This document discusses security and permissions management in JIRA. It provides best practices for server configuration including using strong passwords, firewalls, monitoring open ports, and SSL/HTTPS. It also covers JIRA security administration such as system administrator, project administrator, and workflow permissions. The document addresses issue security and hiding what users don't have permissions to see.

1. Tuesday, May 28, 13

2. JIRA Security And Permissions Management
Adam G. Saint-Prix
Enterprise Solutions Engineer
May 15th, 2013
Tuesday, May 28, 13

3. Enterprise
Update
Q & AJIRA Security
Tuesday, May 28, 13

4. 24 x 7 Phone & Online Support
Dedicated Enterprise Support Reps
Instance Profiles
Atlassian Enterprise Community
Enterprise Webinars
Enterprise Workshops
Atlassian University
Admin Courses
Enterprise Resources
Tuesday, May 28, 13

5. Tuesday, May 28, 13

6. JIRA Admin Training
Next class:
Sept 30, 2013
San Francisco, California
Admin Courses
Tuesday, May 28, 13

7. Tuesday, May 28, 13

8. Tuesday, May 28, 13

9. Atlassian Confluence Blueprints Webinar
May 28, 2013
Matt Hodges
Product Marketing Manager, Confluence
Tuesday, May 28, 13

10. Atlassian Confluence Blueprints Webinar
Technical Workshops in Development
ConfluenceTheme Design
JIRA Upgrade Best Practices
JIRA Integrations
DVCS Concepts with Stash & Git
May 28, 2013
Matt Hodges
Product Marketing Manager, Confluence
Tuesday, May 28, 13

11. Atlassian Enterprise Community
Tuesday, May 28, 13

12. Atlassian Enterprise FAQ
www.atlassian.com/licensing/enterprise-faq
More Questions?
http://www.atlassian.com/software/enterprise/overview/
contactus
Upgrade to Enterprise?
my.atlassian.com/purchase/
Tuesday, May 28, 13

13. Enterprise
Update
Q&AJIRA Security
Tuesday, May 28, 13

14. Enterprise
Update
Q&AJIRA Security
Tuesday, May 28, 13

15. Tuesday, May 28, 13

16. Security and Permissions
Management
Tuesday, May 28, 13

17. Exposure
• Balance usability and security
• Public internet vs. internal network
• Encryption
Tuesday, May 28, 13

18. Server Best Practices
• Named Users
• Strong Passwords
• at least 15 characters
• uppercase letters
• lowercase letters
• numbers
• Keys
• sudo
• Don’t run as root
Remember:
A"ackers
are
good
at
finding
the
cracks
8I=</-53UR>t(n5
Tuesday, May 28, 13

19. Firewalls and Routing
• Incoming Ports: 80, 443, 22
• Outgoing Ports? (smtp, pop/imap, db)
• No route to backend systems
Credit: NIST, modified by cpepe
sshd
JIRA
Server
DB
Server
RouterFirewall
A"acker
Tuesday, May 28, 13

20. Open Ports, strong daemons
• IDS
• Monitoring
• Firewall
• Routing
Tuesday, May 28, 13

21. SSL - Considerations
• Terminate in apache or tomcat?
• Application Links
• Make life easier
Tuesday, May 28, 13

22. SSL is tough
• Black box
• Chip away at it ‘til it works
• Hope to never touch it again (document because you will)
• Do it right, it protects you
Tuesday, May 28, 13

23. Why use SSL?
• Always for public facing systems
• Optional, recommended ‘behind the firewall’
• Optional, recommended for backend systems
h"ps://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS
Running
JIRA
over
SSL
or
HTTPS:
Helpful Atlassian resources:
h"ps://confluence.atlassian.com/display/JIRA/IntegraIng+JIRA+with+Apache
IntegraIng
JIRA
with
Apache:
h"ps://confluence.atlassian.com/display/JIRA/Installing+JIRA+on+Linux
Installing
JIRA
on
Linux:
h"ps://confluence.atlassian.com/display/JIRA/Tomcat+security+best+pracIces
Tomcat
Security
Best
PracIces:
* While Atlassian does provide some documents for SSL and Apache, Atlassian cannot guarantee providing support for these custom configurations
Tuesday, May 28, 13

24. JIRA Security
Administration
Tuesday, May 28, 13

25. System Administrator
Ability to perform all administration functions.There must be at least one group with
this permission.
JIRA Administrator
Ability to perform most administration functions (excluding Import & Export, SMTP
Configuration, etc.).
Project Administrator
This includes the ability to edit project role membership, project components, project
versions and some project details ('Project Name', 'URL', 'Project Lead', 'Project
Description').
Application Administration
Tuesday, May 28, 13

26. Voters&WatchersandTimeTrackingPermissionsomitted
Permissions
Scheme
Tuesday, May 28, 13

27. Workflow Conditions
Tip:
Using
roles
makes
workflows
more
reusable
Tuesday, May 28, 13

28. Issue Security
Tuesday, May 28, 13

29. Issue Security
JIRA
hides
what
we
don’t
have
permission
to
see
Tuesday, May 28, 13

30. Questions?
Tuesday, May 28, 13

31. Thank you!
Tuesday, May 28, 13