
Jira Connector - Security Risk with Bi-Directional and Manual Push workflow options


When a bi-directional or manual push workflow is created in the Jira Connector, the connector does not respect Jira licensing or permissions. The connector only verifies that the user creating the workflow and, when run against a smartsheet, the smartsheet owner have Jira access.

This creates a very large security risk and a corrupted audit trail. With this connector, smartsheet users without a Jira license are able to update and modify Jira tickets and data.

Example 1:

I create a smartsheet and set up a bi-directional workflow connector. Along with my smartsheet access, I have a Jira license and permissions within the project the smartsheet is referencing.

I then grant edit access to my smartsheet to Jane. Jane has access to my smartsheet but does not have a Jira license and does not have any permissions within Jira.

Jane updates the data in the smartsheet.

The connector updates all changes made by Jane against the Jira tickets, despite the fact that Jane does not have a Jira license or any permissions within Jira.


Example 2:

I create a smartsheet and set up a bi-directional workflow connector. Along with my smartsheet access, I have a Jira license and permissions within the project the smartsheet is referencing.

I then grant edit access to my smartsheet to John. John has access to the smartsheet. John has a Jira license, but John does not have any permissions within the Jira project the smartsheet is referencing.

John updates the data in the smartsheet.

The connector updates all changes made by John in the Jira tickets, despite the fact that John does not have any permissions within the Jira project to update tickets.


This also leads to a corrupt audit trail as all updates via the Jira Connector come into Jira under the user name of the person who owns the smartsheet and not the actual editor of the data.


There are two ways to mitigate this issue:

  1. Smartsheet updates the Jira Connector to verify that the user editing the smartsheet has Jira access and Jira project permissions.
  2. Smartsheet updates the Jira Connector to allow admins to disable the Bi-Directional and Manual Push workflow options.


2 votes

Idea Submitted
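The per-editor check that mitigation option 1 asks for, as an added example that is not part of the original post or of Smartsheet's connector. It assumes constructed license and project-permission data (the sheet owner "alice", plus "jane" and "john" from the two examples) standing in for the real Jira lookups, and shows the push being gated on the editor's rights and attributed to the editor rather than the sheet owner.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (assumption: the connector can look these up per editor).
# "alice" owns the sheet and created the workflow; "jane" and "john" are the
# editors from Example 1 and Example 2 respectively.
JIRA_LICENSED = {"alice", "john"}
PROJECT_PERMISSIONS = {
    "PROJ": {
        "alice": {"BROWSE_PROJECTS", "EDIT_ISSUES"},
        "john": set(),  # licensed, but no permissions in this project
    }
}


@dataclass
class PushDecision:
    allowed: bool
    actor: str   # the user a Jira update would be attributed to
    reason: str


def authorize_push(editor: str, project: str, required: str = "EDIT_ISSUES") -> PushDecision:
    """Gate a bi-directional or manual push on the editor's own Jira rights."""
    if editor not in JIRA_LICENSED:
        return PushDecision(False, editor, "editor has no Jira license")
    perms = PROJECT_PERMISSIONS.get(project, {}).get(editor, set())
    if required not in perms:
        return PushDecision(False, editor, f"editor lacks {required} on {project}")
    return PushDecision(True, editor, "editor authorized")


def process_sheet_edit(editor: str, owner: str, project: str,
                       issue_key: str, field_name: str, value: str) -> dict:
    """Return the audit entry a hardened connector would write for one sheet edit.

    The edit is pushed only if the editor passes authorize_push, and the Jira
    actor is the editor, never the sheet owner, so the audit trail stays intact.
    """
    decision = authorize_push(editor, project)
    jira_actor: Optional[str] = decision.actor if decision.allowed else None
    return {
        "issue": issue_key, "field": field_name, "value": value,
        "editor": editor, "sheet_owner": owner,
        "pushed": decision.allowed, "jira_actor": jira_actor,
        "reason": decision.reason,
    }
```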

Comments

  • Shawn Reed

    The scenarios described are purely the burden of the person building the connection between Jira and Smartsheet. If you allow users more access in Smartsheet than is enabled in Jira, then don't connect those data points in the way you describe. Use another method; allow access to both or make them view only in Smartsheet. These two applications work together supporting each other with no intent or claims to enforce authentication.

    -Shawn