Non-admin users able to install app in Jira site




Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.

Summary

In Manage Apps > Audit log, events can be seen showing that a non-admin user installed and authorized apps.

Environment

Jira Cloud

Diagnosis

  • If we log in to the Jira site as the user who allegedly installed the app and navigate to Apps > Explore More Apps, there is no option to install an app, only to request one.
  • The user is not able to see the "Manage Apps" option.
  • In the Audit log section we see events of this kind:

  • As shown in the screenshot, the event does not mention an app key.

Cause

  • This event shows up when a user connects to the Jira site from a third-party app via OAuth.
  • Example: in the example shown above, the user installed the GitKraken client on his machine and then connected it to his Jira account to import Jira issues.
  • By doing so, the user gave GitKraken access to Jira data via his account. GitKraken can access only the data the user is allowed to see and nothing more.
  • The events we see only show that the mentioned user gave access to a third-party app; they do not mean that the app is installed in the Jira site.

Solution

If the user does not want this connection to continue, he can navigate to https://id.atlassian.com/manage-profile/apps and revoke access for the third-party app (GitKraken in the example above).

OR admins can do the same on the user's behalf by removing the app from the "Connected Apps" section on the admin.atlassian.com portal.

Reference - https://support.atlassian.com/security-and-access-policies/docs/manage-your-users-third-party-apps/


Last modified on Aug 30, 2023
