Crowd: Right of access by the data subject

Introduction

Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel.  Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products. 

Description

Crowd processes user information in order to deliver its main functionalities – user management and single sign-on.

Version compatibility

All workarounds are compatible with Crowd 3.2 and later.

Workaround

Administrators need to configure Crowd to allow users to log in and view personal data on their profile page.

Please read Granting Crowd User Rights to a User and follow the steps on how to authorize users to access Crowd.

Crowd audit log information

This information isn't accessible to users in the product, but Crowd administrators can retrieve all entries in the Crowd audit log for a specific user by using the following REST API:

How to get entries where the user is the author

curl '<CROWD BASE URL>/rest/admin/latest/auditlog/query' -u '<ADMIN USERNAME>:<ADMIN PASSWORD>' \
-H 'content-type: application/json' -H 'accept: application/json' \
--data-binary '{"authors":[{"id":<USER DATABASE ID>,"type":"USER"}]}'

How to get entries where the user is the subject

curl '<CROWD BASE URL>/rest/admin/latest/auditlog/query' -u '<ADMIN USERNAME>:<ADMIN PASSWORD>' \
-H 'content-type: application/json' -H 'accept: application/json' \
--data-binary '{"users":[{"id":<USER DATABASE ID>}]}'

Where <CROWD BASE URL> is the base URL of your Crowd instance, <ADMIN USERNAME> and <ADMIN PASSWORD> are Crowd administrator credentials, and <USER DATABASE ID> is the numeric identifier of the user in the Crowd database.

Please read Crowd REST API Reference for more information on querying the audit log. 
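
An added example, not part of Atlassian's article: a shell wrapper around the two queries above that validates the user database ID before it goes into the JSON body and lets curl prompt for the administrator password instead of taking it on the command line. The names CROWD_BASE_URL and CROWD_ADMIN and the function names are assumptions; responses are saved exactly as returned, since this page does not describe their format.

```shell
#!/bin/sh
# Added example (not Atlassian's code). Assumed names: CROWD_BASE_URL,
# CROWD_ADMIN, and every function name below.

# Accept only a plain decimal number without leading zeros, so nothing else
# can be spliced into the JSON request body.
require_numeric_id() {
    case "$1" in
        ''|*[!0-9]*|0?*) echo "user database id must be numeric: '$1'" >&2; return 1 ;;
    esac
}

# Request body for entries where the user is the author (shape from the page).
author_query() {
    require_numeric_id "$1" || return 1
    printf '{"authors":[{"id":%s,"type":"USER"}]}' "$1"
}

# Request body for entries where the user is the subject (shape from the page).
subject_query() {
    require_numeric_id "$1" || return 1
    printf '{"users":[{"id":%s}]}' "$1"
}

# POST one query body ($1) and write the raw response to file $2.
# -u with a user name only makes curl prompt for the password, which keeps it
# out of shell history and the process list.
post_audit_query() {
    curl --fail \
        "${CROWD_BASE_URL:?set CROWD_BASE_URL}/rest/admin/latest/auditlog/query" \
        -u "${CROWD_ADMIN:?set CROWD_ADMIN}" \
        -H 'content-type: application/json' -H 'accept: application/json' \
        --data-binary "$1" -o "$2"
}

# Export both views for user id $1 into directory $2 (default: current dir).
# The body runs in a subshell so the umask change does not leak to the caller.
export_user_audit() (
    out="${2:-.}"
    umask 077   # responses contain personal data: owner-only files
    body=$(author_query "$1") || exit 1
    post_audit_query "$body" "$out/auditlog-author-$1.json" || exit 1
    body=$(subject_query "$1") || exit 1
    post_audit_query "$body" "$out/auditlog-subject-$1.json"
)
```

Source the file, set CROWD_BASE_URL and CROWD_ADMIN, then run export_user_audit with the user's database ID; curl asks for the administrator password once per request.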

Additional notes

There may be limitations based on your product version.

Note that the GDPR workaround above has been optimized for the latest version of this product. If you are running a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on Nov 13, 2018
