Non-admin users able to install app in Jira site
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
In Manage Apps > Audit logs, events can be seen indicating that a non-admin user installed and authorized apps.
Environment
Jira Cloud
Diagnosis
- If we log in to the Jira site as the user who allegedly installed the app and navigate to App > Explore More Apps, there is no option to install an app, only to request one.
- The user is not able to see the "Manage Apps" option.
- In the audit log section we see these kinds of events:
- As shown in the screenshot, the event does not have an app-key mentioned.
Cause
- This event shows up when a user tries to connect to the Jira site from a third-party app via OAuth.
- Example: in the example shown above, the user installed the GitKraken client on his machine and then connected it to his Jira account to import Jira issues.
- By doing so, the user gave GitKraken access to Jira data via his account. GitKraken will only be able to access the data the user is allowed to see and nothing more.
- The events we see only show that the mentioned user gave access to a third-party app; they do not mean that an app is installed in the Jira site.
Solution
If the user does not want this connection to continue, he can navigate to https://id.atlassian.com/manage-profile/apps and revoke access for the third-party app (GitKraken in the above example).
Alternatively, admins can do the same on the user's behalf by removing the app from the "Connected Apps" section on the admin.atlassian.com portal.
Reference - https://support.atlassian.com/security-and-access-policies/docs/manage-your-users-third-party-apps/