External Customers are able to add Internal Comments to tickets
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
This article addresses the reasons behind customers' ability to add Internal Comments on Issues within Jira Service Management Projects.
Cause
Occasionally, project customers are able to add internal comments to ongoing issues. This is due to a persistent bug:
- JRACLOUD-84127 - Permission scheme allows unlicensed users to add internal comments to issues
A typical interaction between a customer and a Jira Service Management project occurs via the email address configured in Project Settings > Email Requests (Receive requests from an email address for Jira Service Management).
By contrast, the Jira Core mail handler in Settings > System > Incoming Mail is for Jira users with application access (users with a license) and is not to be used with Service Management customers (users without a license).
What is the underlying cause of Internal Comments being added to JSM Projects?
If end customers direct emails to the Global Mail Handler (located in Settings > System > Incoming Mail) rather than the JSM project's incoming mail address (found in Project Settings > Email Requests), and the following conditions are fulfilled, the email will be appended as an Internal Comment to the respective JSM issue.
- A valid issue key is present in the subject line of the email.
- The customer has the explicit "Add Comments" permission. We have observed that granting "Add Comments" in the permission scheme to 'Reporter', 'Service Desk Customers' (project role), or 'Service Desk Team' (project role) results in customer replies to service desk notifications being added as internal comments when the email is directed to the Global Mail Handler (Settings > System > Incoming Mail).
Solution
What preventive measures can be implemented to avert this scenario?
- Advise customers against forwarding emails that include the Jira Global Mail Handler in the To or CC list. Alternatively, removing the public permission for Add Comments is an option, but it may result in emails not being processed by the Jira mail handler, requiring manual investigation through the logs to identify potential issues.
- Consider adopting a custom mail handler for incoming mail as a viable solution. You can resolve this by configuring this custom email as the Jira notification address. For comprehensive instructions, refer to the documentation: Add-custom-email-addresses-for-product-notifications
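To support the first measure, the email-side conditions described under Cause can be checked on a copy of inbound mail. The following is an added example, not Atlassian code: the handler address, project keys and licensed-sender list are assumed placeholder values, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed placeholder values for illustration; replace with your site's own.
GLOBAL_HANDLER = "jira-global@example.com"  # address polled by Settings > System > Incoming Mail
JSM_PROJECT_KEYS = {"HELP", "ITSD"}         # keys of Jira Service Management projects
LICENSED_SENDERS = {"agent@example.com"}    # users with application access

# Matches the issue-key format only; it cannot tell whether the issue exists.
ISSUE_KEY = re.compile(r"\b([A-Z][A-Z0-9_]+)-(\d+)\b")

def global_handler_hits(raw_message):
    """Return JSM issue keys an unlicensed sender's mail may comment on, else []."""
    msg = message_from_string(raw_message)
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if GLOBAL_HANDLER not in recipients:
        return []  # not addressed to the global mail handler
    senders = getaddresses(msg.get_all("From", []))
    sender = senders[0][1].lower() if senders else ""
    if sender in LICENSED_SENDERS:
        return []  # licensed users are the intended audience of this handler
    subject = msg.get("Subject", "")
    return [f"{project}-{number}"
            for project, number in ISSUE_KEY.findall(subject)
            if project in JSM_PROJECT_KEYS]

# Constructed sample messages.
SAMPLE_RISKY = (
    "From: Customer <customer@example.org>\n"
    "To: support@example.com\n"
    "Cc: Jira <jira-global@example.com>\n"
    "Subject: RE: HELP-42 Printer is down\n\nStill broken.\n"
)
SAMPLE_PROJECT_CHANNEL = (
    "From: customer@example.org\n"
    "To: support@example.com\n"
    "Subject: RE: HELP-42 Printer is down\n\nStill broken.\n"
)
SAMPLE_AGENT = (
    "From: agent@example.com\n"
    "To: jira-global@example.com\n"
    "Subject: HELP-42 follow-up\n\nNote for the team.\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_RISKY", "SAMPLE_PROJECT_CHANNEL", "SAMPLE_AGENT"):
        print(name, global_handler_hits(globals()[name]))
```

A non-empty result only means the message meets the addressing and subject conditions; whether it is stored as an internal comment still depends on the "Add Comments" grants in the permission scheme.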