Fisheye and Crucible: Right of access by the data subject
Introduction
Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel. Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products.
Version compatibility
All workarounds are compatible with Fisheye and Crucible 4.1 and later.
Description
The information on this page describes how and where personal data is processed within Fisheye and Crucible.
Data storage
SQL database
Fisheye and Crucible uses HSQL, MS SQL, MySQL, Oracle or Postgres database.
Database location
You can find the database location in Administration > Database > URL. This location is stored in $FISHEYE_INST/config.xml file.
Personal data storage in SQL database
| Table | Column | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|---|
| cru_base_star_model | cru_user_name | user name | Yes. Go to User > Profile settings > Watches and remove all watches. | Please follow the steps in Fisheye and Crucible: Right to erasure. | User can watch items from Fisheye and Crucible, so they get informed about any updates. |
| cru_recently_visited | cru_user_name | user name | No | User gets direct links to the items that were recently viewed by them. | |
| cru_committer_user_mapping | cru_committer_name | user name | Yes. Go to User > Profile settings > Author mapping > Delete. | User is mapped with the author of revision from repository. Information about user will be displayed, instead of information obtained from repository. | |
| cru_committer_user_mapping | cru_user_name | user name | |||
| cru_revision | cru_author_name | user name | No | User is displayed as the revision author in Crucible review. | |
| cru_user | cru_user_name | user name | No | Display information about user and identify their activity in the product. Email is also used to send messages about current activity. | |
| cwd_application_alias | user_name lower_user_name | user name | No | An ability to modify the data via Fisheye and Crucible UI depends on whether an internal or external user directory is used. In order to check which directories are being used, go to Administration > User Directories. When the internal directory is used, you can edit user data via Administration > Users. Use Edit user, Delete user or ... > Rename actions. Where an external directory is used, edit user data in that directory first, then perform a directory synchronisation. You can force a refresh via Administration > User Directories > Synchronize. In order to update data that's not visible in the UI, follow the steps in Fisheye and Crucible: Right to erasure. | |
| cwd_expirable_user_token | user_name | user name | No | ||
| cwd_expirable_user_token | email_address | No | |||
| cwd_membership | child_name lower_child_name | user name | No | ||
| cwd_user | first_name lower_first_name | first name | No | ||
| cwd_user | last_name lower_last_name | last name | No | ||
| cwd_user | display_name lower_display_name | display name | Yes/No. User > Profile settings | ||
| cwd_user | email_address lower_email_address | Yes/No. User > Profile settings | |||
| cwd_user | user_name lower_user_name | user name | No |
InfinityDB databases
Fisheye and Crucible persists indexed repository data in a proprietary InfinityDB database by BoilerBay. This is an EAV (Entity-Value-Attribute) store in proprietary format, accessible only via InfinityDB API (bundled with Fisheye and Crucible) code.
Database location
$FISHEYE_INST/var/cache/<repository name>/revcache/data.bin
Personal data storage in InfinityDB database
| Entity type | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|
| E102 (E_AUTHOR_TO_REVID) | commit author | No | Fisheye mirrors information from source code repositories. Therefore, these repositories must be cleaned of personal data first, in order to remove them from Fisheye.
Code history may be treated as an audit log and be excluded from Article 17 of the GDPR. Please read Fisheye and Crucible: Right to erasure for more details. | To provide the history of indexed repository. |
| E100 A4 (RevInfo.A_AUTHOR) | commit author | No | ||
| E202 A3 (ChangeSetInfo.A_AUTHOR) | commit author | No |
Re-importing and re-indexing repositories may be a costly and lengthy operation.Repository clones
Fisheye and Crucible clones some types of repositories (Git, Mercurial) for faster access and better indexing performance.
Repository location
$FISHEYE_INST/var/cache/<repository-name>/clone
Personal data storage in repository clones
Entity type | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|
| commit metadata | commit author, usually name, surname or nickname and author email | No | The repository would have to be rewritten (to remove personal data) and re-cloned in Fisheye. Please read Fisheye and Crucible: Right to erasure for more details. | To provide better performance. All information is also stored in the InfinityDB described above. |
Lucene indexes
Fisheye and Crucible uses a Lucene library to index repositories and code reviews for faster search operations.
