Bamboo: Right of access by the data subject
Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel. Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products.
Description
Personal Data (PD) for a specific user can be spread across multiple components of Bamboo. In this article, we'll detail how to locate and access this data, and we'll also provide workarounds for you, to ensure that you can access all personal data for a specific user if required.
Below is a list of key data held by Bamboo versions 6.5 and above, in a default configuration:
Where Bamboo can store PD | Storage Location | Accessible Via | Purpose & additional information | |
---|---|---|---|---|
1 | Username for authentication purpose | Database |
|
|
2 | User permission | Database |
|
|
3 | Repository commit author | Database |
|
|
4 | Result comments author | Database |
|
|
5 | User responsible | Database |
|
|
6 | Favorite builds | Database |
|
|
7 | Approver of deployment version | Database |
|
|
8 | Lucene Documents | Filesystem |
|
|
9 | Artifacts | Filesystem |
|
|
10 | Application Logs
| Filesystem |
|
|
11 | Agent logs
| Filesystem |
|
|
12 | Build logs | Filesystem |
|
|
13 | Audit Logs | Database |
|
|
14 | Backups | Filesystem |
|
|
15 | Support Zips | Filesystem |
|
|
16 | Emails | Database Mail Server Client Systems |
|
|
17 | IM | Database IM Server Client Systems |
|
|
18 | Avatars | External Systems (Gravatar) |
|
|
19 | User Profile | Database |
|
|
20 | Application Cache | Memory Filesystem |
|
|
21 | Plugins / Integrations | Database Filesystem Other |
|
|
22 | Group names | Database External directory |
|
|
23 | Dashboards | Database |
|
|
24 | Bamboo reports | Database |
|
|
Version Compatibility
All workarounds are compatible with Bamboo 6.5 and later.
Workaround
Steps presented below should be repeated after any new PD is found as any PD can be used to discover more PD.
PD in "structured" data
Obtain PD from a User profile
Before you begin
You must have global administrator permission to be able to manage users in Bamboo applications.
- Select > User Management.
- Find the user in the user list using the filter form at the top of the page.
- Access the user details.
- Store data from "User details" section for later usage (e.g. in additional SQL queries on a database):
- Username
- Full name
PD in "free-form text" data fields
Dealing with free-form text fields:
- You have to modify the provided SQL file - replace <OLD_VALUE> to the PD that you are searching for.
Execute script from the SQL file manually, table by table. Each table description should contain additional information on the purpose of the table
PD in Logs
An administrator can filter access logs by username for IP addresses
Bamboo - Right to be forgotten - Server logs
PD in backups
Note, some PD will remain in backup logs for the entireity of the time that the backup log is kept.
Limitations
- PD stored inside artifacts or attachments cannot be found using the above steps as we have no way of knowing what is stored inside each artifact or attachment file.
- Access to database is required
- Data could be stored inside third party plugins and not discovered via querying DB (plugin tables are not included in sql scripts provided on this page)
Article 25 of the GDPR sets forth the principle of data protection by design and by default. This is a broad principle with varying meaning and application depending on the context and type of personal data being processed. This principle is unique to each organization, and should always be evaluated with the assistance of legal counsel to determine all efforts required to comply. These efforts may include ensuring certain third party applications you use to process personal data are configured to default to the most privacy-friendly settings available whenever personal data is input. Below is a summary of relevant settings and configurations available through certain Atlassian products, and a discussion of any limitations.