atlassian / github-for-jira

Connect your code with your project management in Jira
https://github.atlassian.com
MIT License
618 stars 188 forks

Jira projects limit access to Github organization #1233

Open Jetaldesai opened 2 years ago

Jetaldesai commented 2 years ago

Currently any Jira project can see all Github repos and there is no way to limit view or access to a specific organization per Jira project. This is a huge security and compliance gap. This capability is good for public projects but not suitable for organizations.

mboudreau commented 2 years ago

This isn't a compliance gap as it's within the current model of both Github and Jira, since any user in your Github org can still see most if not all repos unless you're completely locking down your Github org and adding individual users to each repo. It is not the case that "any Jira project can see all Github repos": it's a one-way ingestion of data from Github to Jira. If a Github PR has a ticket id in it, we will add a link to the Github PR in the ticket. If the user doesn't have access to the project or the Github repo, they can't see any data. If the user has access to the Jira ticket but not the Github repo, they can see the PR name, who approved it and a few other high-level data points, but never code unless they have direct access to that Github repo as a user.

If you are greatly concerned about security in this regard, I would suggest that you break up your Github org into multiple orgs as some of our enterprise customers have done to have complete separation of access. We cannot enforce better separation than that as we are limited by the Github app and Jira app model.

Please close the ticket if this answers your question. Thanks!

Jetaldesai commented 2 years ago

We have multiple Github Orgs but there is no way to limit or configure Jira projects per Organization. Based on the model it looks like you need to have multiple Jira instances to integrate with different Github orgs.

Example:

Test ABC Jira project --> Github Org A
Test XYZ Jira project --> Github Org B
Test AZX Jira project --> Github Org B

Thanks


mboudreau commented 2 years ago

For the moment, we do not do project filtering per org/repo. This may be in the cards in the future once we set up more possible configurations. For now though, it's all based on the project key and how your developers associate them in Github.
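
To make the project-key association described in the two comments above concrete, here is an added Python example. It is not code from the github-for-jira app and does not claim to match its implementation; it assumes the usual uppercase Jira key form PROJ-123, and the project keys, repository name and PR text are invented for the illustration. The point it shows is that the link between a repository and a Jira project is purely lexical: whoever can name a project key in a branch or PR associates the two.

```python
import re

# Jira issue keys look like PROJ-123: an uppercase project key (a letter followed
# by letters, digits or underscores), a hyphen and an issue number. The lookbehind
# stops a key from being matched out of the middle of a longer token such as
# XPROJ-123, which would otherwise yield PROJ-123.
ISSUE_KEY_RE = re.compile(r"(?<![A-Z0-9_])([A-Z][A-Z0-9_]+)-(\d+)")


def extract_issue_keys(text, known_project_keys):
    """Return the issue keys mentioned in a branch name, commit message or PR
    title, in order of first appearance and without duplicates.

    Only keys whose project part is a known Jira project key are kept, which
    is what keeps strings such as SHA-256 or UTF-8 from being treated as links.
    """
    keys = []
    for match in ISSUE_KEY_RE.finditer(text):
        project, number = match.group(1), match.group(2)
        key = f"{project}-{number}"
        if project in known_project_keys and key not in keys:
            keys.append(key)
    return keys


def links_from_pull_request(pr, known_project_keys):
    """Group the issue keys a pull request mentions (title, source branch,
    commit messages) by Jira project key.

    Note what is absent: nothing here looks at who opened the PR or which
    repository it lives in, so any developer can associate any repository
    with any project simply by writing that project's key into a branch name.
    """
    texts = [pr["title"], pr["head_branch"], *pr["commit_messages"]]
    by_project = {}
    for text in texts:
        for key in extract_issue_keys(text, known_project_keys):
            project = key.split("-", 1)[0]
            linked = by_project.setdefault(project, [])
            if key not in linked:
                linked.append(key)
    return by_project


# Constructed sample (invented names): a PR in one team's repository that
# mentions another project's key alongside a hash-algorithm name.
KNOWN_PROJECT_KEYS = {"BLUE", "RED"}
SAMPLE_PR = {
    "repo": "acme/red-service",
    "title": "BLUE-41 harden token handling (uses SHA-256)",
    "head_branch": "feature/BLUE-41-token-handling",
    "commit_messages": ["BLUE-41 rotate keys", "RED-9 bump deps", "fix typo"],
}

if __name__ == "__main__":
    print(links_from_pull_request(SAMPLE_PR, KNOWN_PROJECT_KEYS))
    # {'BLUE': ['BLUE-41'], 'RED': ['RED-9']}
```

The filter on known project keys is the only thing resembling a policy decision in this flow; there is no check that the author of the PR may see the linked project, nor that members of the project may see the repository, which is exactly the gap the rest of this thread is about.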

lucianmq commented 2 years ago

this really seems like a big gap in the permissions model

supdann commented 1 year ago

Any updates in this regard? As @Jetaldesai mentioned, 'This is a huge security and compliance gap.'

@mboudreau please correct me if I'm wrong. But what you say is not correct. Currently, it is possible for anyone in our Jira organization to list all existing repos on our Github Organization (even those to which they shouldn't have access with their Github Accounts). Whenever someone from any project wants to create a branch for a ticket, they are able to create a branch for any repository in our organization.

It's not an alternative for us to restrict the repository access on the Github settings (for Jira), since we want multiple Jira projects to access different repositories.

Is there a way to restrict the repositories listed, to only those pre-connected in the "Github for Jira" section?

[Screenshot, 2023-04-04]

Ideally we allow Jira to list all of our Repos, and Jira should respect the restrictions based on what repositories are connected. Or am I missing something?

mlander commented 1 year ago

If you can't enforce better separation, could you at least imply through UX the repos associated in the toolchain already?

So the following workflow:

  1. Add repository to toolchain
  2. Create issue with development field
  3. Click 'Create branch'
  4. In the options dropdown, see repositories already in the toolchain, and allow users to toggle visibility of non-toolchain repositories.

Currently, the lack of preselected or recommended repositories (based on toolchain) greatly increases the chance of human error each time someone creates a branch through the UI.

GraemeMeyerGT commented 1 year ago

To echo what others are saying, this is a serious security issue that will prevent us from using this addon. It's also I think what #1136 was asking about.

As it currently stands, the Jira-default "Member" permission for a project includes the "View Development Tools" permission, which means that any project administrator can assign any user (themselves included) the ability to access the development tools, which means anything connected via the GitHub app. I can't figure out any way to prevent this.

We have also observed that even users without a GitHub account at all can use the Jira features (like create branch etc.) on any GitHub repo, even if their Jira projects don't have the Code feature enabled. This really seems like an unacceptable security default - how can any moderately large organisation expect to use this app as it currently seems to work?

There needs to be a way on the Jira side to limit access to the GitHub tools to specific projects. Not all projects will be run by trusted or technically competent users, so relying on every single project administrator to be both technically competent and trusted with full access to the connected GitHub tools is just not sensible. If your Jira org has non-developer users they will have projects that are completely unrelated to development. If you bring external users into your Jira instance there's a good chance you won't want them to have access to development tools. If you want to give e.g. your interns or new staff members their own Jira project(s) to play around with and learn how to use Jira, you probably won't want them to have full access to your GitHub integrations.

StevDa86 commented 8 months ago

I can't believe that these essential security features are being ignored. We also need this restriction, it can't be that just any Jira user can see all repos. This should always be checked with the user permission on the Github site. Only those who have authorization there should be able to see this information in Jira.

z3030967 commented 7 months ago

Agreed, just integrated Jira Cloud with Github Cloud and all users in any project with Developer Tools have the ability to create branches in the Repositories that are synced.

zemirco commented 5 months ago

I totally agree and this is currently blocking our migration to Jira Cloud. Let me provide a few more details to explain our current situation.

  1. We have installed and configured the Jira integration on the GitHub side.

  2. We have also installed the integration on the Jira side.

  3. I'm able to see the same repos on the Jira side that we've selected in step 1.

  4. In my Jira project I've used the Toolchain feature to assign only a single repo to the project.

  5. This single repo also shows up in the Code section of the project.

  6. In my project I now select a backlog item and click on Create Branch.

  7. A new window opens and I can select the repo, the branch from and the branch name.

  8. The problem is that now I'm able to select any repository from the larger list even though I as a user might not even have access. The list is also not limited to the single repo that we've configured in step 4.

Right now we have teams and teams have access to their individual repos. Team Blue has access to blue repos, Team Red has access to red repos, etc. This is all fine and ensures proper security and compliance controls.

The GitHub integration now sits in-between and doesn't act on behalf of the user. The integration has access to all repos and suddenly developers from Team Blue have access to red repos which is a security issue.

I tried to visualize it and I hope that also helps to clarify the situation.


Thank you and if you have any further questions or need additional details I'm happy to help. I would also volunteer to try some various settings or the next release of the integration that might solve this issue.

I see two options

  1. The integration must act on behalf of the user. That way the integration can only see what the user is able to see.
  2. The integration should limit the number of repos to the previously configured list of potential repos for a dedicated Jira project. That way our admins can specify which repos are mapped to which project and our users cannot accidentally create branches in repos that they don't have access to.

zemirco commented 5 months ago

We've done more research and unfortunately I have to confirm our developers were able to create branches in repositories they don't have access to. This is due to the integration not acting on behalf of the user. Please see the official GitHub docs

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-with-a-github-app-on-behalf-of-a-user

Currently the app acts on behalf of the application

https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app-installation

This leads to the very weird situation where our developers created branches via the integration and then clicked on the link to see the branch at GitHub only to see an error message that they don't have access to the repo.

In this screenshot you can see the branch that was created by jira[bot] and not by the user that was logged in while using the integration.


This really is an issue regarding security and compliance especially related to certifications like ISO, SOC 2, etc.
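
The two authentication modes contrasted in the comment above (authenticating as the installation versus on behalf of the user), together with the two fixes proposed in the earlier comment (act on behalf of the user; limit the list to the project's toolchain), as an added Python example that is not part of this thread and not the github-for-jira code. It models GitHub's answers with constructed in-memory tables instead of calling the API; the repositories, users and project keys are invented, and the permission values follow the "permission" field returned by GitHub's GET /repos/{owner}/{repo}/collaborators/{username}/permission endpoint.

```python
from dataclasses import dataclass

# --- Constructed sample data (invented names, not real repositories) ---------

# What the app's installation token can reach: every repository the GitHub App
# was installed on. A request signed with this token is made by the app, and
# GitHub attributes the result to "<app>[bot]", not to any human.
INSTALLATION_REPOS = {"acme/blue-api", "acme/blue-web", "acme/red-core"}

# Per-user access as GitHub reports it in the "permission" field of
# GET /repos/{owner}/{repo}/collaborators/{username}/permission
# ("admin", "write", "read" or "none"). A pair missing from this table means
# the user has no relationship with the repository at all.
USER_REPO_PERMISSION = {
    ("alice", "acme/blue-api"): "write",
    ("alice", "acme/blue-web"): "read",
    ("bob", "acme/red-core"): "admin",
}

# Repositories a Jira admin mapped to each project (the Toolchain list above).
PROJECT_TOOLCHAIN = {
    "BLUE": {"acme/blue-api", "acme/blue-web"},
    "RED": {"acme/red-core"},
}

PUSH_LEVELS = {"write", "admin"}


@dataclass(frozen=True)
class BranchRef:
    repo: str
    ref: str
    author: str


def user_permission(user: str, repo: str) -> str:
    return USER_REPO_PERMISSION.get((user, repo), "none")


def create_branch_as_installation(repo: str, branch: str) -> BranchRef:
    """Behaviour observed in the thread: the integration authenticates as the
    installation, so the only thing checked is whether the app itself can
    reach the repository. Whoever clicked the button is never consulted and
    the branch is authored by the bot. This is the confused-deputy shape:
    broad authority exercised on any caller's request."""
    if repo not in INSTALLATION_REPOS:
        raise PermissionError(f"app is not installed on {repo}")
    return BranchRef(repo, f"refs/heads/{branch}", "jira[bot]")


def create_branch_on_behalf_of(user: str, project: str, repo: str, branch: str) -> BranchRef:
    """Gated variant combining the two proposed fixes: the repository must be
    mapped to the Jira project, and the user must hold push access on GitHub.
    With a user-to-server token GitHub would enforce the second check itself;
    here the integration enforces it before using its own token, which is
    weaker (the integration is still trusted to ask) but closes the path
    shown in the thread."""
    if repo not in PROJECT_TOOLCHAIN.get(project, set()):
        raise PermissionError(f"{repo} is not mapped to Jira project {project}")
    if user_permission(user, repo) not in PUSH_LEVELS:
        raise PermissionError(f"{user} has no push access to {repo}")
    if repo not in INSTALLATION_REPOS:
        raise PermissionError(f"app is not installed on {repo}")
    return BranchRef(repo, f"refs/heads/{branch}", user)


def visible_repos(user: str, project: str) -> list:
    """Repositories to offer in the Create branch dialog: the project's
    toolchain, narrowed to those the user can at least read on GitHub, so the
    dialog does not reveal repositories the user is not allowed to see."""
    return sorted(
        repo for repo in PROJECT_TOOLCHAIN.get(project, set())
        if user_permission(user, repo) != "none"
    )


if __name__ == "__main__":
    # alice is on Team Blue; the ungated call still lets her branch red-core.
    print(create_branch_as_installation("acme/red-core", "feature/RED-9"))
    try:
        create_branch_on_behalf_of("alice", "RED", "acme/red-core", "feature/RED-9")
    except PermissionError as exc:
        print("blocked:", exc)
    print(visible_repos("alice", "BLUE"))
```

Of the two gates, the toolchain mapping is a Jira-side policy a project admin controls, while the permission lookup is only as good as the integration's willingness to perform it; a user-to-server token removes that dependency because GitHub rejects the request itself when the user lacks access, and the resulting branch is attributed to the user rather than to jira[bot], which is also what an audit trail for ISO or SOC 2 purposes needs.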

AlexJ-CA commented 4 months ago

Just installed this app today, and was looking for a way to limit which Jira project can do what in regards to GitHub, but indeed, there is still no way. The best I can do at the moment is to limit which repo can be impacted and instruct the team here to do it from only a specific project. The best I can do at the moment is to remove permissions for "Access development tools" from some permission schemes to at least control which projects can access GitHub.

What would be expected is to have a setting defining which repos a Jira project can access, which in a way could be just what is defined in the Toolchain setup as mentioned above as well.

@mboudreau or anyone in charge of such at Atlassian side, any update you can share?

zemirco commented 4 months ago

I'm now looking at alternatives and I'm currently looking at GitKraken. They solve this problem via Personal Access Tokens.

https://help.gitkraken.com/git-integration-for-jira-cloud/require-personal-access-tokens-for-user-actions-create-branch-pull-request-gij-cloud/