Per-repository index location
$FISHEYE_INST/var/cache/<repository name>/idx1
$FISHEYE_INST/var/cache/<repository name>/idx2
Personal data storage in repository index
Entity type | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|
| commit metadata | commit author, usually name, surname or nickname and author email | No | The repository would have to be rewritten (to remove personal data), re-cloned and fully re-indexed in Fisheye. Please read Fisheye and Crucible: Right to erasure for more details. | To search content related to the user. |
Global cross-repository index
Location
$FISHEYE_INST/cache/globalfe
Personal data storage in global cross-repository index
Entity type | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|
| commit metadata | commit author, usually name, surname or nickname and author email | No | The repository would have to be rewritten (to remove personal data), re-cloned and fully reindexed in Fisheye. See Fisheye and Crucible: Right to erasure for more details. | To search content related to the user. |
Global Crucible index
Location
$FISHEYE_INST/cache/cruidx
Personal data storage in global Crucible index
| Entity type | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|
ReviewItem | user name of: review author, creator, moderator, reviewers, participants | No | Please follows the steps in Fisheye and Crucible: Right to erasure. | To search content related to the user. |
CommentItem | user name of comment author | No | ||
StateChangeItem | user name of state change author | No | ||
CompletionItem | user name of completion author | No | ||
ReviewerJoinItem | user name of join author/reviewer | No |
User directories
Fisheye and Crucible allows user management in an internal user directory and/or to connect to an external directory, such as Crowd, Jira, LDAP or Microsoft Active Directory.
Location and content
Personal Data is kept in cwd_* tables, see SQL database section for more details.
File system
Personal data storage in file system
Entity type | Location | Personal data | Editable by user? | How to modify by admin | How the personal data is used within the product |
|---|---|---|---|---|---|
| Avatar file | $FISHEYE_INST/var/data/avatars | user photo | Yes. Navigate to Profile settings > Profile and email > Profile picture. | Please read Fisheye and Crucible: Right to erasure for more details. | To help identify the user in the application. |
| Application logs | $FISHEYE_INST/var/logs | user name | No | Delete log files. | To provide the history of server activity. |
| File attached to a code review | $FISHEYE_INST/var/data/uploads | unknown | No | Users can attach files to code reviews with any content. Review and delete those files containing personal data. | Part of Crucible functionality to create reviews. |
| Backup files | $FISHEYE_INST/backup | those described in previous sections | No | There is no way of editing backup files to remove personal data from them. We recommend defining a policy for storing backups. Please read Fisheye and Crucible: Right to erasure for more details. | To restore historical data. |
Data import
Fisheye and Crucible imports data that may include personal data, from a number of sources:
Data use
Fisheye and Crucible use personal data, in order to provide functionality like:
- presenting an author of a given change in the source code repository in various contexts:
- repository browser
- repository commit history
- search dialogs
- repository reports
- file history
- file blame
- user collaboration while performing a code review, for example:
- being an author, moderator or reviewer
- commenting on the review
- tracking of time spent on a code review
- executing actions on behalf of users, for example:
- transitioning Jira issues via smart commits
- creating Crucible code reviews via smart commits
- showing people's statistics, such as:
- number of commits in given repository
- number of lines added / removed
- presenting user profile (a photo, display name, email, user's activity)
Data export
Fisheye and Crucible allows you to export data (including personal data) in a number of ways:
- repository web hooks
- smart commits
- application links
- Java API
- REST API
- RSS Feeds
- repository activity
- user activity
- project activity
Limitations
Fisheye and Crucible allows user management through external services (for example, Crowd, Jira, LDAP or Microsoft Active Directory). Personal data can also be obtained from the indexed repositories. You'll need to make any edits or deletions of personal data within the external system.
Steps to delete personal data are covered in Fisheye and Crucible: Right to erasure.
Additional notes
There may be limitations based on your product version.
Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.
Third-party add-ons may store personal data in their own database tables or on the filesystem.
The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.
If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.