Fisheye and Crucible: Right of access by the data subject

Introduction

Under Article 15 of the GDPR, individuals have the right to understand what personal data is being processed about them and the lawfulness of the processing. The GDPR requires that you take reasonable steps to provide this information to the individual, where requested. Whether or not you need to provide the individual with access to personal data stored within the product and the lawfulness of the processing will vary on a case-by-case basis, and is a determination you should always make with the assistance of legal counsel.  Once you have determined you have an obligation to provide an individual with access to personal data processed through the product, we have provided the following instructions on how to do so within certain Atlassian products. 


Version compatibility

All workarounds are compatible with Fisheye and Crucible 4.1 and later.


Description

The information on this page describes how and where personal data is processed within Fisheye and Crucible. 

Data storage

SQL database

Fisheye and Crucible uses HSQL, MS SQL, MySQL, Oracle or Postgres database.

Database location

You can find the database location in Administration > Database > URL. This location is stored in $FISHEYE_INST/config.xml file.

Personal data storage in SQL database

Table Column Personal data Editable by user? How to modify by admin How the personal data is used within the product
cru_base_star_model

cru_user_name

user name Yes. Go to User > Profile settings > Watches and remove all watches. Please follow the steps in Fisheye and Crucible Server: Right to Erasure. User can watch items from Fisheye and Crucible, so they get informed about any updates.
cru_recently_visited cru_user_name user name No User gets direct links to the items that were recently viewed by them.
cru_committer_user_mapping cru_committer_name user name Yes. Go to User > Profile settings > Author mapping > Delete. User is mapped with the author of revision from repository. Information about user will be displayed, instead of information obtained from repository.
cru_committer_user_mapping cru_user_name user name
cru_revision cru_author_name user name No User is displayed as the revision author in Crucible review.
cru_user cru_user_name user name No

Display information about user and identify their activity in the product. Email is also used to send messages about current activity.

cwd_application_alias

user_name

lower_user_name

user name No

An ability to modify the data via Fisheye and Crucible UI depends on whether an internal or external user directory is used. In order to check which directories are being used, go to Administration > User Directories.

When the internal directory is used, you can edit user data via Administration > Users. Use Edit user, Delete user or ... > Rename actions.

Where an external directory is used, edit user data in that directory first, then perform a directory synchronisation. You can force a refresh via Administration > User Directories > Synchronize.

In order to update data that's not visible in the UI, follow the steps in Fisheye and Crucible Server: Right to Erasure.

cwd_expirable_user_token user_name user name No
cwd_expirable_user_token

email_address

email No
cwd_membership

child_name

lower_child_name

user name No
cwd_user

first_name

lower_first_name

first name

No

cwd_user

last_name

lower_last_name

last name No
cwd_user

display_name

lower_display_name

display name Yes/No. User > Profile settings
cwd_user

email_address

lower_email_address

email Yes/No. User > Profile settings
cwd_user

user_name

lower_user_name

user name No


InfinityDB databases

Fisheye and Crucible persists indexed repository data in a proprietary InfinityDB database by BoilerBay. This is an EAV (Entity-Value-Attribute) store in proprietary format, accessible only via InfinityDB API (bundled with Fisheye and Crucible) code.

Database location

$FISHEYE_INST/var/cache/<repository name>/revcache/data.bin

Personal data storage in InfinityDB database

Entity type Personal data Editable by user? How to modify by admin How the personal data is used within the product
E102 (E_AUTHOR_TO_REVID) commit author No

Fisheye mirrors information from source code repositories. Therefore, these repositories must be cleaned of personal data first, in order to remove them from Fisheye.

(warning) Re-importing and re-indexing repositories may be a costly and lengthy operation.

Code history may be treated as an audit log and be excluded from Article 17 of the GDPR.

Please read Fisheye and Crucible: Right to erasure for more details.

To provide the history of indexed repository.
E100 A4 (RevInfo.A_AUTHOR) commit author No
E202 A3 (ChangeSetInfo.A_AUTHOR) commit author No


Repository clones

Fisheye and Crucible clones some types of repositories (Git, Mercurial) for faster access and better indexing performance. 

Repository location

$FISHEYE_INST/var/cache/<repository-name>/clone

Personal data storage in repository clones

Entity type

Personal data

Editable by user?

How to modify by admin

How the personal data is used within the product
commit metadata

commit author, usually name, surname or nickname and author email

No

The repository would have to be rewritten (to remove personal data) and re-cloned in Fisheye.

Please read Fisheye and Crucible: Right to erasure for more details.

To provide better performance. All information is also stored in the InfinityDB described above.

Lucene indexes

Fisheye and Crucible uses a Lucene library to index repositories and code reviews for faster search operations.

