I’m from an Atlassian Partner. I was recommended by Atlassian support to raise a topic here and discuss this issue.
Note that this subject prevents one of our largest customers from approving almost any app in the cloud. This is a real barrier to migrating our large customers to the cloud.
Our customer is concerned that apps have “permission scopes” and that they might abuse those permissions (or get compromised by an attacker that will abuse them) and will use the scope to get/update data or change Jira configuration (e.g. changing a permission scheme).
We talked with some App vendors and they told us that they ask for various permission scopes only for the installation; they don’t need them for the ongoing operation of the App.
However, even if they don’t need the declared scope, they still have it, and it can be compromised.
The need is to control dynamically the approved scopes of each app separately. Even if the app gets some initial scope during installation, the customer wants control over that, and would like to have the possibility to remove permission scope from an app after installation is completed.
For example: remove app permission scope to update Jira issues, remove app permission scope to administer Jira, etc.
That’s why we were very intrigued by the new feature announced in the roadmap recently:
App data access controls: Restrict app access to specific Atlassian instances, Confluence Spaces, or Jira Projects. (targeted for 2024 Q1).
This was an especially good announcement for us, since we noticed the following bug in the backlog: JRACLOUD-81601
We also noticed this announcement about the deprecation of the ability to control App permissions in the permission scheme using the “atlassian-addons-project-access” role.
(see notice from 11 Aug on https://developer.atlassian.com/cloud/jira/platform/changelog/)
Initially we thought to use the “atlassian-addons-project-access” role in the permission scheme in order to control app permissions. Per the above bug and deprecation notice, we cannot really use that approach (and even if we do, it’s not specific to each app; it’s one role for all the apps), so the new feature planned for Q1 2024 might save us, or not…
The question for the community: what do you think should be the functionality of the above new feature? Do you agree that allowing the Jira admins to change the permission scopes of each app (after installation) is a good idea that can help increase the infosec level and reduce infosec risks?
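As an added example, not part of the original post: before relying on (or removing) the permission-scheme approach the post describes, an admin usually wants to know which schemes currently grant which permissions to the shared atlassian-addons-project-access role. The script below does that audit over a hand-constructed document in the shape returned by `GET /rest/api/3/permissionscheme?expand=permissions,projectRole`. The sample data, the `HIGH_IMPACT` list and the role id `10002` are assumptions made for illustration; fetching the real response (assumption: with an API token over basic auth) is left to the caller so the script runs offline. It only reports the existing, all-apps-at-once state; it does not give the per-app control the post asks for.

```python
"""Audit which Jira Cloud permission schemes grant permissions to the
atlassian-addons-project-access project role.

Added example; not code from the original post. SAMPLE_RESPONSE is a
hand-constructed document in the shape of
GET /rest/api/3/permissionscheme?expand=permissions,projectRole.
Fetching it (assumption: HTTP basic auth with an API token) is left to
the caller so that this script runs offline.
"""
import json

ADDONS_ROLE = "atlassian-addons-project-access"

# Illustrative set (assumption, not an Atlassian-defined list): permissions an
# admin would usually not want every installed app to hold by default.
HIGH_IMPACT = {"ADMINISTER_PROJECTS", "EDIT_ISSUES", "DELETE_ISSUES"}

# Constructed sample; role id 10002 for the add-ons role is an assumption.
_ADDONS = {"type": "projectRole", "parameter": "10002",
           "projectRole": {"id": 10002, "name": ADDONS_ROLE}}
_ADMINS = {"type": "projectRole", "parameter": "10001",
           "projectRole": {"id": 10001, "name": "Administrators"}}

SAMPLE_RESPONSE = json.dumps({
    "permissionSchemes": [
        {"id": 10000, "name": "Default Permission Scheme", "permissions": [
            {"permission": "BROWSE_PROJECTS", "holder": _ADDONS},
            {"permission": "EDIT_ISSUES", "holder": _ADDONS},
            {"permission": "ADMINISTER_PROJECTS", "holder": _ADDONS},
            {"permission": "ADMINISTER_PROJECTS", "holder": _ADMINS},
            {"permission": "BROWSE_PROJECTS",
             "holder": {"type": "group", "parameter": "jira-software-users"}},
        ]},
        {"id": 10100, "name": "Restricted Scheme", "permissions": [
            {"permission": "BROWSE_PROJECTS", "holder": _ADDONS},
            {"permission": "EDIT_ISSUES", "holder": _ADMINS},
        ]},
        {"id": 10200, "name": "No App Access Scheme", "permissions": [
            {"permission": "BROWSE_PROJECTS",
             "holder": {"type": "applicationRole", "parameter": "jira-software"}},
        ]},
    ]
})


def _holder_is_role(holder, role_name, role_id):
    """True if a permission holder is the given project role, matched by the
    expanded role name or, when the response was not expanded, by role id."""
    if holder.get("type") != "projectRole":
        return False
    expanded = holder.get("projectRole")
    if expanded is not None:
        return expanded.get("name") == role_name
    return role_id is not None and holder.get("parameter") == str(role_id)


def grants_to_role(response_json, role_name=ADDONS_ROLE, role_id=None):
    """Map scheme name -> sorted permission keys granted to the role.
    Schemes that grant the role nothing are omitted."""
    data = json.loads(response_json)
    result = {}
    for scheme in data.get("permissionSchemes", []):
        keys = {g["permission"] for g in scheme.get("permissions", [])
                if _holder_is_role(g.get("holder", {}), role_name, role_id)}
        if keys:
            result[scheme["name"]] = sorted(keys)
    return result


def high_impact_grants(grants, high_impact=HIGH_IMPACT):
    """Keep only schemes where the role holds at least one high-impact permission."""
    flagged = {}
    for scheme, perms in grants.items():
        hits = [p for p in perms if p in high_impact]
        if hits:
            flagged[scheme] = hits
    return flagged


if __name__ == "__main__":
    grants = grants_to_role(SAMPLE_RESPONSE)
    for scheme, perms in grants.items():
        print(f"{scheme}: {', '.join(perms)}")
    for scheme, perms in high_impact_grants(grants).items():
        print(f"REVIEW {scheme}: app role holds {', '.join(perms)}")
```

Because the grant is to one role shared by all apps, a hit in this report means every installed app with that role in the project has the permission; that is exactly the limitation the post points out, and why the audit cannot be narrowed to a single app.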