
Background

Apps on the cloud version of Jira differ from their Server/DC variants. Each cloud app has a dedicated ‘App user’ on the instances where it is installed. This app user has access to all Jira projects, so within the context of ARN it could potentially be exploited to bypass project restrictions and fetch issues from Jira that a user would otherwise not have access to.

To prevent such a possibility, we are introducing a new parameter for rules called ‘Run rule as’.

Configuration

Jira admins can navigate to the ARN configurations screen from Manage apps and then open the ‘ARN rules’ tab. This is where the ability to turn on ‘App user’ is available.

By default, it is turned off for all instances, and we DO NOT recommend turning it on. If it is turned on, ARN end users can potentially create templates that fetch information which their Jira permissions would otherwise hide from them.

When turned on, the Jira admin can also configure the default value to be either ‘Creator of rule’ or ‘App user’.

Impact

Imagine that Alex created a rule in ARN some time ago and later left the organisation, so his Jira account was deactivated/deleted. If the rule was configured to run as ‘Creator of rule’, it will fail to fetch Jira issues because Alex no longer has access to Jira.

In such scenarios, clone the rule and then delete the older one. The new rule will have a new creator and will work as expected.
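The two outcomes described under Background and Impact can be modelled as a small audit. This is an added example, not ARN's or Jira's own code: the users, projects, issue keys, rule names and every function name are constructed for illustration and do not correspond to any ARN or Jira API.

```python
# Constructed model; names and data are hypothetical, not ARN's or Jira's API.
from dataclasses import dataclass

APP_USER = "app-user"  # stands in for the cloud 'App user', which sees every project

# project -> users with browse permission (constructed sample data)
PROJECT_ACCESS = {"PUB": {"alex", "sam"}, "HR": {"sam"}}
ISSUES = {"PUB-1": "PUB", "PUB-2": "PUB", "HR-7": "HR"}  # issue key -> project
ACTIVE_USERS = {"sam", "dana"}  # alex's account has been deactivated

@dataclass
class Rule:
    name: str
    creator: str
    run_as: str  # "creator" or "app_user"

def visible_issues(user):
    """Issues a principal may read; the app user bypasses project restrictions."""
    if user == APP_USER:
        return set(ISSUES)
    if user not in ACTIVE_USERS:
        return set()  # deactivated or deleted account: no Jira access
    return {k for k, p in ISSUES.items() if user in PROJECT_ACCESS[p]}

def run_rule(rule):
    """Issues the rule fetches under its configured 'Run rule as' identity."""
    principal = APP_USER if rule.run_as == "app_user" else rule.creator
    return visible_issues(principal)

def audit(rules):
    """Flag rules that over-expose issues or that will fail to fetch anything."""
    findings = {}
    for rule in rules:
        leaked = run_rule(rule) - visible_issues(rule.creator)
        if rule.run_as == "app_user" and leaked:
            findings[rule.name] = ("exposes", sorted(leaked))
        elif rule.run_as == "creator" and rule.creator not in ACTIVE_USERS:
            findings[rule.name] = ("fails", [])
    return findings

RULES = [
    Rule("weekly-digest", "dana", "app_user"),  # dana has no project access
    Rule("hr-summary", "sam", "creator"),
    Rule("old-report", "alex", "creator"),      # creator has left
]

if __name__ == "__main__":
    for name, finding in audit(RULES).items():
        print(name, finding)
```

The "exposes" finding lists the issues a rule returns that its creator could not read directly; the "fails" finding marks a rule that needs to be cloned under a new creator.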