Per-repository index location

$FISHEYE_INST/var/cache/<repository name>/idx1

$FISHEYE_INST/var/cache/<repository name>/idx2

Personal data storage in repository index

Entity type

Personal data

Editable by user?

How to modify by admin

How the personal data is used within the product
commit metadata

commit author, usually name, surname or nickname and author email

No

The repository would have to be rewritten (to remove personal data), re-cloned and fully re-indexed in Fisheye.

Please read Fisheye and Crucible: Right to erasure for more details.

To search content related to the user.

Global cross-repository index

Location

$FISHEYE_INST/cache/globalfe

Personal data storage in global cross-repository index

Entity type

Personal data

Editable by user?

How to modify by admin

How the personal data is used within the product
commit metadata

commit author, usually name, surname or nickname and author email

No

The repository would have to be rewritten (to remove personal data), re-cloned and fully reindexed in Fisheye. See Fisheye and Crucible: Right to erasure for more details.

To search content related to the user.

Global Crucible index

Location

$FISHEYE_INST/cache/cruidx

Personal data storage in global Crucible index

Entity type Personal data Editable by user? How to modify by admin How the personal data is used within the product

ReviewItem

user name of: review author, creator, moderator, reviewers, participants

No

Please follows the steps in Fisheye and Crucible Server: Right to Erasure.

To search content related to the user.

CommentItem

user name of comment author No

StateChangeItem

user name of state change author No

CompletionItem

user name of completion author No

ReviewerJoinItem

user name of join author/reviewer No

User directories

Fisheye and Crucible allows user management in an internal user directory and/or to connect to an external directory, such as Crowd, Jira, LDAP or Microsoft Active Directory. 

Location and content

Personal Data is kept in cwd_* tables, see SQL database section for more details.

File system

Personal data storage in file system

Entity type

Location

Personal data

Editable by user?

How to modify by admin

How the personal data is used within the product
Avatar file $FISHEYE_INST/var/data/avatars user photo Yes. Navigate to Profile settings > Profile and email > Profile picture. Please read Fisheye and Crucible Server: Right to Erasure for more details. To help identify the user in the application.
Application logs $FISHEYE_INST/var/logs user name No Delete log files. To provide the history of server activity.
File attached to a code review

$FISHEYE_INST/var/data/uploads

unknown No

Users can attach files to code reviews with any content.

Review and delete those files containing personal data.

Part of Crucible functionality to create reviews.
Backup files $FISHEYE_INST/backup those described in previous sections No

There is no way of editing backup files to remove personal data from them.

We recommend defining a policy for storing backups. Please read Fisheye and Crucible Server: Right to Erasure for more details.

To restore historical data.


Data import

Fisheye and Crucible imports data that may include personal data, from a number of sources:

Data use

Fisheye and Crucible use personal data, in order to provide functionality like:

  • presenting an author of a given change in the source code repository in various contexts: 
    • repository browser
    • repository commit history
    • search dialogs
    • repository reports
    • file history
    • file blame
  • user collaboration while performing a code review, for example:
    • being an author, moderator or reviewer
    • commenting on the review
    • tracking of time spent on a code review
  • executing actions on behalf of users, for example:
    • transitioning Jira issues via smart commits
    • creating Crucible code reviews via smart commits
  • showing people's statistics, such as:
    • number of commits in given repository
    • number of lines added / removed
  • presenting user profile (a photo, display name, email, user's activity)

Data export

Fisheye and Crucible allows you to export data (including personal data) in a number of ways:

Limitations

Fisheye and Crucible allows user management through external services (for example, Crowd, Jira, LDAP or Microsoft Active Directory). Personal data can also be obtained from the indexed repositories. You'll need to make any edits or deletions of personal data within the external system. 

Steps to delete personal data are covered in Fisheye and Crucible: Right to erasure.


Additional notes

There may be limitations based on your product version.

Note, the above-related GDPR workaround has been optimized for the latest version of this product. If you are running on a legacy version of the product, the efficacy of the workaround may be limited. Please consider upgrading to the latest product version to optimize the workarounds available under this article.

Third-party add-ons may store personal data in their own database tables or on the filesystem.

The above article in support of your GDPR compliance efforts applies only to personal data stored within the Atlassian server and data center products. To the extent you have installed third-party add-ons within your server or data center environment, you will need to contact that third-party add-on provider to understand what personal data from your server or data center environment they may access, transfer or otherwise process and how they will support your GDPR compliance efforts.

If you are a server or data center customer, Atlassian does not access, store, or otherwise process the personal data you choose to store within the products. For information about personal data Atlassian processes, see our Privacy Policy.

Last modified on May 11, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.