit it directly if I have the issue number, but I cannot search for its text. As soon as I change the Security Level to None on an issue its text is searchable.

That doesn't seem right to me, but if it is working as intended, then maybe the help text could be updated?

Colvin
Reply | Threaded
Open this post in threaded view
|

Re: Public vs None Security Level on JIRA issues?

Cassandra Targett-2
Yes, this is a known issue with Jira and the use of security levels. Atlassian (the maker of Jira) has known about it for years and has not fixed it yet.


It basically boils down to the Jira query engine does not default to finding issues with either "none" (which is really NULL in Jira's database) or "public". If you don't define the security level field in your search, it only returns issues with no value (displayed as "none") in that field, which omits all the issues that do have a value in that field. It's dumb.

The only solution is to periodically bulk edit the "public" issues so they have security level "none". I do it from time to time when I have time and remember, but not sure if anyone else does.

Cassandra

On Thu, May 21, 2020 at 8:50 AM Colvin Cowie <[hidden email]> wrote:
Hello,

Sorry if this has been raised before, I could find it.
I was looking at issues that I had reported on JIRA and I was surprised to see that the list of issues was different when I was logged in vs logged out, since none of the issues are confidential.


The JIRA help has this to say about security levels:

Security Levels

An issue has a security level which indicates which users are able to view the issue. The currently defined security levels are listed below. In addition, you can add more security levels in the administration section.

Private (Security Issue)
Private Issue viewable by the reporter and those in the project PMC Role
Public
Default Security Level. Issues are Public

Which to me would suggest that None and Public are the same thing, and that Public issues would be visible to people who are not signed into JIRA - which they are. Except they are not searchable.

For an issue marked as Public I can visit it directly if I have the issue number, but I cannot search for its text. As soon as I change the Security Level to None on an issue its text is searchable.

That doesn't seem right to me, but if it is working as intended, then maybe the help text could be updated?

Colvin
Reply | Threaded
Open this post in threaded view
|

Re: Public vs None Security Level on JIRA issues?

david.w.smiley@gmail.com
Also, I proposed this being added to our release process as well so that it happens systemically, and so that issues referred to from any release are more easily reachable.
~ David


On Thu, May 21, 2020 at 10:38 AM Cassandra Targett <[hidden email]> wrote:
Yes, this is a known issue with Jira and the use of security levels. Atlassian (the maker of Jira) has known about it for years and has not fixed it yet.


It basically boils down to the Jira query engine does not default to finding issues with either "none" (which is really NULL in Jira's database) or "public". If you don't define the security level field in your search, it only returns issues with no value (displayed as "none") in that field, which omits all the issues that do have a value in that field. It's dumb.

The only solution is to periodically bulk edit the "public" issues so they have security level "none". I do it from time to time when I have time and remember, but not sure if anyone else does.

Cassandra

On Thu, May 21, 2020 at 8:50 AM Colvin Cowie <[hidden email]> wrote:
Hello,

Sorry if this has been raised before, I could find it.
I was looking at issues that I had reported on JIRA and I was surprised to see that the list of issues was different when I was logged in vs logged out, since none of the issues are confidential.


The JIRA help has this to say about security levels:

Security Levels

An issue has a security level which indicates which users are able to view the issue. The currently defined security levels are listed below. In addition, you can add more security levels in the administration section.

Private (Security Issue)
Private Issue viewable by the reporter and those in the project PMC Role
Public
Default Security Level. Issues are Public

Which to me would suggest that None and Public are the same thing, and that Public issues would be visible to people who are not signed into JIRA - which they are. Except they are not searchable.

For an issue marked as Public I can visit it directly if I have the issue number, but I cannot search for its text. As soon as I change the Security Level to None on an issue its text is searchable.

That doesn't seem right to me, but if it is working as intended, then maybe the help text could be updated?

Colvin
Reply | Threaded
Open this post in threaded view
|

Re: Public vs None Security Level on JIRA issues?

Mike Drob-3
This is already present as a step in releaseWizard.py - Release Checklist > (9) Tasks to do after release > (10) > Clear Security Level of Public Solr JIRA Issues

On Thu, May 21, 2020 at 9:49 AM David Smiley <[hidden email]> wrote:
Also, I proposed this being added to our release process as well so that it happens systemically, and so that issues referred to from any release are more easily reachable.
~ David


On Thu, May 21, 2020 at 10:38 AM Cassandra Targett <[hidden email]> wrote:
Yes, this is a known issue with Jira and the use of security levels. Atlassian (the maker of Jira) has known about it for years and has not fixed it yet.


It basically boils down to the Jira query engine does not default to finding issues with either "none" (which is really NULL in Jira's database) or "public". If you don't define the security level field in your search, it only returns issues with no value (displayed as "none") in that field, which omits all the issues that do have a value in that field. It's dumb.

The only solution is to periodically bulk edit the "public" issues so they have security level "none". I do it from time to time when I have time and remember, but not sure if anyone else does.

Cassandra

On Thu, May 21, 2020 at 8:50 AM Colvin Cowie <[hidden email]> wrote:
Hello,

Sorry if this has been raised before, I could find it.
I was looking at issues that I had reported on JIRA and I was surprised to see that the list of issues was different when I was logged in vs logged out, since none of the issues are confidential.


The JIRA help has this to say about security levels:

Security Levels

An issue has a security level which indicates which users are able to view the issue. The currently defined security levels are listed below. In addition, you can add more security levels in the administration section.

Private (Security Issue)
Private Issue viewable by the reporter and those in the project PMC Role
Public
Default Security Level. Issues are Public

Which to me would suggest that None and Public are the same thing, and that Public issues would be visible to people who are not signed into JIRA - which they are. Except they are not searchable.

