In Atlassian Jira, filters and dashboards can be shared publicly by users. This is a fantastic, useful feature when collaborating in a public and open community. It becomes a critical problem when publicly accessible filters and dashboards are shared with people who shouldn't have access, so that sensitive information ends up visible on the internet.
By default, all Jira users have permissions that allow them to share the filters and dashboards. This can represent a data security risk for Jira when administrators want to secure their instance. Here are a few tips to make sure your Jira instance is and remains secure.
Configuration stumbling blocks
There are many use cases in daily workflows where it makes sense to use shared Jira filters. But, it is important that all users are aware that setting Public in the sharing settings really means public, available to anyone on the internet. In Jira Server versions 7.2.2 and earlier, this setting was called 'Everyone' and was commonly misunderstood to mean all users within the Jira instance.
Our many years of Jira consulting experience have shown us that in many large instances, a significant number of filters have been publicly shared by the company's Jira users. The issues themselves and the information they contain remain secure, but an internet user can see the filter queries, the filter names with descriptions and the filter owners with names and user names. You can even find such information indexed by search engines. The filter query itself can include details about users, project names, project status and other information.
To get an idea of what information and which filters are publicly shared from your system, without being logged in, enter the name of your instance followed by the popular filters list: yourJiraInstanceURL/secure/ManageFilters.jspa?filterView=popular
Dashboards work similarly. To see which dashboards have been shared publicly, look at the list of favorite dashboards in your instance, without being logged in: yourJiraInstanceURL/secure/ConfigurePortalPages!default.jspa?view=popular
Less information about your Jira instance is visible via the publicly shared dashboards: dashboard names and descriptions, as well as the names and usernames of those users who created them.
Alternatively, click Dashboards > Manage Dashboards or Issues > Manage Filters, and look at the list of filters and dashboards that have been shared with "Anyone" to get an overview of what information is available publicly.
Protect sensitive data
The first step Atlassian has taken to increase security has been to change "Everyone" to the much clearer term "Public" and to display an explicit warning to a user when they share a filter or a dashboard. This has been implemented since Jira Server version 7.2.2.
Since Jira version 7.2.2, administrators can disable sharing with the public. We recommend this approach if you do not intend to deliberately share your filters and dashboards with people outside your organization. Set Public sharing to OFF via the Jira administration area > System > General configuration > Edit settings.
Note: Changing this setting does not limit sharing on filters and dashboards that have already been publicly shared.
In earlier versions of Jira, there are two ways of securing your instance.
- Stop all teams from creating shared filters and dashboards in general (Jira administration area > System > Global permissions). But this will most likely hamper effective teamwork.
- Alternatively, train all users to be aware that "Everyone" doesn't just mean "Jira users that are logged in", but any person that has the URL of the Jira instance, from anywhere on the web. From version 7.2.2 onwards, this setting is called "Public" and an additional setting for "All logged-in users" is available.
Restrict publicly shared Jira filters and dashboards
Of course, changing the configuration doesn't change those filters and dashboards that have already been shared with the public. When there are only a few 'public' filters and dashboards to secure, it's not a problem to manually change their permissions.
- Ask your users to do this themselves: Issues > Manage filters > My.
- As an administrator, individually update all filters:
  - Change the ownership of the filter to yourself (admin). Search for the filters in the Jira administration area under System > Shared filters and then enter your own username after clicking on the gear icon > Change owner (remember the previous owner so you can change it back).
  - Open the filter (via Issues > Manage filters > My). View each filter's Details, then click on Edit Permissions and change the sharing permissions from "Public" to "All logged-in users".
  - Then set the filter owner back to the original user. Search for the filter in the Jira administration area under System > Shared filters and then enter the original owner's username after clicking on the gear icon > Change owner.
If you have a large number of shared filters and dashboards, Atlassian offers a workaround to directly edit the database (your Jira instance must be taken offline while this workaround is applied). See Atlassian's instructions for this workaround.
If you are not sure if public filters and dashboards are set up in your system, we recommend you perform a security audit, especially if you are using an older Jira version (Jira Server 7.2.2 and older):
- If your organization does not specifically require filters and dashboards to be shared publicly, turn this feature off: Jira administration area > System > General configuration > Edit settings.
- Check to see if there are any filters that can be seen by people who are not logged into your Jira instance: yourJiraInstanceURL/secure/ManageFilters.jspa?filterView=popular
- Check to see if there are any dashboards that can be seen by people who are not logged into your Jira instance: yourJiraInstanceURL/secure/ConfigurePortalPages!default.jspa?view=popular
Note: The System dashboard is always publicly accessible.
- When no filters are visible at the links above, and when only the System dashboard is visible, then your filter and dashboard configuration in Jira is secure.
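The two anonymous checks above (the popular-filters and popular-dashboards pages) can be repeated after every audit. The script below is an added example, not part of the original post and not an Atlassian tool; it assumes Jira Server's usual link formats (/issues/?filter=<id> for filters, /secure/Dashboard.jspa?selectPageId=<id> for dashboards) and that the built-in System dashboard has the default page id 10000.

```python
import re
import sys
import urllib.request

# Assumptions (not from the original post): Jira Server renders filter links as
# /issues/?filter=<id> and dashboard links as /secure/Dashboard.jspa?selectPageId=<id>;
# the System dashboard, which is always public, has the default page id 10000.
FILTER_LINK = re.compile(r"/issues/\?filter=(\d+)")
DASHBOARD_LINK = re.compile(r"/secure/Dashboard\.jspa\?selectPageId=(\d+)")
SYSTEM_DASHBOARD_ID = "10000"

# The two pages named in the post, viewed without logging in.
POPULAR_FILTERS = "/secure/ManageFilters.jspa?filterView=popular"
POPULAR_DASHBOARDS = "/secure/ConfigurePortalPages!default.jspa?view=popular"


def public_filter_ids(html):
    """Filter ids linked from the anonymous 'popular filters' page (deduplicated)."""
    return sorted(set(FILTER_LINK.findall(html)), key=int)


def public_dashboard_ids(html):
    """Dashboard ids linked from the anonymous 'popular dashboards' page, minus System."""
    ids = set(DASHBOARD_LINK.findall(html))
    ids.discard(SYSTEM_DASHBOARD_ID)  # the System dashboard is expected to be visible
    return sorted(ids, key=int)


def fetch_anonymous(base_url, path):
    """GET a page with a fresh opener (no cookies, no credentials) to see the public view."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "jira-share-audit"})
    with urllib.request.build_opener().open(req, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


def audit(base_url):
    """Return (filter_ids, dashboard_ids) visible without logging in; both empty means secure."""
    filters = public_filter_ids(fetch_anonymous(base_url, POPULAR_FILTERS))
    dashboards = public_dashboard_ids(fetch_anonymous(base_url, POPULAR_DASHBOARDS))
    return filters, dashboards


if __name__ == "__main__":
    found_filters, found_dashboards = audit(sys.argv[1])  # e.g. https://jira.example.test
    print("publicly shared filters:", found_filters or "none")
    print("publicly shared dashboards (besides System):", found_dashboards or "none")
    sys.exit(1 if found_filters or found_dashboards else 0)
```

Run it against your own instance URL; a non-zero exit code means something besides the System dashboard is visible to the whole internet and needs its sharing permissions changed as described above.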
An experienced partner for Atlassian Jira
Do you have any questions about Atlassian Jira? //SEIBERT/MEDIA is an Atlassian Platinum Solution Partner with years of experience in everything Jira, from planning to implementation and the productive use of the various types of Jira deployments. We would be pleased to support you with strategic advice, licensing, implementation support, optimization and app selection, anything you need for your ideal Jira system. Contact us today!