Bamboo: Right of access by the data subject

Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel.  Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products. 

Description

Personal Data (PD) for a specific user can be spread across multiple components of Bamboo. In this article, we'll detail how to locate and access this data, and we'll also provide workarounds for you, to ensure that you can access all personal data for a specific user if required.

Below is a list of key data held by Bamboo versions 6.5 and above, in a default configuration:


Where Bamboo can store PD Storage Location Accessible Via Purpose & additional information
1 Username for authentication purpose Database
  • Database
  • Number of unsuccessful login attempts
  • Password reset token sent to the user
  • Information to support "remember me" feature
2

User permission

Database
  • UI
  • REST API
  • Database
  • Username may be displayed on any bamboo permission screen:
    • global permissions
    • project permissions
    • plan permissions
    • deployment project permissions
3 Repository commit author Database
  • UI
  • REST API
  • Database
  • Commits and their authors
  • Source of this data is an external source code repository
  • It's stored in a database for various features (most importantly, to show what was build by a job which is within the deployment version release, set failed build responsible person)
  • It's retrieved and cached by the server during plan change detection
  • It's retrieved and cached by an agent during checkout task within a job
4 Result comments author Database
  • UI
  • REST API
  • Database
  • Users may add comments to build results
  • Author of comment is stored and displayed to others who have the view access to this result.
5 User responsible Database
  • UI
  • Database
  • It's a build result property
  • It tracks which user is responsible for build failure
  • It is set automatically based on commit author, can also be set/changed manually
6 Favorite builds Database
  • Database
  • Favourite builds are kept in the database ordered by username
  • From UI, a user can see only their favorite builds
  • SQL database can retrieve usernames
7 Approver of deployment version Database
  • UI
  • REST API
  • Database
  • Deployment version can be approved by a user.
8 Lucene Documents Filesystem
  • Filesystem
  • Whenever any domain object is created or modified in Bamboo, Lucene documents are created; these documents contain the contents from the fields of that object.
  • Here are examples of domain objects: plan, result, deployment project, deployment version, environment, release.
  • Here are examples of fields that are put into Lucene: name and description of an object, label name, repository commit id, artifact link, custom build data, trigger reason etc.
  • More information in https://confluence.atlassian.com/bamboo/reindexing-data-289277251.html.
9 Artifacts Filesystem
  • UI
  • REST API
  • Filesystem
10

Application Logs

  • ${bamboo_home}/log/*
  • access_log
  • catalina.out
Filesystem
  • Filesystem
  • Logs various aspects of Bamboo operations for troubleshooting purposes.
  • May contain any arbitrary information, including user information.
11

Agent logs

  • atlassian-bamboo-agent.log
  • atlassian-bamboo.log
  • bamboo-elastic-agent.out
Filesystem
  • UI
  • Filesystem
  • Logs various aspects of Bamboo agent operations for troubleshooting purposes.
  • May contain any arbitrary information, including user information.
12 Build logs Filesystem
  • UI
  • Filesystem
  • They are part of build result product produced during a build.
  • May contain any arbitrary information, including user information.
13 Audit Logs Database
  • UI
  • REST API
  • Database
14 Backups Filesystem
  • Filesystem
15 Support Zips Filesystem
  • Filesystem
  • Collects configuration information from Bamboo and various logs for transmission to Atlassian Support.
  • Logs may contain personal data.
  • More information in Create a Support Zip.
16 Emails

Database

Mail Server

Client Systems

  • Database
  • External Systems
  • Notifications to users about finishing builds, failing builds, adding comments to results, changing people responsible for results failing.
  • Notifications are pluggable, so third-party plugins may change this behavior.
  • Notifications may include any arbitrary information, including personal data.
  • Emails are stored internally in Bamboo, and contents will be stored on the email server and/or email clients.
17 IM

Database

IM Server

Client Systems

  • Database
  • External Systems
  • Notifications to users about finishing builds, failing builds, adding comments to results, changing people responsible for results failing.
  • Notifications are pluggable, so third-party plugins may change this behavior
  • Notifications may include any arbitrary information, including personal data.
  • IM addresses are stored internally in Bamboo, and contents will be stored on the IM server and/or IM clients.
18 Avatars

External Systems (Gravatar)

  • External Systems
  • Avatar is displayed in Bamboo through Gravatar service
  • Bamboo Server is not storing avatar - it's handled directly with user browser
19 User Profile Database
  • Database
  • Stores user details including username, full name, email address.
20 Application Cache

Memory

Filesystem

  • Filesystem
  • Memory
  • Store data in memory to speed-up lookups (no expensive DB access needed)
  • Server restart will clean/refresh this data
21 Plugins / Integrations

Database

Filesystem

Other

  • UI
  • REST API
  • Different type of plugins - any functionality can be implemented within a plugin.
  • It must be analysed case by case basis
22 Group names

Database

External directory

  • UI
  • REST API
  • Used for categorizing users. There is a possibility to store PD in group names if e.g. group name contains a reference to religion/race/gender and there are some uses assigned to that group.
23 Dashboards Database
  • UI
  • Reason of the build contains full username for most build triggers
24 Bamboo reports Database
  • UI
  • Usually reports show time or numbers in the aggregated form
  • Third-arty reports can for example aggregate data by user etc.

Version Compatibility

All workarounds are compatible with Bamboo 6.5 and later.

Workaround

Steps presented below should be repeated after any new PD is found as any PD can be used to discover more PD.

PD in "structured" data

Obtain PD from a User profile

Handling profile data

Before you begin

You must have global administrator permission to be able to manage users in Bamboo applications.

  1. Select  User Management.
  2. Find the user in the user list using the filter form at the top of the page.
  3. Access the user details.
  4. Store data from "User details" section for later usage (e.g. in additional SQL queries on a database):
    1. Username
    2. Full name
    3. Email

PD in "free-form text" data fields

Dealing with free-form text fields


  1. You have to modify the provided SQL file - replace <OLD_VALUE> to the PD that you are searching for.
  2. Execute script from the SQL file manually, table by table. Each table description should contain additional information on the purpose of the table

PD in Logs

An administrator can filter access logs by username for IP addresses
Bamboo - Right to be forgotten - Server logs

PD in backups

Note, some PD will remain in backup logs for the entireity of the time that the backup log is kept.

Limitations

  • PD stored inside artifacts or attachments cannot be found using the above steps as we have no way of knowing what is stored inside each artifact or attachment file.
  • Access to database is required
  • Data could be stored inside third party plugins and not discovered via querying DB (plugin tables are not included in sql scripts provided on this page)

Article 25 of the GDPR sets forth the principle of data protection by design and by default. This is a broad principle with varying meaning and application depending on the context and type of personal data being processed. This principle is unique to each organization, and should always be evaluated with the assistance of legal counsel to determine all efforts required to comply. These efforts may include ensuring certain third party applications you use to process personal data are configured to default to the most privacy-friendly settings available whenever personal data is input. Below is a summary of relevant settings and configurations available through certain Atlassian products, and a discussion of any limitations. 

Last modified on Jun 29, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.