For an issue marked as Public I can visit it directly if I have the issue number, but I cannot search for its text. As soon as I change the Security Level to None on an issue its text is searchable.

That doesn't seem right to me, but if it is working as intended, then maybe the help text could be updated?

Colvin
Reply | Threaded
Open this post in threaded view
|

Re: Public vs None Security Level on JIRA issues?

Cassandra Targett
I found hundreds of issues that had not been cleared the last time I did it a couple months ago, dating back months. Enough that I assumed it had not ever been added to any release instructions.

Either there is a discrepancy between releaseWizard.py and the wiki ReleaseToDo that's causing it to be skipped in some cases, or sometimes an RM is occasionally unable to complete all steps for whatever reason(s).

On Thu, May 21, 2020 at 9:52 AM Mike Drob <[hidden email]> wrote:
This is already present as a step in releaseWizard.py - Release Checklist > (9) Tasks to do after release > (10) > Clear Security Level of Public Solr JIRA Issues

On Thu, May 21, 2020 at 9:49 AM David Smiley <[hidden email]> wrote:
Also, I proposed this being added to our release process as well so that it happens systemically, and so that issues referred to from any release are more easily reachable.
~ David


On Thu, May 21, 2020 at 10:38 AM Cassandra Targett <[hidden email]> wrote:
Yes, this is a known issue with Jira and the use of security levels. Atlassian (the maker of Jira) has known about it for years and has not fixed it yet.


It basically boils down to the Jira query engine does not default to finding issues with either "none" (which is really NULL in Jira's database) or "public". If you don't define the security level field in your search, it only returns issues with no value (displayed as "none") in that field, which omits all the issues that do have a value in that field. It's dumb.

The only solution is to periodically bulk edit the "public" issues so they have security level "none". I do it from time to time when I have time and remember, but not sure if anyone else does.

Cassandra

On Thu, May 21, 2020 at 8:50 AM Colvin Cowie <[hidden email]> wrote:
Hello,

Sorry if this has been raised before, I could find it.
I was looking at issues that I had reported on JIRA and I was surprised to see that the list of issues was different when I was logged in vs logged out, since none of the issues are confidential.


The JIRA help has this to say about security levels:

Security Levels

An issue has a security level which indicates which users are able to view the issue. The currently defined security levels are listed below. In addition, you can add more security levels in the administration section.

Private (Security Issue)
Private Issue viewable by the reporter and those in the project PMC Role
Public
Default Security Level. Issues are Public

Which to me would suggest that None and Public are the same thing, and that Public issues would be visible to people who are not signed into JIRA - which they are. Except they are not searchable.

For an issue marked as Public I can visit it directly if I have the issue number, but I cannot search for its text. As soon as I change the Security Level to None on an issue its text is searchable.

That doesn't seem right to me, but if it is working as intended, then maybe the help text could be updated?

Colvin
Reply | Threaded
Open this post in threaded view
|

Re: Public vs None Security Level on JIRA issues?

Colvin Cowie
Ah well that is a bit unfortunate.

I don't suppose you could configure it to only have a Security Level option of Private or None with None as the default then?

On Thu, 21 May 2020 at 16:32, Cassandra Targett <[hidden email]> wrote:
I found hundreds of issues that had not been cleared the last time I did it a couple months ago, dating back months. Enough that I assumed it had not ever been added to any release instructions.

Either there is a discrepancy between releaseWizard.py and the wiki ReleaseToDo that's causing it to be skipped in some cases, or sometimes an RM is occasionally unable to complete all steps for whatever reason(s).

On Thu, May 21, 2020 at 9:52 AM Mike Drob <[hidden email]> wrote:
This is already present as a step in releaseWizard.py - Release Checklist > (9) Tasks to do after release > (10) > Clear Security Level of Public Solr JIRA Issues

On Thu, May 21, 2020 at 9:49 AM David Smiley <[hidden email]> wrote:
Also, I proposed this being added to our release process as well so that it happens systemically, and so that issues referred to from any release are more easily reachable.
~ David


On Thu, May 21, 2020 at 10:38 AM Cassandra Targett <[hidden email]> wrote:
Yes, this is a known issue with Jira and the use of security levels. Atlassian (the maker of Jira) has known about it for years and has not fixed it yet.


It basically boils down to the Jira query engine does not default to finding issues with either "none" (which is really NULL in Jira's database) or "public". If you don't define the security level field in your search, it only returns issues with no value (displayed as "none") in that field, which omits all the issues that do have a value in that field. It's dumb.

The only solution is to periodically bulk edit the "public" issues so they have security level "none". I do it from time to time when I have time and remember, but not sure if anyone else does.

Cassandra

On Thu, May 21, 2020 at 8:50 AM Colvin Cowie <[hidden email]> wrote:
Hello,

Sorry if this has been raised before, I could find it.
I was looking at issues that I had reported on JIRA and I was surprised to see that the list of issues was different when I was logged in vs logged out, since none of the issues are confidential.


The JIRA help has this to say about security levels:

Security Levels

An issue has a security level which indicates which users are able to view the issue. The currently defined security levels are listed below. In addition, you can add more security levels in the administration section.

Private (Security Issue)
Private Issue viewable by the reporter and those in the project PMC Role
Public
Default Security Level. Issues are Public

Which to me would suggest that None and Public are the same thing, and that Public issues would be visible to people who are not signed into JIRA - which they are. Except they are not searchable.

For an issue marked as Public I can visit it directly if I have the issue number, but I cannot search for its text. As soon as I change the Security Level to None on an issue its text is searchable.

That doesn't seem right to me, but if it is working as intended, then maybe the help text could be updated?

Colvin