Bulk change public access for filters/ boards/ dashboards
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Before performing any of the operations described in this article, it is highly recommended to perform a backup.
As advised in https://support.atlassian.com/migration/docs/jira-pre-migration-checklist/, it is recommended to restrict public access on the on-premise instance when preparing for a migration to the cloud.
This page provides an alternative to the well-known manual workaround, introducing workarounds for bulk removing public access for filters, boards, and dashboards. This can be especially useful when an instance has multiple entities in this situation before migrating to Atlassian Cloud.
Below is a list of bugs/feature requests directly associated with the Bulk operation:
- JRASERVER-47671 - Bulk Update JIRA Filter's "Shared With" Configuration
- JRASERVER-65489 - Bulk edit filter sharing/permissions
Bulk change public access for filters/ boards
1. Replace with “loggedin” permission ( database approach)
The best approach to change public access for filters to “loggedin” users is to actually change it in bulk directly in the database, because choosing the REST API approach for this specific type of permission (loggedin) will overwrite all the other permissions ( including “Edit” permission). By performing the below queries, the “View” permission set to “Anyone on the web” will be removed and replaced with a permission to view only for logged in users.
Boards inherit the filter’s permission, so by changing the filter’s view permission, the board will also be fixed.
Solution:
Jira keeps permission caches and as there is no way of clearing Jira cache from UI, this solution will require restart, as restart is currently the only way of clearing the cache.
JRASERVER-66095 - Getting issue details... STATUS
Take a backup of your Jira instance in your preferred method of backup ( XML or database);
Stop Jira;
Execute the below update query ( query syntax applicable to all supported database types):
UPDATE sharepermissions SET sharetype='loggedin' WHERE sharetype='global' AND entitytype='SearchRequest';
Start Jira;
2. Replace the global permission and grant “View” permission to one or multiple project/ groups via script
In cases where the migrator does not want to change the public permissions to logged in, the following script can be used to bulk update the “View” permission to one or more groups/ projects:
The script uses REST API calls to perform the operations.
The pair username/ password is encoded ( base64) when the request is made to improve security.
It utilises a logger to log the execution
Download the below script:
bulk_update_filters_permission.zip
The script works as follows:
Grabs input from migrator;
For each of the filters in the filters.csv file, script will first check if it has global permission and then remove it using a DELETE call to this endpoint . Based on migrator’s input, will add the requested permission/s via POST to this endpoint
The script will log the “execution.log” file that will contain the log of the complete execution.
Solution:
To execute the script, we will need the desired filters ids from the database. Execute the below query and save the output in a csv file called “filters.csv” ( comma delimited ) . Make sure to export the file in the same directory as the script;
The following example will generate the ids of all the filters being “shared with anyone on the web”:
SELECT DISTINCT(entityid) AS id
FROM sharepermissions s
WHERE entitytype='SearchRequest' AND sharetype='global';2. Execute the python script and input all the needed data requested by the script. A successful execution should look like below:
XXXXX@D6L691WGG9 bulk_permis % python3.9 bulk_filter_ops.py
Please enter your JIRA instance base URL: i.e. https://myjira.com https://xxxxxxxx.com/jira
Please enter your JIRA username: admin
Please enter your JIRA password: XXXXXXXXXX
Would you like to replace the public permission with group/ groups permissions or project/projects? Accepted values are 'group', 'project' ->group
Please provide the group names for the groups you want to have View permission instead of global, separated by commas: this-group,jira-group,something-group3. The script will generate a log file called “execution.log” , kindly check for errors.
Using the script will only add the needed “View” permissions ( group/s or project/s) and will keep intact all the “Edit” permissions.
Bulk change public access for dashboards
Unfortunately, there is no endpoint to allow modification of the dashboard's permissions, so the operation will have to be executed on the database. Below you will find the solution to bulk change the 'global' view permission to 'loggedin' - this way, only the logged in Jira users will be able to view the dashboard.
Solution
Take a backup of your Jira instance in your preferred method of backup (XML or database);
Stop Jira;
- Use the following query to verify if the Dashboards returned are the ones you're interested in modifying. Please navigate to Manage Dashboards. Here, move your mouse over each dashboard. You will notice the Dashboard ID at the end of the URL, which is displayed at the bottom of your screen. Please ensure that the Dashboard ID matches the entityid in the returned result.
SELECT * from sharepermissions WHERE sharetype='global' AND entitytype='PortalPage'; If the above query returns the correct records that require updates, execute the below update query (query syntax applicable to all supported database types):
UPDATE sharepermissions SET sharetype='loggedin' WHERE sharetype='global' AND entitytype='PortalPage';
5. Start Jira