New Preview Permissions

DanielS · ‎01 Jun 2023

Sometime between versions 1.258 and 1.267, the preview functionality in auto-tagging now requires different permissions, I couldn't find in the documentation when this change was implemented.

Prior to this, we had a major headache when the permission to close issues changed to the configuration role of change-monitoring-settings.

Please, these permission changes are a big problem for some of us because we have a strict security strategy in place and many users start calling to get back what they had before and the impact is not as easy as giving them more permissions. Again I would love to have the option to set this feature as optional and not required or not.

The true delight is in the finding out rather than in the knowing.

ChadTurner · ‎01 Jun 2023

Cant agree more

-Chad

michael_k · ‎02 Jun 2023

Hi @DanielS!

This change was introduced with version 1.259 and was a security bug fix. With the transition of the current shape of the auto-tagging settings page in version 1.245, the option was introduced to delegate access to non-admins. This meant that the page could be made accessible to users that don't have full environment-view permissions (which is implied for the blanket "change monitoring settings" permission). So while this is not extremely sensitive in many cases, users with few privileges could have potentially seen more (as in entities) of the environment than they were intended to.

Regrettably, the prepared release notes were not added to the published notes due to an internal process issue. While the root cause has been fixed already, this ticket was not correctly added to the already published information. We're, of course, amending the release notes for version 1.259 soon.

I hope this sheds some light on why the change was introduced - my apologies if this caused issues for you.